On Fri, 26 Mar 2010 09:15:19 -0500
Brian Kroth <bpkroth@×××××.com> wrote:

> This probably won't actually happen until some distant point in the
> future, but I'm especially interested in getting it to virtual
> machines. Unfortunately, from what I can find there's no nice
> interface between the host's rng and the vm for vmware esx like there
> is for kvm (eg: virtio_rng). Anyone know of one?

The tool you previously mentioned, Entropy Broker, is amongst the
better choices.

> With the entropy broker the thing I'm not totally clear on is how
> entropy bits transferred over the network (presumably without
> encryption as that might require entropy) would be worthwhile
> entropy?

I believe Entropy Broker encrypts, so it should be safe in that
respect. Not that it's much of a problem on a VM where the network
cable in question is a completely virtual one.

> What makes it different from the situation where you're
> using the network device interrupts as a source of entropy?
> Couldn't both be observable?

Such interrupts aren't great choices for entropy because they're so
easily manipulable, anyway.

> Another question - I keep seeing people suggesting to hook rngd (from
> rng-tools) up to /dev/urandom. Doesn't that just feed your system
> entropy with a prng most of the time? I feel like this just gives
> the illusion of a decent sized entropy pool. Might as well hook your
> app up to /dev/urandom instead, correct?

Yep.

B.
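An audit check for the rngd misconfiguration the thread ends on (rngd reading from /dev/urandom and feeding the kernel pool with the kernel's own PRNG output). This is an added example, not code from the thread or from rng-tools; it parses rngd command lines using the real rng-tools flags `-r`/`--rng-device`, assumes `/dev/hwrng` as the default input device, and runs over constructed sample command lines.

```python
"""Flag rngd invocations that form a PRNG-to-pool feedback loop.

Such a setup inflates /proc/sys/kernel/random/entropy_avail without adding
any entropy the kernel did not already have. Sample command lines below are
constructed for illustration (e.g. as read from /proc/<pid>/cmdline).
"""
import shlex
from typing import Optional

# Outputs of the kernel's own CSPRNG; not independent entropy sources.
KERNEL_PRNG_DEVICES = {"/dev/urandom", "/dev/random"}
DEFAULT_SOURCE = "/dev/hwrng"  # assumed default input device for this check


def rngd_source(cmdline: str) -> Optional[str]:
    """Return the input device an rngd command line reads from, or None if
    the command line is not an rngd invocation at all."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("rngd"):
        return None
    source = DEFAULT_SOURCE
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in ("-r", "--rng-device"):          # value in the next argv slot
            if i + 1 < len(argv):
                source = argv[i + 1]
            i += 2
            continue
        if arg.startswith("--rng-device="):          # --rng-device=/dev/x
            source = arg.split("=", 1)[1]
        elif arg.startswith("-r") and len(arg) > 2:  # -r/dev/x (getopt style)
            source = arg[2:]
        i += 1
    return source


def is_feedback_loop(cmdline: str) -> bool:
    """True when rngd would feed kernel PRNG output back into the kernel pool."""
    src = rngd_source(cmdline)
    return src is not None and src in KERNEL_PRNG_DEVICES


# Constructed sample process command lines.
SAMPLE_CMDLINES = [
    "/usr/sbin/rngd -r /dev/urandom",           # feedback loop: no real entropy
    "/usr/sbin/rngd --rng-device=/dev/hwrng",   # hardware RNG: fine
    "/usr/sbin/rngd",                           # default source
    "/usr/sbin/sshd -D",                        # not rngd
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(f"{line!r}: source={rngd_source(line)} loop={is_feedback_loop(line)}")
```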