1 |
On Sunday 22 October 2006 06:16, Richard Freeman wrote: |
2 |
> 3. Generate a random encryption key (WHOA - why on earth is that script |
3 |
> using urandom for this - it only pulls 18 bytes - I just changed it to |
4 |
> /dev/random in mine (more secure in the event the entropy pool gets low |
5 |
> - although normally they are the same)). For those not in the know, |
6 |
> /dev/random blocks if it runs out of entropy, but /dev/urandom just |
7 |
> gives out a less random value. If you need 50MB of random data you have |
8 |
> to use urandom if you don't want to freeze the system for 12 hours, but |
9 |
> for 18 bytes we can afford to wait for quality data. |
10 |
|
11 |
Nice catch. At this point in booting we should have plenty of entropy in the |
12 |
random pool. Would be wise to start service random a few steps back to make |
13 |
sure it's really random and not boot-sequence-pridictable-random, although |
14 |
the script is plenty paranoid. |
15 |
> |
16 |
> 4. /dev/(u)random dumps binary data - losetup wants something more sane |
17 |
> as a key, so uuencode is used to convert to text. No source of |
18 |
> compromise here - the original data was random so the uuencoded data is |
19 |
> still random (it is now constrained in potential output values, but is |
20 |
> longer which compensates). |
21 |
I actually ran this script many times without uuencode, just passing the |
22 |
random string to losetup without any complaints. glad i have uuencode now |
23 |
though ;) |
24 |
|
25 |
-Jason |
26 |
|
27 |
-- |
28 |
gpg public key: http://lazybird.hyperintelligent.net/~jbooth/jbooth_key.asc |
29 |
|
30 |
-- |
31 |
gentoo-amd64@g.o mailing list |