Hi, we are using haveged in our VMs to feed the random pool and it seems to work good (means: statistical verification of the output looks good, nearly 0 entropy overestimation, but we never correlated output from cloned VMs).
I assume feeding the VMs from the host system can be problematic because the host system itself often doesn't have enough entropy. Much entropy is needed today for protocolls, session IDs and the elf_loader(!). Cheerio Thomas Am Montag 02 August 2010, 21:38:10 schrieb Yaron Sheffer: > Hi, > > the interesting thread on seeding and reseeding /dev/random did not > mention that many of the most problematic systems in this respect are > virtual machines. Such machines (when used for "cloud computing") are > not only servers, so have few sources of true and hard-to-observe > entropy. Often the are cloned from snapshots of a single virtual > machine, i.e. many VMs start life with one common RNG state, that > doesn't even know that it's a clone. > > In addition to the mitigations that were discussed on the list, such > machines could benefit from seeding /dev/random (or periodically > reseeding it) from the *host machine's* RNG. This is one thing that's > guaranteed to be different between VM instances. So my question to the > list: is this useful? Is this doable with popular systems (e.g. Linux > running on VMWare or VirtualBox)? Is this actually being done? > > Thanks, > Yaron > > --------------------------------------------------------------------- > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com