On Fri, 11 Jul 2014, Kynn Jones wrote:
> The documentation in `man 4 random` (**Configuration** section) gives a
> couple of shell-script snippets that it recommends should be added,
> respectively, "to an appropriate script which is run during the Linux
> start-up sequence" and "to an appropriate script which is run during the
> Linux system shutdown". (It is silent on what those "appropriate scripts"
> should be.)
Debian already does this properly in sysvinit mode. So Debian wheezy is covered. Refer to /etc/init.d/urandom.

For Debian jessie and sid, I haven't audited the systemd stuff to make sure this thing actually runs when it should, but there is code to initialize the random pool in systemd (file src/random-seed/random-seed.c). It looks like it does a slightly worse job than the sysvinit shell script (fails to mix in high-res current time), but this should be harmless on recent kernels (which have a much better random subsystem initialization).

systemd could be enhanced to do a lot better: mix in clock_gettime() output, and other variable and machine-specific data such as the kernel and systemd logbuffer, as well as any other not-security-sensitive systemd state, all of it compressed[1] through a crypto hash.

This is _NOT_ to "add randomness", although it will have a little entropy. This is a best-effort defense against equal pool state between otherwise nearly identical boxes[2], and it is valuable even when the kernel already tried to do it.

[1] Think of it as an extremely lossy compression: we only care to retain the entropy in the source data.

[2] http://eprint.iacr.org/2012/064, https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs/

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Archive: https://lists.debian.org/20140711114612.gc25...@khazad-dum.debian.net
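The boot-time seeding step discussed in this thread (saved seed plus clock_gettime() output and machine-specific data, compressed through a crypto hash and written to the pool, then the seed file regenerated at once, as the `man 4 random` snippets do), as an added Python example; it is not the Debian init script or systemd's random-seed.c, and the /proc paths it reads and the seed path it takes are assumptions.

```python
import hashlib
import os
import time

# Machine-specific but not security-sensitive inputs; assumed example paths.
DEFAULT_EXTRA_SOURCES = ("/proc/version", "/proc/cpuinfo", "/proc/meminfo")

def read_if_present(path):
    """Return a file's bytes, or b'' when it is missing or unreadable."""
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""

def mix_material(seed, clocks, extras, out_len=512):
    """Compress everything through SHAKE-256 into out_len bytes (lossy: only the
    entropy in the inputs survives). Items are length-prefixed to avoid collisions."""
    items = [("seed", seed)]
    items += [("clock", c.to_bytes(8, "little")) for c in clocks]
    items += list(extras)
    h = hashlib.shake_256()
    for label, data in items:
        h.update(len(label).to_bytes(2, "little") + label.encode())
        h.update(len(data).to_bytes(8, "little") + data)
    return h.digest(out_len)

def save_seed(seed_path, seed_len=512):
    """Store fresh kernel output for the next boot: mode 0600, atomic replace."""
    tmp = seed_path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(seed_len))
    os.replace(tmp, seed_path)

def seed_pool(seed_path, pool_path="/dev/urandom",
              extra_paths=DEFAULT_EXTRA_SOURCES, seed_len=512):
    """Boot step: feed saved seed + high-res clocks + machine data into the pool,
    then regenerate the seed at once so an unclean shutdown cannot replay it."""
    saved = read_if_present(seed_path)
    clocks = [time.time_ns(), time.monotonic_ns()]  # clock_gettime() on Linux
    extras = [(p, read_if_present(p)) for p in extra_paths]
    blob = mix_material(saved, clocks, extras, seed_len)
    with open(pool_path, "wb") as pool:  # writing to urandom mixes in, uncredited
        pool.write(blob)
    save_seed(seed_path, seed_len)  # at shutdown, call save_seed() again
    return len(blob)
```

Writing into /dev/urandom mixes the bytes into the pool without crediting entropy, which is exactly the "not to add randomness" intent above; the hash step only makes sure whatever differs between two nearly identical boxes actually reaches the pool.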