> Date: Wed, 8 Nov 2017 18:23:11 +0100
> From: Maxime Villard <m...@m00nbsd.net>
>
> On 08/11/2017 at 18:17, Maxime Villard wrote:
> > On 08/11/2017 at 17:37, Taylor R Campbell wrote:
> >> What's the advantage of (a) changing the on-disk file hierarchy and
> >> generating the data on shutdown, versus (b) leaving the on-disk file
> >> hierarchy unchanged and generating the data on boot?
> >
> > The randomness of (b) is stronger than that of (a). But perhaps in a scale
> > that is so insignificant that we actually don't care (?).
>
> obviously I meant the contrary: the randomness of (a) is stronger than that
> of (b), sorry about that
There is no meaningful difference between storing a seed on disk and storing the output of expanding that seed into a pad on disk. Either way the seed is derived from SHA1(entropypool) at the moment. We can argue about how to expand the seed (AES128-CTR-DRBG, SHAKE256, ChaCha, whatever) but the point remains the same. (Generally I would recommend SHAKE256 for ~everything here, since nobody will ever get fired for choosing NIST standards, and it obviously has a higher security margin than AES128, and I have a very small easy-to-audit implementation handy already that almost made it into src a couple years ago anyway but for possible incompatibility with OpenSSL's SHA-3 API in libc.)
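The "no meaningful difference" argument above, shown concretely as an added example (not code from the thread or from NetBSD): the seed is taken as SHA1 of a constructed sample pool, expanded with SHAKE256 via Python's hashlib, and the pad that option (a) would write at shutdown is compared with the pad option (b) would regenerate at boot. The pool contents, the pad length and the function names are assumptions for illustration only.

```python
import hashlib

# Constructed sample "entropy pool" contents; not real kernel state.
SAMPLE_POOL = b"constructed entropy pool contents, not real kernel state"


def derive_seed(entropy_pool: bytes) -> bytes:
    """Seed = SHA1(entropypool), as the reply says the current code does."""
    return hashlib.sha1(entropy_pool).digest()


def expand_seed(seed: bytes, nbytes: int) -> bytes:
    """Expand a short seed into an nbytes pad with SHAKE256, the XOF the reply recommends."""
    return hashlib.shake_256(seed).digest(nbytes)


def on_disk_equivalence(entropy_pool: bytes, pad_len: int) -> bool:
    """Option (a) stores the expanded pad on disk; option (b) stores the seed and expands
    it at boot. Returns True when both on-disk choices yield a byte-identical pad, i.e.
    whoever can read either artefact can reconstruct the other."""
    seed = derive_seed(entropy_pool)
    pad_written_at_shutdown = expand_seed(seed, pad_len)   # option (a)
    pad_regenerated_at_boot = expand_seed(seed, pad_len)   # option (b)
    return pad_written_at_shutdown == pad_regenerated_at_boot


def is_prefix_consistent(seed: bytes, short_len: int, long_len: int) -> bool:
    """XOF property: a shorter pad is a prefix of a longer one from the same seed, so a
    seed on disk fixes every byte the expansion will ever produce, whatever the length."""
    return expand_seed(seed, long_len)[:short_len] == expand_seed(seed, short_len)


if __name__ == "__main__":
    seed = derive_seed(SAMPLE_POOL)
    print("seed (SHA1 of pool)       :", seed.hex())
    print("first 32 pad bytes        :", expand_seed(seed, 32).hex())
    print("storing pad == storing seed:", on_disk_equivalence(SAMPLE_POOL, 4096))
    print("prefix consistent          :", is_prefix_consistent(seed, 16, 4096))
```

The defensive takeaway is the one the reply makes: whichever artefact lands on disk, its confidentiality is what protects the pad, so the choice of expansion function changes the security margin of the expansion but not what an on-disk read reveals.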