[147856] in cryptography@c2.net mail archive
Re: [Cryptography] provisioning a seed for /dev/urandom
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Sun Oct 27 01:11:05 2013
X-Original-To: cryptography@metzdowd.com
Date: Sat, 26 Oct 2013 12:58:28 -0400
From: Theodore Ts'o <tytso@mit.edu>
To: David Mercer <radix42@gmail.com>
In-Reply-To: <CADpjbE3Vs_gJJH76QJWXTCvyyFA5AS9tHD0qUPxqL14vP7K=Pg@mail.gmail.com>
X-SA-Exim-Mail-From: tytso@thunk.org
Cc: Cryptography Mailing List <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sat, Oct 26, 2013 at 03:49:15AM +0800, David Mercer wrote:
>
> Unfortunately access to the host hypervisor's /dev/urandom isn't normally
> available.
virtio-rng has been around for over 5 years, and it specifically
provides access to the host's /dev/random and makes it available via
/dev/hw_random; you then run rng-tools on the guest. Qemu/kvm uses
virtio-rng. I'm not sure about Xen, but if it doesn't, boo, hiss to
the Xen folks, especially since the paravirtualized interface has been
around for so long.
> You aren't going to have lots high quality randomness available via
> /dev/random on the hypervisor in currently deployed VM hosting environments.
There is typically plenty of interrupts from your network and storage
devices which should provide plenty of entropy for the hypervisor.
- Ted
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
