[Nix-dev] Why is rngd running by default?
Shea Levy
shea at shealevy.com
Mon Dec 3 05:18:04 CET 2012
On 11/29/2012 02:00 AM, Mathijs Kwik wrote:
> While at the subject of random number generation, I would like to plug
> the "frandom" package (+kernel module), as it has been very useful
> to me. It is available in NixOS through the use of
> services.frandom.enable = true.
>
> It uses the kernel random device but provides an extremely fast
> /dev/frandom to use from userspace (20x speedup compared to
> /dev/urandom on my system). This makes it the perfect source for
> filling up disks before putting some full-disk-encryption on top of.
>
Something I've never understood about this technique... Why not just
zero out the encrypted block device? Won't that make the underlying
device look effectively random?
> Failing to do so will make a disk vulnerable to forensic analysis, as
> untouched/empty spots "shine through", but filling a 3TB disk with
> /dev/urandom just takes the fun out of your newly-bought disk as it
> will take more than 3 days. frandom will do so in a matter of hours
> (for non-ssd disks, disk write speed will be the bottleneck, making a
> wipe essentially as fast as dd'ing with /dev/zero).
>
> I understand rngd is about the opposite functionality (getting random
> into the kernel instead of out), so this was probably a bit off-topic ;)
>
> On Thu, Nov 29, 2012 at 1:08 AM, Peter Simons <simons at cryp.to> wrote:
>
> Hi Shea,
>
> > If your cpu doesn't support RdRand and you don't have either of those
> > devices, rngd won't get triggered to start (and if it did, it would
> > fail on startup).
>
> ah, I see. I didn't know about the RdRand CPU instruction. Thank you for
> the explanation.
>
> Take care,
> Peter
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
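Shea's suggestion above, writing zeros through a dm-crypt mapping so that the raw device ends up holding ciphertext, as an added example that is not code from this thread or from NixOS. It assumes a Linux host with cryptsetup, GNU dd and root for the wipe itself; the function names wipe_through_dmcrypt and count_zero_blocks are chosen here. The second function is the check to run afterwards: it counts all-zero blocks, i.e. the untouched "empty spots" the thread says would shine through in forensic analysis, on a file or on a sampled prefix of a device.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux, cryptsetup and root
# for wipe_through_dmcrypt. The raw device never sees the zeros: dm-crypt
# encrypts them under a throwaway key, so what lands on disk is ciphertext
# that is indistinguishable from a /dev/urandom fill, at AES speed.

# wipe_through_dmcrypt DEVICE [MAPPING_NAME]
# DESTROYS everything on DEVICE.
wipe_through_dmcrypt() {
    dev=$1
    name=${2:-to_be_wiped}
    # Plain (non-LUKS) mapping with a 256-bit key read straight from
    # /dev/urandom; the key is never stored, so once the mapping is closed
    # nobody, including us, can turn the ciphertext back into zeros.
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 256 \
        --key-file /dev/urandom "$dev" "$name"
    # dd exits non-zero with ENOSPC when the mapping is full; that is the
    # expected end of a whole-device write, not an error.
    dd if=/dev/zero of="/dev/mapper/$name" bs=1M || true
    sync
    cryptsetup close "$name"
    # The real LUKS container is created on "$dev" after this.
}

# count_zero_blocks FILE [BLOCKSIZE] [MAXBLOCKS]
# Prints how many BLOCKSIZE-byte blocks (all of them, or only the first
# MAXBLOCKS) consist entirely of 0x00 bytes. After a wipe this should be 0;
# unwiped regions of a fresh disk show up here. Uses only dd, od and tr, so
# it is POSIX; on a multi-TB device pass MAXBLOCKS to sample a prefix.
count_zero_blocks() {
    file=$1
    bs=${2:-4096}
    max=${3:-}
    zero=0
    i=0
    while [ -z "$max" ] || [ "$i" -lt "$max" ]; do
        # Hex-dump one block; an empty dump means we ran past the end.
        blk=$(dd if="$file" bs="$bs" skip="$i" count=1 2>/dev/null \
              | od -An -v -tx1 | tr -d ' \n')
        [ -n "$blk" ] || break
        case "$blk" in
            *[!0]*) ;;                  # at least one byte is not 0x00
            *) zero=$((zero + 1)) ;;    # every byte is 0x00
        esac
        i=$((i + 1))
    done
    echo "$zero"
}

# Usage (as root):
#   wipe_through_dmcrypt /dev/sdX
#   count_zero_blocks /dev/sdX 1048576 4096   # sample the first 4 GiB
```

The scan is deliberately simple and slow per block, which is fine for checking a sampled prefix or a test file; a disk that was only ever zeroed through the mapping should report 0, while a brand-new disk reports nearly every block it looks at.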