[Nix-dev] Why is rngd running by default?

[Lluís Batlle i Rossell]

On Mon, Dec 03, 2012 at 08:35:12AM +0100, Mathijs Kwik wrote:
> Shea Levy <shea at shealevy.com> writes:
> 
> > On 11/29/2012 02:00 AM, Mathijs Kwik wrote:
> >
> >     While at the subject of random number generation, I would like to plug the "frandom" package
> >     (+kernel module), , as it has been very useful to me. It is available in NixOS through the use of
> >     services.frandom.enable = true.
> >    
> >     It uses the kernel random device but provides an extremely fast /dev/frandom to use from
> >     userspace (20x speedup compared to /dev/urandom on my system). This makes it the perfect source
> >     for filling up disks before putting some full-disk-encryption on top of. 
> >
> > Something I've never understood about this technique... Why not just zero out the encrypted block
> > device? Won't that make the underlying device look effectively random?
> 
> It should indeed.
> I'm not a crypto expert at all, but I would think that knowing something
> about the data that's encrypted might give some advantage for cracking
> it. Also, if you choose to not zero out the full encrypted block
> device, but first put some partitions/volumes in it, then zero those,
> the fact you have these partitions/volumes might bleed through.
> 
> But like you say, it should just suffice. The only reason I do it like
> this is because almost every howto states you should do it.

I've the impression that encryption can bring cracking time from 5 minutes to
100 years, and then features like this filling of random data increase from 100
years to 200 years. :)

Regards,
Lluís.