[Nix-dev] Why is rngd running by default?
Lluís Batlle i Rossell
viric at viric.name
Mon Dec 3 08:45:37 CET 2012
On Mon, Dec 03, 2012 at 08:35:12AM +0100, Mathijs Kwik wrote:
> Shea Levy <shea at shealevy.com> writes:
>
> > On 11/29/2012 02:00 AM, Mathijs Kwik wrote:
> >
> > While at the subject of random number generation, I would like to plug the "frandom" package
> > (+kernel module), as it has been very useful to me. It is available in NixOS through the use of
> > services.frandom.enable = true.
> >
> > It uses the kernel random device but provides an extremely fast /dev/frandom to use from
> > userspace (20x speedup compared to /dev/urandom on my system). This makes it the perfect source
> > for filling up disks before putting some full-disk-encryption on top of.
> >
> > Something I've never understood about this technique... Why not just zero out the encrypted block
> > device? Won't that make the underlying device look effectively random?
>
> It should indeed.
> I'm not a crypto expert at all, but I would think that knowing something
> about the data that's encrypted might give some advantage for cracking
> it. Also, if you choose to not zero out the full encrypted block
> device, but first put some partitions/volumes in it, then zero those,
> the fact you have these partitions/volumes might bleed through.
>
> But like you say, it should just suffice. The only reason I do it like
> this is because almost every howto states you should do it.
I've the impression that encryption can bring cracking time from 5 minutes to
100 years, and then features like this filling of random data increase from 100
years to 200 years. :)
Regards,
Lluís.
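The two points argued above (zeroing the whole encrypted mapping leaves the raw device looking random, but partitioning first and then zeroing each mapping leaves the partition table and any unallocated gap visibly non-random) can be checked rather than taken on faith. The script below is an added example and not code from the thread or from NixOS: it builds three toy 64 KiB disk images and scans each in 4 KiB chunks for byte entropy far below uniform. The "disk cipher" is a SHA-256 counter-mode keystream, chosen only so the images are deterministic; it is not AES-XTS and proves nothing about any real cipher. The key, layout, and chunk size are all constructed for the illustration.

```python
"""Does a disk image look uniformly random? Chunk-wise byte-entropy scan.

Added example for the nix-dev thread on random-filling before full-disk
encryption. All images and keys below are constructed; the cipher is a
SHA-256 counter-mode stand-in, not the kernel's dm-crypt/AES-XTS.
"""
import hashlib
import math
from collections import Counter

CHUNK = 4096            # analysis granularity: 8 x 512-byte sectors
IMAGE = 16 * CHUNK      # 64 KiB toy device
KEY = b"toy-key-not-a-real-one"   # constructed


def keystream(key: bytes, nbytes: int) -> bytes:
    """SHA-256 in counter mode: deterministic stand-in for cipher output."""
    out = bytearray()
    for ctr in range((nbytes + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:nbytes])


def encrypt(key: bytes, offset: int, plaintext: bytes) -> bytes:
    """Ciphertext of `plaintext` stored at byte `offset` of the device.
    The keystream depends on position, as a sector cipher's output does."""
    ks = keystream(key, offset + len(plaintext))[offset:]
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def image_random_fill() -> bytes:
    """What `dd if=/dev/urandom of=/dev/sdX` leaves on the raw device."""
    return keystream(b"urandom-stand-in", IMAGE)


def image_zero_whole_mapping() -> bytes:
    """Encrypt the whole device, then zero it through the mapping
    (the alternative suggested in the thread): every byte on the raw
    device is the ciphertext of a zero byte."""
    return encrypt(KEY, 0, bytes(IMAGE))


def image_partitions_then_zero() -> bytes:
    """Partition the raw device first, encrypt each partition, zero the
    mappings. The partition table chunk and the unallocated gap between
    the partitions are never written through a cipher."""
    img = bytearray(IMAGE)             # a fresh device reads as zeros
    img[510:512] = b"\x55\xAA"         # MBR-style signature in chunk 0
    parts = [(1 * CHUNK, 8 * CHUNK),   # partition 1: chunks 1..7
             (9 * CHUNK, 16 * CHUNK)]  # partition 2: chunks 9..15 (chunk 8 free)
    for start, end in parts:
        img[start:end] = encrypt(KEY, start, bytes(end - start))
    return bytes(img)


def entropy_bits(chunk: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (0.0 for all-zero data;
    about 7.95 for 4 KiB of uniform random bytes)."""
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def low_entropy_chunks(image: bytes, threshold: float = 7.5) -> list:
    """Byte offsets of chunks that do not look like cipher output."""
    return [off for off in range(0, len(image), CHUNK)
            if entropy_bits(image[off:off + CHUNK]) < threshold]


if __name__ == "__main__":
    for name, build in (("random fill", image_random_fill),
                        ("zero whole mapping", image_zero_whole_mapping),
                        ("partition, then zero", image_partitions_then_zero)):
        print(f"{name:22s} non-random chunks at: {low_entropy_chunks(build())}")
```

The first two images scan clean, the third flags chunk 0 and chunk 8. On a real system the equivalent check is an entropy scan of the raw device after the fill; note that with LUKS the header at the start of the device is plaintext by design, so some structure is always visible there, and only a headerless plain dm-crypt mapping can make the whole device indistinguishable from a random fill.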