diff options
Diffstat (limited to 'doc/s6-fillurandompool.html')
| -rw-r--r-- | doc/s6-fillurandompool.html | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/doc/s6-fillurandompool.html b/doc/s6-fillurandompool.html deleted file mode 100644 index c07b0f4..0000000 --- a/doc/s6-fillurandompool.html +++ /dev/null @@ -1,74 +0,0 @@ -<html> - <head> - <meta name="viewport" content="width=device-width, initial-scale=1.0" /> - <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> - <meta http-equiv="Content-Language" content="en" /> - <title>s6-linux-utils: the s6-fillurandompool program</title> - <meta name="Description" content="s6-linux-utils: the s6-fillurandompool program" /> - <meta name="Keywords" content="s6 linux administration root utilities random urandom /dev/urandom entropy pool getrandom getentropy" /> - <!-- <link rel="stylesheet" type="text/css" href="//skarnet.org/default.css" /> --> - </head> -<body> - -<p> -<a href="index.html">s6-linux-utils</a><br /> -<a href="//skarnet.org/software/">Software</a><br /> -<a href="//skarnet.org/">skarnet.org</a> -</p> - -<h1> The <tt>s6-fillurandompool</tt> program </h1> - -<p> -<tt>s6-fillurandompool</tt> blocks until the machine's -<tt>/dev/urandom</tt> entropy pool is filled up. Then it exits. -</p> - -<h2> Interface </h2> - -<pre> - s6-fillurandompool -</pre> - -<h2> Rationale </h2> - -<p> - For some reason, Linux has <em>two</em> separate entropy pools: one for -<tt>/dev/random</tt> and one for <tt>/dev/urandom</tt>. -</p> - -<p> - Reading from <tt>/dev/random</tt> blocks when its entropy pool is -not full enough, so it will never return weak random data. (Reading -from <tt>/dev/random</tt> is overkill anyway, and -<a href="https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/">you -should not be doing it.</a>) -</p> - -<p> - However, reading from <tt>/dev/urandom</tt> (which -<a href="https://www.2uo.de/myths-about-urandom/">you should be doing</a>) -will not block, even though the entropy pool may not have been -initialized yet. That's the only insecure thing about it: at boot time, -<tt>/dev/urandom</tt> may return weak random data, until its entropy -pool has filled up. -</p> - -<p> - <tt>s6-fillurandompool</tt> is meant to address this issue. Call it once -early on in your boot scripts, before you need any serious random data; -when it exits, the <tt>/dev/urandom</tt> pool has been properly initialized, -and it is now safe to read from <tt>/dev/urandom</tt> every time you need -random data, until the machine shuts down. -</p> - -<h2> Notes </h2> - -<ul> - <li> <tt>s6-fillurandompool</tt> will only work on a Linux kernel version -3.17 or later: this is when the -<a href="https://man7.org/linux/man-pages/man2/getrandom.2.html"><tt>getrandom()</tt></a> -system call, which it internally uses, has been implemented. </li> -</ul> - -</body> -</html> |