about summary refs log tree commit diff
path: root/doc/s6-fillurandompool.html
diff options
context:
space:
mode:
Diffstat (limited to 'doc/s6-fillurandompool.html')
-rw-r--r--doc/s6-fillurandompool.html74
1 files changed, 74 insertions, 0 deletions
diff --git a/doc/s6-fillurandompool.html b/doc/s6-fillurandompool.html
new file mode 100644
index 0000000..777307e
--- /dev/null
+++ b/doc/s6-fillurandompool.html
@@ -0,0 +1,74 @@
+<html>
+  <head>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta http-equiv="Content-Language" content="en" />
+    <title>s6-linux-utils: the s6-fillurandompool program</title>
+    <meta name="Description" content="s6-linux-utils: the s6-fillurandompool program" />
+    <meta name="Keywords" content="s6 linux administration root utilities random urandom /dev/urandom entropy pool getrandom getentropy" />
+    <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> -->
+  </head>
+<body>
+
+<p>
+<a href="index.html">s6-linux-utils</a><br />
+<a href="http://skarnet.org/software/">Software</a><br />
+<a href="http://skarnet.org/">skarnet.org</a>
+</p>
+
+<h1> The <tt>s6-fillurandompool</tt> program </h1>
+
+<p>
+<tt>s6-fillurandompool</tt> blocks until the machine's
+<tt>/dev/urandom</tt> entropy pool is filled up. Then it exits.
+</p>
+
+<h2> Interface </h2>
+
+<pre>
+     s6-fillurandompool
+</pre>
+
+<h2> Rationale </h2>
+
+<p>
+ For some reason, Linux has <em>two</em> separate entropy pools: one for
+<tt>/dev/random</tt> and one for <tt>/dev/urandom</tt>.
+</p>
+
+<p>
+ Reading from <tt>/dev/random</tt> blocks when its entropy pool is
+not full enough, so it will never return weak random data. (Reading
+from <tt>/dev/random</tt> is overkill anyway, and
+<a href="http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/">you
+should not be doing it.</a>)
+</p>
+
+<p>
+ However, reading from <tt>/dev/urandom</tt> (which
+<a href="http://www.2uo.de/myths-about-urandom/">you should be doing</a>)
+will not block, even though the entropy pool may not have been
+initialized yet. That's the only insecure thing about it: at boot time,
+<tt>/dev/urandom</tt> may return weak random data, until its entropy
+pool has filled up.
+</p>
+
+<p>
+ <tt>s6-fillurandompool</tt> is meant to address this issue. Call it once
+early on in your boot scripts, before you need any serious random data;
+when it exits, the <tt>/dev/urandom</tt> pool has been properly initialized,
+and it is now safe to read from <tt>/dev/urandom</tt> every time you need
+random data, until the machine shuts down.
+</p>
+
+<h2> Notes </h2>
+
+<ul>
+ <li> <tt>s6-fillurandompool</tt> will only work on a Linux kernel version
+3.17 or later: this is when the
+<a href="http://man7.org/linux/man-pages/man2/getrandom.2.html"><tt>getrandom()</tt></a>
+system call, which it internally uses, has been implemented. </li>
+</ul>
+
+</body>
+</html>