Start up entropy gathering
kurt at roeckx.be
Thu Jun 13 21:38:08 UTC 2019
On Thu, Jun 13, 2019 at 05:06:16PM +1000, Dr Paul Dale wrote:
> The second suggestion is broadly similar but requires a file containing entropy that persists across reboots. This alternative requires a more management: the entropy file once read needs to be rewritten immediately (and ideally on shutdown as well). It also introduces a new attack vector against the entropy storage. It also isn’t possible to skip the entropy file read/rewrite sequence because it is impossible to determine if /dev/urandom has actually been seeded. I’ve not attempted to code this, persistent files containing seed material potentially introduce other problems.
This is what init systems have always done. I see no need to also
do it. They have a policy not to credit that the entropy from that
file, I see no reason why we should override that policy.
More information about the openssl-project