seeding randomness in zee cloud
Dirk-Willem van Gulik
dirkx at webweaving.org
Fri May 31 10:26:56 UTC 2013
Thanks to a badly-written mngt script - we've recently noticed a freshly generated ssh-key on a new AWS instance to be identical to one seen a few months prior.
Careful analysis of some other logs showed that we've had similar clashes on another script just after startup generating a very short x509 CSR. It happens quite rarely though. But still.
I am surmising that perhaps the (micro-T) images do not have that much entropy on startup.
So I am wondering how to best make our images 'more random' -- and want to avoid the linux/openstack suggestion of doing this through the boot-params (as in our case it is the operator of the machine we're protecting/guarding against accusations/temptations).
Now we happen to have very easy access to blocks of 1024 bits of randomness from a remote server in already nicely PKI signed packages (as it is needed later for something else).
Is it safe to simply *add* those with:
# fetch randomness & check signature
# Seed Software random generator
cat rnd > /dev/random
# Activate software random generator as an additional source
Or does this cause a loss/reset of all entropy gathered by the hardware so far? Or is there a cleaner way to add an additional seed as a one-off while disturbing as little as possible (in the few seconds just after the network is brought up).
FWIW: this is the output of sysctl kern.random.
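Added example, not part of the original message: one way to write the "check signature, then seed" step so that only a verified, correctly sized block ever reaches the random device. It assumes a detached SHA-256 signature checked with `openssl dgst` against a PEM public key; the post does not say what its signed packages look like, and the function name, file arguments and return codes are hypothetical.

```sh
#!/bin/sh
# Added example (not from the post): verify a signed seed block, then write
# it to the random device. All names below are assumptions for illustration.

SEED_BYTES=128   # 1024 bits, the block size mentioned in the post

# seed_from_signed_blob SEED SIG PUBKEY [DEVICE]
# Return codes: 0 written, 1 unreadable input, 2 wrong size,
#               3 signature check failed, 4 write failed.
seed_from_signed_blob() {
    seed=$1 sig=$2 pub=$3 dev=${4:-/dev/random}

    # All three inputs must exist before anything else is attempted.
    [ -r "$seed" ] && [ -r "$sig" ] && [ -r "$pub" ] || return 1

    # Reject truncated or padded blocks (e.g. a partial download).
    size=$(wc -c < "$seed" | tr -d ' ')
    [ "$size" -eq "$SEED_BYTES" ] || return 2

    # Detached signature over the raw block; stop here if it does not verify,
    # so unauthenticated bytes are never written.
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$seed" \
        >/dev/null 2>&1 || return 3

    # Same operation as "cat rnd > /dev/random" in the post. FreeBSD's
    # random(4) describes a write as perturbing the generator's internal
    # state; nothing is read from the device here.
    cat "$seed" > "$dev" || return 4
    return 0
}

# Run as a script: seed.sh SEED SIG PUBKEY [DEVICE]
if [ "$#" -ge 3 ]; then
    seed_from_signed_blob "$@"
fi
```

The optional fourth argument exists so the function can be exercised against an ordinary file before it is pointed at `/dev/random`.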