On Tue, Apr 01, 2008 at 08:02:19PM -0400, Kent Borg wrote:
> Nomen Nescio wrote:
> >I used the Ubuntu wiki's instructions to set up encrypted swap on my
> >computer, then I noticed whenever I booted it up, it would sit for a
> >while until I hit return a few times.
> >
> >I think I figured out that the problem is /dev/random is "close to
> >empty" when the computer's just booted, so I changed the line in
> >/etc/crypttab to use /dev/urandom instead. That fixed it, so now it
> >keeps going through the boot-up stuff right away.
> >
>
> The problem isn't that the computer doesn't have much entropy when it
> first boots (it stores the "pool" at last shutdown), the problem is that
> it is being drained as you initialize your swap.

Hmm. It seems doing this is indeed customary, but it is not done by
the kernel itself. Being paranoid, if you have a crash or a hard reboot,
you would reuse something close to the entropy pool from your last boot.

> >How insecure is it?
> >
>
> Using /dev/urandom? Quite secure.
>
> Entropy estimation is a very tricky problem, and exactly when
> /dev/random halts is kind of arbitrary.
>
> When your computer first boots it probably has a full entropy pool. That
> is equivalent to 4096 coin tosses: very hard to guess. The clues to those
> 4096 bits of entropy left in your swap are not
> easy to analyze. Want to be extra secure? Hit return a few times during
> boot even if you do use /dev/urandom.

Given that the advice in random.c (and what Debian does) is preserving
512 pool bytes during shutdown, 4096 is an upper estimate. There could
be a lot less entropy in there.

> How motivated is your foe? Unless someone very well funded--and very
> motivated--is after your secrets, you are safe. And even if the
> NSA/FBI/CIA *really* are interested in your bits, they still might not
> be any better off if you use /dev/urandom instead of /dev/random.
> /dev/urandom produces very high quality random bits.

I agree with this analysis.

The stored pool bits should fix the initialisation issue. And there is
also the fact that really interesting things like keys typically do not
end up in swap anyway. That is one of the reasons why things like gpg
run as suid root: they can lock memory (prevent it from being swapped
out) that way and use that memory for key storage.

> -kb, the Kent who is a professional who has been paid to engineer high
> quality random numbers.

Crypto or simulation? Just curious. I have done a bit of porting of
MT19937 way back, but I am certainly not an expert in non-crypto
randomness.

Arno
--
Arno Wagner, Dipl. Inform., CISSP --- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
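As an added example (not part of the thread, and not gpg's own code), here is the memory-locking technique Arno refers to, in C: a key buffer is pinned with mlock() so the kernel never writes it to swap, filled from /dev/urandom, and wiped before munlock(). Whether mlock() succeeds depends on RLIMIT_MEMLOCK headroom or CAP_IPC_LOCK, which is the reason gpg historically ran suid root; the `locked` flag records the outcome rather than aborting, and the names `keybuf_t`, `key_load_locked`, `key_is_zero` and `key_wipe` are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define KEY_LEN 32

typedef struct {
    unsigned char key[KEY_LEN];
    int locked;   /* 1 if mlock() succeeded, 0 if it was refused */
} keybuf_t;

static keybuf_t kb;   /* demo buffer; a real program would not use a global */

/* Pin the buffer in RAM (so it is never written to swap), then fill it
   from /dev/urandom. Returns the number of key bytes read, or -1 on error.
   mlock() needs RLIMIT_MEMLOCK headroom or CAP_IPC_LOCK; without it the
   key is still generated but k->locked stays 0. */
int key_load_locked(keybuf_t *k) {
    k->locked = (mlock(k, sizeof *k) == 0);
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < KEY_LEN) {
        ssize_t n = read(fd, k->key + got, KEY_LEN - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return (int)got;
}

/* 1 if every key byte is zero (wiped or never filled), else 0. */
int key_is_zero(const keybuf_t *k) {
    unsigned char acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= k->key[i];
    return acc == 0;
}

/* Overwrite the key before releasing the lock; the volatile pointer keeps
   the compiler from dropping the wipe as a dead store. Returns 0. */
int key_wipe(keybuf_t *k) {
    volatile unsigned char *p = k->key;
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = 0;
    if (k->locked) munlock(k, sizeof *k);
    k->locked = 0;
    return 0;
}
```

Check `kb.locked` after `key_load_locked()` to see whether the lock was actually granted in your environment; an unprivileged process with a small RLIMIT_MEMLOCK will get the key but no swap protection.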