[Nix-dev] Why is rngd running by default?

Mathijs Kwik mathijs at bluescreen303.nl
Thu Nov 29 08:00:11 CET 2012


While on the subject of random number generation, I would like to plug the
"frandom" package (+kernel module), as it has been very useful to me.
It is available in NixOS through the use of services.frandom.enable = true.

It uses the kernel random device but provides an extremely fast
/dev/frandom to use from userspace (20x speedup compared to /dev/urandom on
my system). This makes it the perfect source for filling up disks before
putting some full-disk encryption on top.

Failing to do so will make a disk vulnerable to forensic analysis, as
untouched/empty spots "shine through", but filling a 3TB disk with
/dev/urandom just takes the fun out of your newly-bought disk, as it will
take more than 3 days. frandom will do so in a matter of hours (for non-SSD
disks, disk write speed will be the bottleneck, making a wipe essentially
as fast as dd'ing with /dev/zero).

I understand rngd is about the opposite functionality (getting random into
the kernel instead of out), so this was probably a bit off-topic ;)




On Thu, Nov 29, 2012 at 1:08 AM, Peter Simons <simons at cryp.to> wrote:

> Hi Shea,
>
>  > If your cpu doesn't support RdRand and you don't have either of those
>  > devices, rngd won't get triggered to start (and if it did, it would
>  > fail on startup).
>
> ah, I see. I didn't know about the RdRand CPU instruction. Thank you for
> the explanation.
>
> Take care,
> Peter
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>

