On Tue, 29 Oct 2013 at 13:09:08 +0100, Milan Kral wrote
> The problem is that in /etc/rcS.d the scripts S07cryptdisks-early,
> S09cryptdisks are run before S13urandom. We are trying to read from
> /dev/urandom before the Linux random number generator is properly
> seeded. This can lead to predictable encryption key for the swap
> partition.

That's problematic, indeed.  For the record, the situation doesn't seem
to be better with systemd:

    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
    […]
    Sep 16 18:35:40 debian systemd[1]: Found device /dev/vda1.
    Sep 16 18:35:40 debian systemd[1]: Starting Cryptography Setup for swap...
    Sep 16 18:35:41 debian kernel: device-mapper: uevent: version 1.0.3
    Sep 16 18:35:41 debian systemd-cryptsetup[518]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/vda1.
    Sep 16 18:35:41 debian mkswap[576]: Setting up swapspace version 1, size = 64 MiB (67072000 bytes)
    Sep 16 18:35:41 debian mkswap[576]: no label, UUID=eca1d0f8-e1da-4ed6-867c-86c4bfca92f5
    Sep 16 18:35:41 debian systemd[1]: Started Cryptography Setup for swap.
    Sep 16 18:35:41 debian systemd[1]: Reached target Encrypted Volumes.
    Sep 16 18:35:41 debian systemd[1]: Found device /dev/mapper/swap.
    Sep 16 18:35:41 debian systemd[1]: Activating swap /dev/mapper/swap...
    Sep 16 18:35:41 debian systemd[1]: Activated swap /dev/mapper/swap.
    Sep 16 18:35:41 debian systemd[1]: Reached target Swap.
    Sep 16 18:35:41 debian kernel: Adding 65500k swap on /dev/mapper/swap.  Priority:-1 extents:1 across:65500k FS
    […]
    Sep 16 18:35:44 debian login[662]: ROOT LOGIN  on '/dev/tty1'
    Sep 16 18:35:48 debian kernel: random: nonblocking pool is initialized

(Note the “random: nonblocking pool is initialized” at the very end,
long after initializing swap, even after login.)

-- 
Guilhem.

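As an added example (not part of this thread, and not code from Debian, cryptsetup or systemd), the following Python script checks a boot log for the ordering problem the messages above describe: it finds the kernel's "nonblocking pool is initialized" line and reports every "uninitialized urandom read" and every encrypted-volume setup event that was logged before it. The sample log is a trimmed copy of the lines quoted in the message, with the wrapping removed. The "random: crng init done" pattern is an assumption about the equivalent message printed by newer kernels; the `audit`, `parse_ts` and `seconds_at_risk` names are the example's own.

```python
import re
from datetime import datetime

# Kernel message announcing that urandom output is finally seeded.
# "nonblocking pool is initialized" is the wording in this thread;
# "crng init done" is assumed to be the wording used by newer kernels.
POOL_READY = re.compile(r"random: (nonblocking pool is initialized|crng init done)")

# Kernel warning for a read that happened before seeding (wording from the thread).
UNINIT_READ = re.compile(
    r"random: (?P<proc>\S+): uninitialized urandom read "
    r"\((?P<n>\d+) bytes read, (?P<bits>\d+) bits of entropy available\)"
)

# Events that consume randomness for an encrypted volume key (systemd and
# sysvinit wordings as they appear in the thread).
CRYPTO_SETUP = re.compile(
    r"(Starting Cryptography Setup for|systemd-cryptsetup\[\d+\]: Set cipher|cryptdisks)"
)

# Classic syslog timestamp, e.g. "Sep 16 18:35:40" (single-digit days get two spaces).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year=2013):
    """Return the line's timestamp as a datetime, or None if it has none.
    Syslog omits the year, so a fixed one is supplied just to allow arithmetic."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def audit(lines):
    """Walk chronologically ordered log lines and collect RNG-sensitive events
    that occurred before the kernel reported the pool as seeded."""
    report = {"pool_ready_at": None, "uninitialized_reads": [], "crypto_before_ready": []}
    ready = False
    for line in lines:
        ts = parse_ts(line)
        if POOL_READY.search(line):
            ready = True
            report["pool_ready_at"] = ts
            continue
        m = UNINIT_READ.search(line)
        if m:
            report["uninitialized_reads"].append(
                (ts, m.group("proc"), int(m.group("n")), int(m.group("bits")))
            )
        if not ready and CRYPTO_SETUP.search(line):
            # Keep only the message part after "program[pid]: ".
            report["crypto_before_ready"].append((ts, line.split(": ", 1)[-1].strip()))
    return report


def seconds_at_risk(report):
    """Seconds between the first key-consuming event and the pool becoming ready,
    or None if either side is missing from the log."""
    if report["pool_ready_at"] is None or not report["crypto_before_ready"]:
        return None
    first = report["crypto_before_ready"][0][0]
    return (report["pool_ready_at"] - first).total_seconds()


# Constructed sample: a trimmed, unwrapped copy of the log quoted in the thread.
SAMPLE_LOG = """\
Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
Sep 16 18:35:40 debian kernel: random: udevadm: uninitialized urandom read (16 bytes read, 1 bits of entropy available)
Sep 16 18:35:40 debian systemd[1]: Found device /dev/vda1.
Sep 16 18:35:40 debian systemd[1]: Starting Cryptography Setup for swap...
Sep 16 18:35:41 debian systemd-cryptsetup[518]: Set cipher aes, mode xts-plain64, key size 256 bits for device /dev/vda1.
Sep 16 18:35:41 debian systemd[1]: Started Cryptography Setup for swap.
Sep 16 18:35:44 debian login[662]: ROOT LOGIN  on '/dev/tty1'
Sep 16 18:35:48 debian kernel: random: nonblocking pool is initialized
"""

if __name__ == "__main__":
    r = audit(SAMPLE_LOG.splitlines())
    print(f"pool ready at {r['pool_ready_at']}")
    print(f"{len(r['uninitialized_reads'])} uninitialized urandom reads")
    for ts, msg in r["crypto_before_ready"]:
        print(f"BEFORE SEEDING {ts}: {msg}")
    print(f"window of exposure: {seconds_at_risk(r)} s")
```

On a live system the same check runs over `journalctl -k -b` or `/var/log/kern.log` output; an empty `crypto_before_ready` list and no uninitialized reads is the condition a fix for this ordering bug must achieve.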