On Sunday 22 October 2006 06:16, Richard Freeman wrote:
> 3.  Generate a random encryption key (WHOA - why on earth is that script
> using urandom for this - it only pulls 18 bytes - I just changed it to
> /dev/random in mine (more secure in the event the entropy pool gets low
> - although normally they are the same)).  For those not in the know,
> /dev/random blocks if it runs out of entropy, but /dev/urandom just
> gives out a less random value.  If you need 50MB of random data you have
> to use urandom if you don't want to freeze the system for 12 hours, but
> for 18 bytes we can afford to wait for quality data.

Nice catch. At this point in booting we should have plenty of entropy in the 
random pool.  Would be wise to start service random a few steps back to make 
sure it's really random and not boot-sequence-predictable-random, although 
the script is plenty paranoid.
>
> 4.  /dev/(u)random dumps binary data - losetup wants something more sane
> as a key, so uuencode is used to convert to text.  No source of
> compromise here - the original data was random so the uuencoded data is
> still random (it is now constrained in potential output values, but is
> longer which compensates).

I actually ran this script many times without uuencode, just passing the 
random string to losetup without any complaints. Glad I have uuencode now 
though ;)

-Jason

-- 
 gpg public key: http://lazybird.hyperintelligent.net/~jbooth/jbooth_key.asc

-- 
gentoo-amd64@gentoo.org mailing list
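
The key-generation and text-encoding steps discussed in this thread, as an added example that is not part of either message nor the script they discuss: 18 raw bytes are turned into a printable key and decoded again to show the encoding is lossless (144 bits in, 24 characters of 6 bits each out). Assumptions: `base64` is swapped in for uuencode, the function names are hypothetical, and the fixed sample bytes are constructed.

```shell
#!/bin/sh
# Added example; not the script discussed in the thread.

# gen_key [SRC] [NBYTES]: read NBYTES raw bytes from SRC and print them as
# one line of base64 text (every 3 raw bytes become 4 printable characters).
gen_key() {
    head -c "${2:-18}" "${1:-/dev/urandom}" | base64 | tr -d '\n'
}

# key_to_hex KEY: decode the text key back to raw bytes and print them as hex.
# If this matches the hex of the source bytes, the encoding lost nothing.
key_to_hex() {
    printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# text_bits KEY: capacity of the text key at 6 bits per base64 character
# ('=' padding carries no data and is not counted).
text_bits() {
    stripped=$(printf '%s' "$1" | tr -d '=')
    echo $(( ${#stripped} * 6 ))
}

# Constructed sample: 18 fixed bytes standing in for random data. It includes
# NUL (0x00) and newline (0x0a), which string- or line-oriented readers treat
# as terminators, so they show why a text encoding is the safer key format.
sample=$(mktemp)
printf '\000\012\377\101\102\103\104\105\106\107\110\111\112\113\114\115\116\117' > "$sample"

key=$(gen_key "$sample" 18)
echo "text key:   $key (${#key} chars, $(text_bits "$key") bits)"
echo "round trip: $(key_to_hex "$key")"
echo "source hex: $(od -An -v -tx1 "$sample" | tr -d ' \n')"
rm -f "$sample"

# Real use: 18 bytes from the kernel RNG, encoded the same way.
echo "fresh key:  $(gen_key /dev/urandom 18)"
```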
