Sorry for the late reply. On February 19, 2005 10:29 am, [EMAIL PROTECTED] wrote: > Well, it seems the encrypted swap hint is actually quite complete. > I checked the source and all the new versions of loop_AES (> 3.0a) use, by > default, multi-keys encryption. There is no need of special boot scripts > anymore and GnuPG is not required for this. > > Anyway, I did build GnuPG on the HLFS by: > > patch -Np1 -i ../gnupg-1.4.0-loop_AES-3.0b.patch && > sed -e 's/^CFLAGS .*$/& -pie -fpie/g' \ > -i `find . -name Makefile.in` && > sed -e 's|/dev/urandom|/dev/frandom|g' -i configure && > ./configure --prefix=/usr --enable-static-rnd=linux \ > --disable-nls && > make && make install > > The question is 'what random device to use' ? > We can define the NAME_OF_DEV_RANDOM and NAME_OF_DEV_URANDOM > First, I thought about using frandom instead of urandom to be sure to have > always enough data but it seems not perfect for crypto and is not > recommanded. What do you think?
Frandom is tier three, urandom is tier two. Frandom uses a fresh seed, from urandom, each time frandom is opened, so I'm not totally against it being used for crypto keys, but urandom is more random.. less recycled. Erandom is totally unsafe for crypto because it is not seeded each use, its possible if someone rooted the box that they could reverse engineer the buffer in erandom to figure out all the random data it created previously since it was last manually seeded, but its fine for short lived stuff like mktemp. > Do people think about adding GnuPG in the book? > If not, I will add all this to the eswap-hint.txt It should be in (b)hlfs eventually, but not very soon. > PS: encrypting the /tmp could be really nice too but needs, like root > encryption, special partitioning before the build. Annoying. > > -- > Jerome Pinot > http://ngc891.blogdns.net/ -- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
