Re: [Users] virtio-rng / crypto inside vms

2013-12-15 Thread squadra
haveged is worth mentioning as a pretty good alternative solution


http://www.issihosts.com/haveged/

Cheers,

Juergen


On Fri, Dec 13, 2013 at 9:32 AM, Sven Kieske s.kie...@mittwald.de wrote:

 Answering myself, it seems
 virtio-rng will be in 3.4:
 https://bugzilla.redhat.com/show_bug.cgi?id=977079

 But I don't find it in the planning:


 https://docs.google.com/spreadsheet/ccc?key=0AuAtmJW_VMCRdHJ6N1M3d1F1UTJTS1dSMnZwMF9XWVE&usp=sharing#gid=0

 Nevertheless it would be cool if someone could give some advice
 on how to handle entropy until 3.4 gets released
 (and I have time to upgrade).





-- 

Sent from the Delta quadrant using Borg technology!
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


[Users] virtio-rng / crypto inside vms

2013-12-13 Thread Sven Kieske
Hi,

I'm just wondering: how is the state
of the virtio-rng implementation?

I'm asking because I need to regenerate
SSH host keys in newly deployed VMs.

(I seem to be the only person, or everybody
else has found the solution, or nobody thinks
about security, or a mixture of the above?)

Additionally, I found no real guidance
on how many entropy bits should be
available to generate a secure key
inside a VM, besides these numbers:

http://www.ietf.org/rfc/rfc1750.txt
suggests about 128 bits of entropy
for a single cryptographic operation.

Various other sources mention ranges
between 100 and 200, or even at least 4096,
entropy bits.

Would it be a workaround to add a virtual
sound device and use that one for /dev/random?
(But it would be useless if you have no real sound hardware, I guess.)

Additionally, when you want to regenerate host keys in e.g. Ubuntu,
3 keys get generated, so you need even more entropy to be on the
safe side.

If you have any links to best practices or some
good news regarding the state of virtio-rng, that would be awesome.

Currently my VMs have around 130-160 entropy bits available.
-- 
Kind regards / Regards

Sven Kieske

System Administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing Director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, Bad Oeynhausen local court
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, Bad Oeynhausen local court
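
A guest-side check for the situation Sven describes, added here as an example and not part of the thread or of any oVirt code. It reads the kernel's own counters (entropy_avail, poolsize and the bound hwrng driver) and returns a go/wait verdict that a provisioning script can gate ssh-keygen on. Two facts help read the numbers quoted above: poolsize is 4096 bits on these kernels, so "at least 4096" is the pool's capacity rather than a requirement; and a bound virtio_rng driver alone did not refill the input pool on kernels of that era, rngd from rng-tools had to read /dev/hwrng and feed it. ssh-keygen itself draws from /dev/urandom through OpenSSL and never blocks, so the risk of generating keys early is a predictable key, not a hang. The 256-bit threshold and the exit-code convention are this example's assumptions.

```python
"""Check the guest's kernel entropy state before (re)generating SSH host keys.

Added example for this thread, not code from oVirt or from the posters. It
reads three kernel files that exist on any Linux guest; the 256-bit threshold
and the exit-code convention (0 = go ahead, 1 = wait) are this example's
assumptions, chosen so a deploy script can gate ssh-keygen on the result.
"""
import sys

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # bits the kernel credits to the input pool
POOL_SIZE = "/proc/sys/kernel/random/poolsize"           # capacity of that pool, 4096 on these kernels
RNG_CURRENT = "/sys/class/misc/hw_random/rng_current"    # bound hwrng driver name, or "none"

# Assumed threshold: twice the ~128 bits RFC 1750 attributes to one cryptographic
# operation, as headroom for the several host keys a distro generates in one go.
NEEDED_BITS = 256


def parse_counter(text):
    """Parse a procfs counter such as '147\\n'. Raises ValueError on garbage."""
    return int(text.strip())


def hwrng_backend(text):
    """Return the bound hwrng driver (e.g. 'virtio_rng.0'), or None for 'none'/empty."""
    name = text.strip()
    return None if name in ("", "none") else name


def assess(entropy_bits, pool_bits, backend, needed_bits=NEEDED_BITS):
    """Decide whether long-lived keys should be generated now.

    Returns (ok, reason). The pool estimate is only trusted when it is
    plausible, i.e. between 0 and the pool's own capacity.
    """
    if pool_bits <= 0 or entropy_bits < 0 or entropy_bits > pool_bits:
        return False, "implausible counters: %d of %d bits" % (entropy_bits, pool_bits)
    if entropy_bits >= needed_bits:
        return True, "pool holds %d of %d bits (>= %d)" % (entropy_bits, pool_bits, needed_bits)
    if backend is not None:
        # On kernels of this era a bound hwrng does not refill the input pool by
        # itself; rngd (rng-tools) has to read /dev/hwrng and feed /dev/random.
        return False, ("pool holds only %d bits although %s is bound; is rngd running?"
                       % (entropy_bits, backend))
    return False, "pool holds only %d of %d bits and no hwrng is bound" % (entropy_bits, pool_bits)


def read_file(path, default):
    """Read a procfs/sysfs file; fall back to a default off Linux or on old kernels."""
    try:
        with open(path) as fh:
            return fh.read()
    except (IOError, OSError):
        return default


def main():
    entropy = parse_counter(read_file(ENTROPY_AVAIL, "0"))      # missing file => fail closed
    pool = parse_counter(read_file(POOL_SIZE, "4096"))
    backend = hwrng_backend(read_file(RNG_CURRENT, "none"))
    ok, reason = assess(entropy, pool, backend)
    print("%s: %s" % ("OK" if ok else "WAIT", reason))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

In a first-boot script the verdict gates the regeneration: run the check, and only on exit status 0 delete the shipped /etc/ssh/ssh_host_*_key* files and run ssh-keygen -A (OpenSSH 5.8 and later), otherwise wait and retry rather than producing keys from a nearly empty pool.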


Re: [Users] virtio-rng / crypto inside vms

2013-12-13 Thread Sven Kieske
Answering myself, it seems
virtio-rng will be in 3.4:
https://bugzilla.redhat.com/show_bug.cgi?id=977079

But I don't find it in the planning:

https://docs.google.com/spreadsheet/ccc?key=0AuAtmJW_VMCRdHJ6N1M3d1F1UTJTS1dSMnZwMF9XWVE&usp=sharing#gid=0

Nevertheless it would be cool if someone could give some advice
on how to handle entropy until 3.4 gets released
(and I have time to upgrade).

On 13.12.2013 09:09, Sven Kieske wrote:
 Hi,
 
 I'm just wondering: how is the state
 of the virtio-rng implementation?
 
 I'm asking because I need to regenerate
 SSH host keys in newly deployed VMs.
 
 (I seem to be the only person, or everybody
 else has found the solution, or nobody thinks
 about security, or a mixture of the above?)
 
 Additionally, I found no real guidance
 on how many entropy bits should be
 available to generate a secure key
 inside a VM, besides these numbers:
 
 http://www.ietf.org/rfc/rfc1750.txt
 suggests about 128 bits of entropy
 for a single cryptographic operation.
 
 Various other sources mention ranges
 between 100 and 200, or even at least 4096,
 entropy bits.
 
 Would it be a workaround to add a virtual
 sound device and use that one for /dev/random?
 (But it would be useless if you have no real sound hardware, I guess.)
 
 Additionally, when you want to regenerate host keys in e.g. Ubuntu,
 3 keys get generated, so you need even more entropy to be on the
 safe side.
 
 If you have any links to best practices or some
 good news regarding the state of virtio-rng, that would be awesome.
 
 Currently my VMs have around 130-160 entropy bits available.
 

-- 
Kind regards / Regards

Sven Kieske

System Administrator


Re: [Users] virtio-rng / crypto inside vms

2013-12-13 Thread Andrew Cathrow
Entropy starvation isn't that common, so for the vast majority of users it's not 
something that concerns them.
But obviously it's important enough that we invested in creating a 
paravirtualized solution.

RHEL 6.4 and 6.5 include support within QEMU for virtio-rng but not in libvirt.
RHEL 6.6 will pick up the appropriate libvirt support for virtio-rng, and it is 
in the RHEL 7 beta.
If I remember correctly it's in Fedora 19 and later.
If you are compiling your own, then you need QEMU version 1.3 or later and 
libvirt 1.0.3 or later.

virtio-rng is something we'd like to finish off in 3.4; it's effectively done 
already.
The challenge will be where it's supported, since EL6 hosts won't be able to 
use it unless we get creative.

If you're running on oVirt 3.2+ now with Fedora 19+ hosts then you can use a 
vdsm hook[1] to configure virtio-rng for your guests.
The XML required to inject in the hook would be relatively simple[2].

On the topic of EL6 (before 6.6 comes out), there is a way to work around 
this.
libvirt has a mechanism to pass through qemu command line options[3]. It's 
somewhere in between a great hack and a risky solution, but it's certainly 
helped us out many times. With this qemu namespace option in libvirt you could 
easily make it work in a custom hook on EL6.

Aic



[1] http://www.ovirt.org/VDSM-Hooks
[2] http://libvirt.org/formatdomain.html#elementsRng
[3] http://libvirt.org/drvqemu.html#qemucommand



- Original Message -
 From: Sven Kieske s.kie...@mittwald.de
 To: users@ovirt.org
 Sent: Friday, December 13, 2013 3:32:22 AM
 Subject: Re: [Users] virtio-rng / crypto inside vms
 
 Answering myself, it seems
 virtio-rng will be in 3.4:
 https://bugzilla.redhat.com/show_bug.cgi?id=977079
 
 But I don't find it in the planning:
 
 https://docs.google.com/spreadsheet/ccc?key=0AuAtmJW_VMCRdHJ6N1M3d1F1UTJTS1dSMnZwMF9XWVE&usp=sharing#gid=0
 
 Nevertheless it would be cool if someone could give some advice
 on how to handle entropy until 3.4 gets released
 (and I have time to upgrade).
 
 

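
Both of Andrew's suggestions folded into one before_vm_start hook, as an added example written for this thread and not vdsm's or oVirt's own hook code. On a host whose libvirt knows the <rng> element[2] it adds the libvirt device; on an EL6 host, whose QEMU 1.3+ has virtio-rng but whose libvirt does not, it falls back to the qemu namespace passthrough[3]. Assumptions: the vdsm hooking module's read_domxml()/write_domxml() (which vdsm provides) and its habit of exporting VM custom properties as environment variables; a custom property named virtio_rng (this example's name) to opt a VM in; the 1.0.3 libvirt cut-off Andrew names, tested through libvirt.getVersion(); and a per-guest rate limit, present because every guest device reads the host's /dev/random and an unthrottled guest can drain it for everyone else. The sample domain XML in the block is constructed.

```python
#!/usr/bin/python
"""vdsm before_vm_start hook: give the guest a virtio-rng device.

Added example for this thread, not vdsm's or oVirt's own hook. Assumed: vdsm
exports custom properties as environment variables and provides
hooking.read_domxml()/write_domxml(); the property name 'virtio_rng' is this
example's choice; libvirt >= 1.0.3 understands <rng>, older libvirt (EL6
before 6.6) gets raw QEMU 1.3+ arguments. Install under
/usr/libexec/vdsm/hooks/before_vm_start/ (assumed location).
"""
import os
import sys
from xml.dom import minidom

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
HOST_SOURCE = "/dev/random"              # what the guest device draws from on the host
RATE_PERIOD_MS, RATE_BYTES = 1000, 1024  # cap each guest at 1 KiB/s so it cannot drain the host pool
LIBVIRT_RNG_MIN = 1000003                # libvirt.getVersion() encoding of 1.0.3


def already_has_virtio_rng(dom):
    """True if the domain already carries an <rng> device or our raw QEMU args."""
    if dom.getElementsByTagName("rng"):
        return True
    return any(arg.getAttribute("value").startswith("virtio-rng")
               for arg in dom.getElementsByTagName("qemu:arg"))


def add_rng_element(dom, source=HOST_SOURCE):
    """libvirt-native form (formatdomain.html#elementsRng):
    <rng model='virtio'><rate .../><backend model='random'>/dev/random</backend></rng>"""
    devices = dom.getElementsByTagName("devices")[0]
    rng = dom.createElement("rng")
    rng.setAttribute("model", "virtio")
    rate = dom.createElement("rate")  # newer than 1.0.3; drop it if your libvirt rejects it
    rate.setAttribute("period", str(RATE_PERIOD_MS))
    rate.setAttribute("bytes", str(RATE_BYTES))
    backend = dom.createElement("backend")
    backend.setAttribute("model", "random")
    backend.appendChild(dom.createTextNode(source))
    rng.appendChild(rate)
    rng.appendChild(backend)
    devices.appendChild(rng)


def add_rng_qemu_args(dom, source=HOST_SOURCE):
    """EL6 fallback (drvqemu.html#qemucommand): hand QEMU the device directly.
    max-bytes/period are QEMU's own virtio-rng properties, the same limit libvirt's <rate> maps to."""
    domain = dom.documentElement
    domain.setAttribute("xmlns:qemu", QEMU_NS)
    cmdline = dom.createElement("qemu:commandline")
    for value in ("-object", "rng-random,id=rng0,filename=%s" % source,
                  "-device", "virtio-rng-pci,rng=rng0,max-bytes=%d,period=%d"
                  % (RATE_BYTES, RATE_PERIOD_MS)):
        arg = dom.createElement("qemu:arg")
        arg.setAttribute("value", value)
        cmdline.appendChild(arg)
    domain.appendChild(cmdline)


def inject(dom, libvirt_has_rng):
    """Add exactly one virtio-rng device, in the form the host's libvirt accepts."""
    if not already_has_virtio_rng(dom):
        if libvirt_has_rng:
            add_rng_element(dom)
        else:
            add_rng_qemu_args(dom)
    return dom


def inject_xml(domxml_text, libvirt_has_rng):
    """String-in/string-out wrapper around inject(), usable without vdsm."""
    return inject(minidom.parseString(domxml_text), libvirt_has_rng).toxml()


def libvirt_has_rng_support():
    """Version check through the libvirt binding every vdsm host has."""
    try:
        import libvirt
    except ImportError:
        return False
    return libvirt.getVersion() >= LIBVIRT_RNG_MIN


# Constructed, trimmed sample of the domain XML vdsm hands a hook.
SAMPLE_DOMXML = """<domain type="kvm">
  <name>guest01</name>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type="file" device="disk"><target dev="vda" bus="virtio"/></disk>
  </devices>
</domain>"""


def main():
    if os.environ.get("virtio_rng", "0") != "1":  # VM did not opt in
        return 0
    import hooking                               # vdsm's hook helper, host-only
    hooking.write_domxml(inject(hooking.read_domxml(), libvirt_has_rng_support()))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The idempotence check matters on oVirt because a migration or a later hook run hands the hook XML that may already carry the device; adding a second rng would make QEMU fail to start. Inside the guest, the result shows up as virtio_rng in /sys/class/misc/hw_random/rng_current, and rngd still has to be running there to move those bytes into the kernel pool.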