Qubes Split Entropy (/dev/random)?


Nicklaus McClendon

May 21, 2016, 3:18:58 AM
to qubes-devel
In a typical Qubes scenario, most users generate their GPG keys in a separate VM with relatively low usage activity. This can lead to a long key generation period. Overall this is nothing but an inconvenience, but what if it could be fixed? Could there be a VM that somehow stores entropy? It would of course have to be ultimately trusted, as it would be passing randomly generated bits to secure domains. I can't speak technically to exactly how the entropy would be generated; however, I would personally like to have a separate AppVM that I could attach a hardware RNG (like the NeuG) to, to feed the entire system in a secure manner.

Andrew David Wong

May 21, 2016, 3:37:20 AM
to Nicklaus McClendon, qubes-devel
There's been a lot of discussion about this in the past. Here are the
main issues to read through:

https://github.com/QubesOS/qubes-issues/issues/673
https://github.com/QubesOS/qubes-issues/issues/1311

The current solution is to use haveged, which should already be
pre-installed in recent Qubes versions.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
