Persist entropy pool seeds
As a Tails user When I boot Tails with persistence enabled Then when an entropy is required, it would use the entropy pool seed
Rationale
Generating entropy on a live distribution is a tough problem. And this has impact to securely generate cryptographic keys, like for example for Pidgin-OTR, using SSH or generating a PGP key. We hope to improve this situation for users who enable the persistence storage option using some randomness from the previous session to help bootstrap with some “well” generated randomness.
Technical discussion
From the discussions and research on #7642 (closed) and #5650 (closed), it seems clear
that it would be good to persist entropy pool seeds
(/var/lib/random-seed
, /var/lib/urandom/random-seed
,
/var/lib/systemd/random-seed
, etc.) whenever possible.
It might even be that we want to do that by default when persistence is enabled (although it’s a hard decision to make, because it breaks one of the basic assumptions of how Tails works).
Still, note that these seeds won’t be used at early boot stage, but only once persistence is enabled. We should look at pointers on #6116 and evaluate how much of a problem it is in practice, in Tails use case.
Team
Team: segfault, bertagaz
Blueprint: https://tails.boum.org/blueprint/randomness_seeding/
Subtasks
Related issues
- Related to #7642 (closed)
- Related to #5650 (closed)
- Related to #7646 (closed)
- Related to #6116
- Is duplicate of #11897
Original created by @intrigeri on 7675 (Redmine)