On Mon, Mar 25, 2024 at 4:33 PM Björn Persson <Bjorn@rombobjörn.se> wrote: > > In a quest to acquire hardware random number generators for seeding > /dev/random on servers that lack a built-in entropy source, I'm > investigating how random data can be obtained from a security key such > as a Nitrokey, Yubikey or a similar device.
Out of morbid curiosity, what hardware are the servers using? RDRAND and RDSEED have been available since about 2012, so it is mostly ubiquitous nowadays. > RNGD version 6 from https://github.com/nhorman/rng-tools can fetch > random data through a PKCS #11 interface, but the two versions of RNGD > in Debian seem to lack that ability. Debian has rng-tools5 and > rng-tools-debian, but not Neil Horman's version 6. Or am I just failing > to find it? Be careful of rng-tools. It does not do a good job for non-mainstream generators, like VIA's Padlock Security Engine. And rng-tools did not support generators for architectures, like you would find on ARM, aarch64 and PowerPC. > SCDrand from https://incenp.org/dvlpt/scdtools.html can also obtain > random data from a "smartcard"-compatible device, but I don't find that > in Debian either. > > Does anyone know of another way to obtain random data from devices of > this kind? PKCS#11 is a standard interface. If the card provides a generator, then the code is the same for all cards. OpenSSL and GnuPG should be able to extract the entropy from the card, and then use it to seed /dev/{u}random. But keep in mind ... the kernel crypto folks effectively deprecated /dev/random, and recommend using /dev/urandom for your random bits. Or use getrandom(2). See <https://lkml.org/lkml/2017/7/20/993>. Jeff
