undefined | Better HN

0 pointsslavik819y ago0 comments

The usual time I've been concerned has been after creating a new virtual machine. Right after creating a new DO droplet I need to do a bunch of things to set up my application, like seed my CSRF token generator.

Of course, /dev/random would block for ages at that point, so I instead generate the seed on a different machine.

0 comments

geofft9y ago

Ugh, yes, the practice of short-lived machines throws off the assumption of "when it was last shut down." You are totally right that this is a concern.

The ideal solution to this would be for hypervisors to just pass a random seed to their guests. (There is even a full virtio-rng device in qemu, it just seems to have /dev/random semantics from a quick glance.) I don't know how we get to the point of convincing the big cloud providers to start doing this, though.

jasonvorhe9y ago

Wouldn't it help to run something like havaged on the virtualization host that's feeding entropy to the virtualized nodes?

jquast9y ago

yes

j / k navigate · click thread line to collapse