On Thu, Jun 13, 2019 at 05:06:16PM +1000, Dr Paul Dale wrote:
> The second suggestion is broadly similar but requires a file containing
> entropy that persists across reboots. This alternative requires more
> management: the entropy file, once read, needs to be rewritten immediately
> (and ideally on shutdown as well). It also introduces a new attack vector
> against the entropy storage. It also isn't possible to skip the entropy file
> read/rewrite sequence, because it is impossible to determine if /dev/urandom
> has actually been seeded. I've not attempted to code this; persistent files
> containing seed material potentially introduce other problems.
This is what init systems have always done. I see no need to also do it. They have a policy not to credit the entropy from that file; I see no reason why we should override that policy.

Kurt
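For reference, the read/rewrite discipline Paul describes, written out as a small Python example. This is added here for illustration and is not code from this thread, from OpenSSL, or from any init system: the function names (load_seed, save_seed, naive_load_seed, demo), the 64-byte seed size and the use of SHA-512 as a stand-in for a DRBG derivation function are all my own assumptions. It follows the init-system policy Kurt refers to: whatever comes back from load_seed is meant to be fed to the DRBG as additional input, never credited as entropy, and fresh os.urandom() is always mixed in so that a leaked seed file alone does not determine the DRBG state. naive_load_seed is the failure mode (read without immediate rewrite), kept only so the contrast can be checked.

```python
"""Persistent seed file handling for a userspace DRBG (illustrative example)."""
import hashlib
import os
import tempfile

SEED_LEN = 64  # bytes written to the seed file (one SHA-512 digest)


def _mix(*parts: bytes) -> bytes:
    """Length-prefixed SHA-512 over the parts. Stand-in for the DRBG's own
    derivation function; the prefixes stop "a"+"bc" colliding with "ab"+"c"."""
    h = hashlib.sha512()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def _atomic_write(path: str, data: bytes) -> None:
    """Write data to a mode-0600 temp file in the same directory, fsync it, then
    rename over path. A crash mid-write leaves the old file or the new one on
    disk, never a truncated or world-readable one."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".seed-")
    try:
        with os.fdopen(fd, "wb") as f:
            if hasattr(os, "fchmod"):
                os.fchmod(f.fileno(), 0o600)  # seed material is secret
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise


def load_seed(path: str) -> bytes:
    """Boot time: read the seed, then overwrite it on disk *before* the old bytes
    reach any consumer, so a crash after this call cannot replay the same seed
    on the next boot. Returns pool input to be used as additional input only
    (not credited entropy), mixed with fresh os.urandom() output."""
    try:
        with open(path, "rb") as f:
            old = f.read()
    except FileNotFoundError:
        old = b""  # first boot: nothing to carry over
    fresh = os.urandom(SEED_LEN)
    _atomic_write(path, _mix(b"refresh", old, fresh))
    return _mix(b"pool-input", old, fresh)


def save_seed(path: str, drbg_output: bytes) -> None:
    """Shutdown time: persist DRBG output for the next boot. It is hashed with
    fresh OS randomness so the file never holds raw DRBG output verbatim."""
    _atomic_write(path, _mix(b"shutdown", drbg_output, os.urandom(SEED_LEN)))


def naive_load_seed(path: str) -> bytes:
    """The failure mode: read without rewriting. Two boots (or one boot that
    crashes after the read) start from identical seed material."""
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Simulate a shutdown followed by two boots under each strategy, in a
    throwaway directory, and report what each property looked like."""
    path = os.path.join(tempfile.mkdtemp(), "seed")
    # Constructed stand-in for the DRBG output captured at first shutdown.
    save_seed(path, b"constructed: DRBG output at first shutdown")
    before = naive_load_seed(path)
    naive_a, naive_b = naive_load_seed(path), naive_load_seed(path)
    safe_a = load_seed(path)
    after_first = naive_load_seed(path)
    safe_b = load_seed(path)
    mode = os.stat(path).st_mode & 0o777
    return {
        "naive_reused": naive_a == naive_b,          # same bytes on both boots
        "safe_distinct": safe_a != safe_b and safe_a != before,
        "file_rotated": after_first != before and len(after_first) == SEED_LEN,
        "perms_ok": os.name != "posix" or mode == 0o600,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the first two keys: with the naive read, the "two boots" see identical seed material, while with the immediate rewrite no two reads ever return the same bytes and the file on disk changes under the reader. None of this answers Paul's last concern (you still cannot tell from userspace whether the kernel pool was seeded), which is exactly why the returned bytes are additional input and not credited entropy.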
