Re: dropbear delayed startup
cryptsetup does not encrypted filesystems, so you must be mistaken
if you believe that you are "remote unlocking of encrypted
filesystems" with cryptsetup. Be specific about your configuration;
this is important in this case. Those looking for assistance are in
no position to be determining what is and/or is not important.
Are you perchance talking about fully encrypted systems as in:
What issue do you have, sounds like you are just generally concerned.
You should direct concerns to the authors of the software you are
concerned about; not many others would care or be in any position to
If you followed the above instructions it's possible that during the
start of dropbear there is very little entropy required/used until you
auth over ssh. If you skipped the step of saving host keys into
your initrd, then this could be your issue, as dropbear's initscripts
should 'block' startup while entropy is collected.
Is that the behavior you are seeing? If each startup is generating
ssh host keys, that's very bad and should be avoided.
AUMK urandom is not delayed if there is no entropy available.
Applications should not be looking there for entropy, that would be a
bug in the application. I'm unfamiliar with a method for determining
the entropy of bytes read from urandom, an interesting concept.
Only a dropbear developer would be able to insist that urandom is only
used when appropriate. Only you can prevent the re-generation of ssh
On 02/12/13 10:55, Lukas Schwaighofer wrote:
> I started using remote unlocking of encrypted filesystems within
> the initramdisk (as provided by the cryptsetup/dropbear packages)
> some time ago. However, I am worried because of the potentially low
> entropy during the execution of the initramfs and dropbear using
> /dev/urandom as a source for randomness.
> /usr/share/doc/cryptsetup/README.remote.gz from my installed
> cryptsetup (2:1.4.3-4) states in the Issues section that the ssh
> daemon (dropbear) "might be delayed until enough entropy has been
> retrieved". I couldn't find any other references to dropbear
> delaying startup due to low entropy. In the dropbear code I could
> only find graceful handling of a blocking random source but no
> builtin delay mechanism.
> Can anyone confirm that dropbear does delay startup if the kernel
> is low on entropy?
> Thanks, Lukas
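An added audit helper, not part of this thread, that checks the two things the reply points at: whether the initramfs carries persistent dropbear host keys (so they are not regenerated at every boot) and whether the kernel pool has entropy available. The key paths, the 256-bit threshold and the sample listings are assumptions constructed for this example, not taken from the thread.

```shell
#!/bin/sh
# Audit helper (added example, not from the original mailing-list thread).
# Checks that a Debian-style initramfs listing contains persistent dropbear
# host keys and that the kernel entropy pool is not starved.
# Key paths and the 256-bit threshold are assumptions, not thread facts.

# Host key paths expected inside the initramfs (assumed dropbear-initramfs layout).
KEY_PATHS="etc/dropbear/dropbear_rsa_host_key etc/dropbear/dropbear_ecdsa_host_key"

# hostkeys_in_listing LISTING: returns 0 when every expected key path appears
# in LISTING (one path per line, as printed by lsinitramfs), 1 otherwise.
hostkeys_in_listing() {
    listing="$1"
    for k in $KEY_PATHS; do
        # lsinitramfs prints paths without a leading slash; accept either form.
        printf '%s\n' "$listing" | grep -qx -e "$k" -e "/$k" || return 1
    done
    return 0
}

# entropy_ok VALUE THRESHOLD: returns 0 when VALUE (bits, as read from
# /proc/sys/kernel/random/entropy_avail) is at least THRESHOLD.
entropy_ok() {
    [ "$1" -ge "$2" ]
}

# Constructed sample listings for a stand-alone run (not real initramfs output).
GOOD_LISTING="etc/dropbear
etc/dropbear/dropbear_rsa_host_key
etc/dropbear/dropbear_ecdsa_host_key
sbin/dropbear"
BAD_LISTING="etc/dropbear
sbin/dropbear"

# audit_live: inspect the running system when lsinitramfs and the initrd exist.
audit_live() {
    initrd="/boot/initrd.img-$(uname -r)"
    if command -v lsinitramfs >/dev/null 2>&1 && [ -r "$initrd" ]; then
        if hostkeys_in_listing "$(lsinitramfs "$initrd")"; then
            echo "OK: persistent dropbear host keys found in $initrd"
        else
            echo "WARN: no persistent dropbear host keys in $initrd"
        fi
    fi
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        avail=$(cat /proc/sys/kernel/random/entropy_avail)
        entropy_ok "$avail" 256 && echo "OK: entropy_avail=$avail" || echo "WARN: entropy_avail=$avail"
    fi
}

[ "${1:-}" = "--live" ] && audit_live
```

Run with `--live` on the target host to inspect the real initrd and entropy pool; without it, only the functions and constructed listings are defined.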