Project

General

Profile

Feature #16891

Ensure enough entropy is available when setting up persistence

Added by segfault about 1 month ago. Updated about 1 month ago.

Status:
Confirmed
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

Copying from the description of #11897:

Given I just installed Tails on a USB stick
When I boot it for the first time
Then I want to have good entropy to create the persistent storage

This was supposed to be solved by #11897, but now that our recommended way to install Tails on a USB stick is via the USB Image instead of the Tails Installer, #11897 won't help much to solve this.


Related issues

Related to Tails - Feature #11897: Persist a random seed across boots Needs Validation 11/04/2016

History

#1 Updated by segfault about 1 month ago

#2 Updated by segfault about 1 month ago

I propose that in tails-persistence-setup, when creating the encrypted persistence partition, we check that the current entropy of the kernel's RNG is high enough to provide good random numbers for the LUKS key generation.

I found that the luks_format function in src/plugins/crypto.c in the libblockdev repo, which is used via udisks to format the persistent volume as LUKS, takes a min_entropy parameter and blocks until this amount of entropy is available. Unfortunately, udisks doesn't allow specifying this parameter and always sets it to 0.

But we can easily do this check ourselves, by reading /proc/sys/kernel/random/entropy_avail. This file contains the available entropy, in bits (see http://man7.org/linux/man-pages/man4/random.4.html). We should check that this is >= 256 (for the 256 bit AES key).

Also available in: Atom PDF