[pkg-cryptsetup-devel] Bug#728197: Low entropy for encrypted swap partition

Milan Kral milan.kral at azet.sk
Tue Oct 29 12:09:08 UTC 2013


Package: cryptsetup
Version: 2:1.6.1-1
Severity: important


Dear Maintainer,
I have added encrypted swap partition to /etc/crypttab exactly as
recommended in /usr/share/doc/cryptsetup/README.Debian.gz

cswap1 /dev/hdc1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256

The problem is that in /etc/rcS.d  the scripts S07cryptdisks-early,
S09cryptdisks are run before S13urandom. We are trying to read from
/dev/urandom before the Linux random number generator is properly
seeded. This can lead to predictable encryption key for the swap partition.

One solution would be to move S13urandom to S06urandom, but then the
random seed file /var/lib/urandom/random-seed must be present before
mounting crypto partitions.

Please see also the comment "2.2 How do I set up encrypted swap?"

https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#2._Setup

Again, the problem is that S13urandom is run only after S09cryptdisks
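The ordering problem above is easy to check mechanically. The following POSIX sh script is an added example, not part of the bug report or of the cryptsetup package: it looks for the S<NN>name start links in an rcS.d directory (the naming convention visible in the report) and fails when any cryptdisks script has a sequence number that is not strictly greater than the urandom seeding script. The rcS.d layout used in the usage comment is constructed to mirror the report.

```shell
#!/bin/sh
# Added example (not from the bug report): check that the urandom seeding
# script is ordered before the cryptdisks scripts in a sysv rcS.d directory.
# Usage: ./rcs-order.sh /etc/rcS.d
#   exit 0  -> urandom is seeded before cryptdisks runs
#   exit 1  -> a cryptdisks script runs first (the situation in the report)

# Print the two-digit sequence number NN of the start link S<NN><name> in DIR,
# or return 1 if DIR holds no such link.
rcs_seq() {
    dir=$1
    name=$2
    for link in "$dir"/S[0-9][0-9]"$name"; do
        # An unmatched glob is passed through literally; skip it. Dangling
        # symlinks (common in rcS.d) still count, hence the -L test.
        [ -e "$link" ] || [ -L "$link" ] || continue
        seq=${link##*/S}        # drop the directory and the leading "S"
        echo "${seq%$name}"     # drop the script name, leaving NN
        return 0
    done
    return 1
}

# Return 0 when urandom starts before every cryptdisks script, 1 otherwise.
# Equal sequence numbers are treated as a problem, because ordering then
# falls back to the alphabetical order of the names.
check_rcs_order() {
    dir=$1
    useq=$(rcs_seq "$dir" urandom) || {
        echo "no urandom start link in $dir"
        return 1
    }
    status=0
    for script in cryptdisks-early cryptdisks; do
        cseq=$(rcs_seq "$dir" "$script") || continue   # script not installed
        if [ "$cseq" -le "$useq" ]; then
            echo "PROBLEM: S${cseq}${script} runs before S${useq}urandom in $dir"
            status=1
        else
            echo "ok: S${useq}urandom runs before S${cseq}${script}"
        fi
    done
    return $status
}

# Constructed demo layout mirroring the report (S07, S09 before S13); creating
# it in a scratch directory and running the check reproduces the complaint:
#   d=$(mktemp -d); touch "$d/S07cryptdisks-early" "$d/S09cryptdisks" "$d/S13urandom"
#   check_rcs_order "$d"   # prints PROBLEM lines and returns 1

if [ $# -gt 0 ]; then
    check_rcs_order "$1"
fi
```

Passing the check only shows that the seed file is read first; as the report notes, moving the seeding script earlier also requires /var to be mounted at that point, which this script does not verify.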



