[pkg-cryptsetup-devel] Bug#728197: Low entropy for encrypted swap partition
Milan Kral
milan.kral at azet.sk
Tue Oct 29 12:09:08 UTC 2013
Package: cryptsetup
Version: 2:1.6.1-1
Severity: important
Dear Maintainer,
I have added an encrypted swap partition to /etc/crypttab exactly as
recommended in /usr/share/doc/cryptsetup/README.Debian.gz
cswap1 /dev/hdc1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256
The problem is that in /etc/rcS.d the scripts S07cryptdisks-early,
S09cryptdisks are run before S13urandom. We are trying to read from
/dev/urandom before the Linux random number generator is properly
seeded. This can lead to a predictable encryption key for the swap partition.
One solution would be to move S13urandom to S06urandom, but then the
random seed file /var/lib/urandom/random-seed must be present before
mounting crypto partitions.
Please see also the comment "2.2 How do I set up encrypted swap?"
https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions#2._Setup
Again, the problem is that S13urandom is run only after S09cryptdisks
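
Added example, not part of the original message or of the cryptsetup package: a POSIX shell check for the start order described in the report, combined with a scan of crypttab for targets keyed from a kernel random device. It assumes legacy sysv-rc S?? links in the directory it is given; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysv-rc rcS.d directory for the ordering in the report.

# Print the two-digit start sequence of S??<name>; fail if no such script exists.
rc_seq() {  # $1 = rcS.d-style directory, $2 = init script name
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || continue
        b=${f##*/}; b=${b#S}; seq=${b%"$2"}
        echo "$seq"
        return 0
    done
    return 1
}

# Return 0 if urandom starts before every cryptdisks script, 1 if one of them
# starts first, 2 if the directory lacks the scripts needed to decide.
# Equal numbers count as "first": ties run in lexical name order (c < u).
check_boot_order() {  # $1 = rcS.d-style directory
    u=$(rc_seq "$1" urandom) || return 2
    found=0
    for name in cryptdisks-early cryptdisks; do
        c=$(rc_seq "$1" "$name") || continue
        found=1
        if [ "${c#0}" -le "${u#0}" ]; then
            echo "S$c$name starts before S${u}urandom" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return 0
}

# Print crypttab targets whose key file (third field) is a kernel random device.
random_keyed_targets() {  # $1 = crypttab path
    awk '$1 !~ /^#/ && ($3 == "/dev/urandom" || $3 == "/dev/random") { print $1 }' "$1"
}

# Constructed sample reproducing the layout described in the report.
demo() {
    d=$(mktemp -d)
    : > "$d/S07cryptdisks-early"; : > "$d/S09cryptdisks"; : > "$d/S13urandom"
    echo 'cswap1 /dev/hdc1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256,hash=sha256' > "$d/crypttab"
    if check_boot_order "$d" 2>/dev/null; then rc=0; else rc=$?; fi
    for t in $(random_keyed_targets "$d/crypttab"); do
        [ "$rc" -ne 1 ] || echo "WARN: $t is keyed before the urandom seed is restored"
    done
    rm -rf "$d"
}
demo
```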