[guardian-dev] using /dev/random in openssl

ShootAKite at riseup.net ShootAKite at riseup.net
Thu Mar 27 23:39:06 EDT 2014


To get good entropy install OpenBSD[1] on a VM with network adapter
permanently disabled and use /dev/arandom.  If possible use a PEM pass
phrase so you have the countermeasure of "forgetting the password" if
under a lavabit attack.  RSA 2048 bit  theretically will require quantum
computers to crack unless someone comes up with more efficient math to
crack the RSA algorithm.
A

[1] http://www.openbsd.org/ftp.html#mirrors

On 03/27/2014 08:11 PM, Hans-Christoph Steiner wrote:
> Anyone have any opinions about generating keys with openssl using /dev/random
> on GNU/Linux? i.e.
>
>   openssl genrsa -out key.pem -rand /dev/random 2048
>
> I figure there had been many flaws related to poorly seeded and implemented
> CSPRNGs that might as well just use pure random.  Sure, it takes a lot longer,
> but its only once.
>
> .hc



More information about the Guardian-dev mailing list