How to prep the /dev/random device in FreeBSD 4.x
Copyright © 2002-2005 by Doug Barton, DougB@FreeBSD.org
What is the /dev/random device?
Most modern Unix operating systems provide a /dev/random device that hands out
more or less random numbers. Behind the device sits a Pseudo-Random Number
Generator, or PRNG: an algorithm that stretches a small amount of unpredictable
input (entropy) into a long stream of output. (Generating "truly" random numbers
usually requires special hardware.) These random numbers are used for all sorts of
security-sensitive things, like ssh keys, SSL keys, TCP/IP sequence numbers, etc.,
so the generator must be seeded with input an attacker cannot predict.
What is the difference between /dev/random and /dev/urandom?
The /dev/random device hands out "high-quality" random bits only up to the amount of
"random" information (entropy) it has been seeded with; once that is used up, reads stop
yielding data until more entropy has been collected. The /dev/urandom device does not
have this limitation. It keeps handing out bits for as long as it is read, stretching the
same pool state further and further, so their quality is no longer backed by fresh entropy.
What is rndcontrol?
rndcontrol is the tool used to tell the FreeBSD 4.x kernel which IRQs it should sample to feed
entropy into the PRNG; the unpredictable input is the timing of those interrupts. It can be used
from the command line when you first set things up, but most commonly it is called as part of the
boot process by /etc/rc, which reads the IRQ list from the rand_irqs variable in /etc/rc.conf.
How do I choose my IRQs?
You want to use devices for entropy whose interrupts arrive at unpredictable times. If you have a
keyboard or mouse attached to the system, these are generally good IRQs to use, since a human drives
them. Systems connected to a network should also use the IRQ of the ethernet card(s), and disk
devices provide useful entropy as well. Bear in mind, though, that a remote party can influence when
a network card interrupts simply by sending it packets, so the ethernet IRQ should be one source
among several, never the only one. First determine which IRQs are assigned to which devices:
    # grep -i irq /var/run/dmesg.boot
    ata0: at 0x1f0 irq 14 on atapci0
    ata1: at 0x170 irq 15 on atapci0
    uhci0: port 0xd400-0xd41f irq 5 at device 4.2 on pci0
    intpm0: port 0xe800-0xe80f irq 9 at device 4.3 on pci0
    intpm0: intr IRQ 9 enabled revision 0
    ahc0: port 0xd000-0xd0ff mem 0xd4800000-0xd4800fff irq 5 at device 9.0 on pci0
    pcm0: port 0xb800-0xb81f irq 12 at device 10.0 on pci0
    fxp0: port 0xb000-0xb03f mem 0xd3800000-0xd38fffff,0xd4000000-0xd4000fff irq 10 at device 11.0 on pci0
    fdc0: port 0x3f7,0x3f2-0x3f5 irq 6 drq 2 on acpi0
    sio0 port 0x3f8-0x3ff irq 4 on acpi0
    sio1 port 0x2f8-0x2ff irq 3 on acpi0
    atkbdc0: port 0x64,0x60 irq 1 on acpi0
    atkbd0: flags 0x1 irq 1 on atkbdc0
    sio4: <3Com U.S.Robotics 56K FAX Internal> at port 0x3e8-0x3ef irq 7 on isa0

Since I have a standard keyboard (atkbd0, IRQ 1) and a USB mouse (on uhci0, IRQ 5) attached to this
system, plus the fxp0 ethernet card (IRQ 10) and the primary ATA channel (ata0, IRQ 14), IRQs 1, 5,
10, and 14 are good choices. IRQ 5 is shared with the ahc0 SCSI controller; that is fine, because the
kernel samples the interrupt line, so both devices contribute. Now register each IRQ:
    # rndcontrol -s 1
    rndcontrol: setting irq 1
    rndcontrol: interrupts in use: 1
    # rndcontrol -s 5
    rndcontrol: setting irq 5
    rndcontrol: interrupts in use: 1 5
    # rndcontrol -s 10
    rndcontrol: setting irq 10
    rndcontrol: interrupts in use: 1 5 10
    # rndcontrol -s 14
    rndcontrol: setting irq 14
    rndcontrol: interrupts in use: 1 5 10 14

Before I forget, I like to add these values to /etc/rc.conf[.local] so that they are applied again
at every boot.
Your /dev/random device will now be seeded with entropy from the devices you have selected. As time goes by, the amount of "high-quality" randomness available will increase. It should not take too long before there is more than enough to run things like rndc-confgen or dnssec-keygen from BIND, which read /dev/random and will not finish on a freshly booted, unseeded box until the pool has collected enough entropy.
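The whole procedure above, as an added example that is not part of this page or of the FreeBSD base system: a small sh script that pulls the IRQs of named device instances out of dmesg.boot text, lists a shared interrupt line once, emits the rc.conf(5) setting (the rand_irqs variable) that /etc/rc on 4.x hands to rndcontrol at boot, registers the IRQs with rndcontrol where that tool exists, and checks whether a single read(2) of /dev/random comes back short. The dmesg lines are a constructed sample modelled on the listing above with the device descriptions left out, and the function names entropy_irqs, rc_conf_line, apply_irqs and pool_check are mine.

```shell
#!/bin/sh
# Added example (not Doug Barton's code): select entropy IRQs from dmesg.boot
# text and produce the rndcontrol / rc.conf settings for FreeBSD 4.x.

# Constructed sample of `grep -i irq /var/run/dmesg.boot` output, modelled on
# the page's listing; the <...> device descriptions are left out.
SAMPLE_DMESG='ata0: at 0x1f0 irq 14 on atapci0
ata1: at 0x170 irq 15 on atapci0
uhci0: port 0xd400-0xd41f irq 5 at device 4.2 on pci0
intpm0: port 0xe800-0xe80f irq 9 at device 4.3 on pci0
ahc0: port 0xd000-0xd0ff mem 0xd4800000-0xd4800fff irq 5 at device 9.0 on pci0
pcm0: port 0xb800-0xb81f irq 12 at device 10.0 on pci0
fxp0: port 0xb000-0xb03f mem 0xd3800000-0xd38fffff,0xd4000000-0xd4000fff irq 10 at device 11.0 on pci0
fdc0: port 0x3f7,0x3f2-0x3f5 irq 6 drq 2 on acpi0
sio0 port 0x3f8-0x3ff irq 4 on acpi0
atkbdc0: port 0x64,0x60 irq 1 on acpi0
atkbd0: flags 0x1 irq 1 on atkbdc0'

# entropy_irqs DEV...: read dmesg text on stdin and print, ascending and
# de-duplicated, the IRQs claimed by the named device instances (e.g. fxp0).
# A line shared by two devices (IRQ 5: uhci0 and ahc0 above) is listed once;
# rndcontrol samples the interrupt line, not the device.
entropy_irqs() {
    awk -v devs="$*" '
        BEGIN { n = split(devs, want, " ") }
        {
            name = $1; sub(/:$/, "", name)      # "fxp0:" -> "fxp0"
            for (i = 1; i <= n; i++) {
                if (name != want[i]) continue
                for (j = 1; j < NF; j++)
                    if ($j == "irq" && $(j + 1) ~ /^[0-9]+$/) seen[$(j + 1) + 0] = 1
            }
        }
        END {
            out = ""
            for (k = 0; k < 256; k++) if (k in seen) out = out (out == "" ? "" : " ") k
            print out
        }'
}

# rc_conf_line IRQ...: the rc.conf(5) knob that /etc/rc on 4.x loops over,
# calling rndcontrol -s for each IRQ, so the selection survives a reboot.
rc_conf_line() {
    printf 'rand_irqs="%s"\n' "$*"
}

# apply_irqs IRQ...: register each IRQ now, as in the interactive session
# above. rndcontrol only exists on FreeBSD 4.x, so elsewhere just report what
# would be run.
apply_irqs() {
    if ! command -v rndcontrol >/dev/null 2>&1; then
        echo "rndcontrol not found; would run: rndcontrol -s <irq> for: $*" >&2
        return 0
    fi
    for irq in "$@"; do rndcontrol -s "$irq"; done
}

# pool_check DEVICE: issue one 32-byte read(2) against DEVICE and print how
# many bytes came back. A value below 32 from /dev/random on 4.x means the
# pool could not back the request yet (the "up to the limit" behaviour above).
pool_check() {
    dd if="$1" bs=32 count=1 2>/dev/null | wc -c | tr -d ' '
}

# Keyboard, USB (mouse), ethernet and the primary ATA channel, as chosen above.
IRQS=$(printf '%s\n' "$SAMPLE_DMESG" | entropy_irqs atkbd0 uhci0 fxp0 ata0)
echo "entropy IRQs: $IRQS"
rc_conf_line $IRQS
apply_irqs $IRQS
echo "bytes from one read of /dev/random: $(pool_check /dev/random)"
```

On a real 4.x box, feed the script /var/run/dmesg.boot instead of the sample and name the device instances you actually own; the rc_conf_line output goes into /etc/rc.conf[.local] as is. Running pool_check repeatedly after boot shows the pool filling up: the count climbs to the full request size once enough interrupts have been harvested.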
What about FreeBSD 5 and beyond?
In FreeBSD 5 we introduced a vastly superior method of random number generation, the Yarrow-based
random(4) driver. In addition to better protection for the internal state of the PRNG, and better
overall quality of the random bits, FreeBSD 5 and beyond come configured out of the box with very
lightweight entropy gathering routines already enabled, so the rndcontrol step described above is
not needed there; which sources the kernel harvests from (interrupts, ethernet traffic) is
controlled with the kern.random.sys.harvest.* sysctls instead.
Additional resources
man 4 random
man 8 rndcontrol