urandom vs haveged

Gregory Maxwell gmaxwell at gmail.com
Tue Mar 27 03:23:06 UTC 2012


On Mon, Mar 26, 2012 at 6:55 PM, Chris Murphy <lists at colorremedies.com> wrote:
> So then the question is, if urandom is what's recommended, are faster substitutes just as good? If they are just as good, then why aren't they the first recommendation? And if this step is superfluous, then I'd suggest documentation be changed to eliminate the suggestion altogether.

Personally, I set up dmcrypt (w/o luks) first using /dev/urandom as the
key and one of the secure block modes (e.g. aes-lrw or aes-essiv).
Then I fill the dmcrypt device with /dev/zero.  This goes fairly fast,
filling the device with securely encrypted zeros.

Then I drop the volume and set up luks normally.
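
Added example, not part of the original message and not the poster's own script: the four steps above written as a shell function using current cryptsetup syntax. Assumptions: the mapping name `wipe_tmp`, the cipher spec `aes-cbc-essiv:sha256` with a 256-bit key standing in for the "aes-essiv" mentioned above, and the `DRY_RUN` switch and function names, which are hypothetical.

```sh
#!/bin/sh
# Added example: pre-fill a block device with ciphertext before LUKS setup.
# DRY_RUN=1 (default) only prints the commands; run as root with DRY_RUN=0 to execute.
DRY_RUN="${DRY_RUN:-1}"
MAP_NAME="wipe_tmp"              # hypothetical mapping name
CIPHER="aes-cbc-essiv:sha256"    # assumed spec for the message's "aes-essiv"

run() {
    # Print the command; execute it only when DRY_RUN=0.
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

prefill_and_format() {
    dev="$1"
    case "$dev" in
        /dev/*) ;;
        *) echo "refusing: '$dev' is not a /dev path" >&2; return 2 ;;
    esac
    if [ "$DRY_RUN" = "0" ] && [ ! -b "$dev" ]; then
        echo "refusing: $dev is not a block device" >&2; return 2
    fi
    # 1. Plain dm-crypt mapping (no LUKS header) keyed with 256 bits read
    #    from /dev/urandom; the key is never stored anywhere.
    run cryptsetup open --type plain --cipher "$CIPHER" --key-size 256 \
        --key-file /dev/urandom "$dev" "$MAP_NAME" || return 1
    # 2. Zeros written through the mapping reach the disk as ciphertext.
    #    dd ends with "No space left on device" when the device is full;
    #    that is the expected stop condition, so its exit status is ignored.
    run dd if=/dev/zero of="/dev/mapper/$MAP_NAME" bs=1M || true
    # 3. Drop the mapping, which discards the throwaway key.
    run cryptsetup close "$MAP_NAME" || return 1
    # 4. Set up LUKS normally on the now ciphertext-filled device.
    run cryptsetup luksFormat "$dev"
}
```

With the default `DRY_RUN=1`, calling `prefill_and_format /dev/sdX` prints the four commands for review without touching the device.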


