This is a bit of a doozy, so if you just want the TL;DR, read the title! I use Debian 7 for all my servers.
I currently face a situation in my homelab where I have the need for a lot of good entropy in a few VMs, and a good source of it: a fileserver running a bunch of stuff with haveged. The fileserver however is not the hypervisor of the VMs, and those hypervisors suck entropy-wise. I need to get the entropy from fileserver to client.
I found entropy-broker, but it seems like massive overkill for me (or is it?), plus I hear it crashes a lot and is generally hard to get working properly. I have one "server" that will distribute to ~two dozen "clients".
In the mean time, I've written a simple script pair (using xinetd and nc, along with rngd) to "distribute" entropy from the one host to the other. However, inside this problem I'm stuck right now: should I even, and if so how, encrypt the stream from /dev/random?
On the fileserver, I'm running (with nc for functional demonstration):
cstream -t 8192 /dev/random | nc -l -p 22222
And on the clients (with nc part of the script):
nc fileserver 22222 > /tmp/fifo &
rngd -r /tmp/fifo -o /dev/random -t 1 -f
So, is this "secure" for actual crypto purposes in the target machine, as-is? It is a local network, but I could wish to send it to a remote VPS over the public Internet, and it might be concevable for someone to snoop the local network as well. Would that even matter if, say, they read that /dev/random stream right as I was generating an SSL key? And if so, how should I encrypt it, since any of "openssl", "mcrypt", "ccrypt", etc. block waiting for EOF in the decryption step (i.e. the following doesn't work as expected, and will show no data being written to the FIFO):
fileserver$ cstream -t 8192 /dev/random | mcrypt --flush --key herpaderp | nc -l -p 22222
client$ nc fileserver 22222 | mdecrypt --flush --key herpaderp > /tmp/fifo
I'm here to ask my fellow Linux admins, how would you solve this problem? How can I best get my fileserver entropy into my VMs, securely? And if my self-script solution is the best way, how can I encrypt and decrypt that stream of arbitrary data continuously?
EDIT: Thanks /u/redditrobert, for suggesting dd. This is working exactly as I hoped:
fileserver$ cstream -t 8192 /dev/random | mcrypt --flush --key herpaderp | nc -l -p 22222
client$ nc fileserver 22222 | dd bs=1k | mdecrypt --flush --key herpaderp > /tmp/fifo
[link][9 comments]