NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: bin/55917: /etc/rc.d/cgd stalls on encrypted swap partitions

The following reply was made to PR bin/55917; it has been noted by GNATS.

From: Taylor R Campbell <>
Subject: Re: bin/55917: /etc/rc.d/cgd stalls on encrypted swap partitions
Date: Sun, 10 Jan 2021 19:14:39 +0000

 > Date: Sun, 10 Jan 2021 18:40:43 +0000 (UTC)
 > From:
 > /etc/rc.d/cgd stalls in cgdconfig -C on encrypted swap partitions
 > when following /
 Side note: that's an old version of the guide; the one that is
 maintained is <>.
 I'm not really sure why we have a snapshot of the guide in the wiki;
 we should maybe get rid of it and make it redirect.
 > The stall happens only during boot. When invoking /etc/rc.d/cgd
 > after completion of the boot process, cgdconfig does not stall. See
 > cgdconfig(8) for an explanation:
 >      urandomkey         The method simply reads /dev/urandom and uses the
 >                         resulting bits as the key.  This is similar to the
 >                         randomkey method, but it guarantees that cgdconfig
 >                         will not stall waiting for hard-random bits (usef=
 >                         when configuring a cgd for swap at boot time).
 > Please replace randomkey with urandomkey in section "Using a
 > random-key cgd for swap".
 If randomkey stalls at boot when you try to configure cgd, that
 indicates that you probably don't have enough entropy to safely
 generate an unpredictable key.
 So if you switched it to urandomkey on a machine where it hangs with
 randomkey, the encrypted swap wouldn't actually provide much security.
 That said, in netbsd-current (which will become NetBSD 10), there is a
 much better approach: setting vm.swap_encrypt=3D1 with sysctl; we will
 probably turn it on by default on some architectures too.

Home | Main Index | Thread Index | Old Index