NetBSD-Users archive


Re: where to set/override entropy $random_file location?



On Sun, Oct 12, 2025 at 07:50:10AM -0400, Greg Troxel wrote:
> Steve Rikli <sr%genyosha.net@localhost> writes:
> 
> > So I have a working setup if needed, but I think there's a disconnect
> > in how/where $random_file is set, or documentation, or both.  From the
> > man page it seems like /etc/rc.d/random_seed is intended to source
> > /etc/security.conf but it's apparently not happening.
> 
> My quick reaction is that while getting entropy is security-relevant,
> this situation doesn't make sense.  Reading code briefly, I think
> /etc/security is saving entropy daily so that if there is a reboot,
> there will be fresher bits.

That was my impression too.

Followup question: is there any impact if /etc/security (cron daily),
and /etc/rc.d/random_seed (during boot), and /boot.cfg (also during
boot) use different $random_file location and contents?

That seems... untidy :-) to me, but aside from my personal opinion, I
think at least the documented behavior and config file comments should
be sorted out to reflect reality.

It's worth noting that sysinst creates a working entropy config during
initial install, as you'd hope.  E.g. if / and /var/ are separate
filesystems, sysinst creates /boot.cfg with these rndseeds:

  menu=Boot normally:rndseed /etc/entropy-file;boot
  menu=Boot single user:rndseed /etc/entropy-file;boot -s

and /etc/rc.conf gets this setting:

  random_file=/etc/entropy-file

This is functional and requires no manual changes, so that's good. But
again it doesn't match security.conf(5) documentation or the
/etc/defaults/{security,rc}.conf contents, and will result in a separate
/var/db/entropy-file being created by /etc/security.

> I'd say:
> 
>   The location of the file should be defined in one place, and rc.conf
>   is the right place.

I tend to agree. Given sysinst behavior, I'm inclined to suggest moving
this line:

  random_file=/var/db/entropy-file

from /etc/defaults/security.conf into /etc/defaults/rc.conf, and
similarly moving the security.conf(5) entry for "random_file" into the
rc.conf(5) man page. /etc/security would need updating in that case,
to define the new method for determining $random_file location.

>   I'm unclear on whether we have not-set/fallback as a preferred pattern
>   in rc.d, vs set-in-defaults/use-it.  I suspect we can avoid this
>   question.

Probably right. I do like having /etc/defaults/*.conf list all the
possible variables which could be set in the corresponding /etc/*.conf,
as well as documented in their man pages. This is my sysadmin side
speaking, rather than a strict coding requirement.  :-)

>   There is a separate config knob about whether /etc/security should
>   save random_seed daily.  Arguably a boolean variable in
>   /etc/security.conf could enable that.

Fwiw FreeBSD appears to do this with /etc/crontab running a script
/usr/libexec/save-entropy, which sources /etc[/defaults]/rc.conf for
the entropy_* variables.

>   If /etc/security wants to save random_seed, I think it should just
>   "/etc/rc.d/random_seed stop", which is sort of abusive because it
>   relies on knowing that stop is save not stop, but maybe we can add a
>   "checkpoint" verb.

Yes, it does seem like /etc/security should also have some update, at
least if the $random_file config setting is defined in rc.conf.

sr.
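
The divergence described in this message (/boot.cfg and /etc/rc.conf pointing at /etc/entropy-file while /etc/defaults/security.conf points at /var/db/entropy-file) can be checked mechanically. The script below is an added example, not part of the original message and not NetBSD code; its function names are hypothetical, and it assumes each consumer reads only its own defaults/override pair and that settings are plain `random_file=/path` lines.

```shell
#!/bin/sh
# Added example (not NetBSD code): report where each consumer of the entropy
# seed file is pointed, and fail when the locations differ.
# Assumption: settings are plain "random_file=/path" lines, no shell expansion.

# Distinct rndseed paths named in a boot.cfg (empty output if none).
bootcfg_rndseed() {
    [ -r "$1" ] || return 0
    sed -n 's/.*rndseed[[:space:]]\{1,\}\([^;[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Effective random_file from a defaults file and its override; last one wins.
conf_random_file() {
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*random_file=\([^[:space:]#]*\).*/\1/p' "$f" |
            tail -n 1 | tr -d "\"'")
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Args: boot.cfg, rc defaults, rc.conf, security defaults, security.conf.
# Returns 0 when every location that is set agrees, 1 otherwise.
check_random_file() {
    boot=$(bootcfg_rndseed "$1")
    rc=$(conf_random_file "$2" "$3")
    sec=$(conf_random_file "$4" "$5")
    printf 'boot.cfg rndseed : %s\n' "${boot:-<unset>}"
    printf 'rc.conf          : %s\n' "${rc:-<unset>}"
    printf 'security.conf    : %s\n' "${sec:-<unset>}"
    # Count distinct non-empty paths across the three consumers.
    n=$(printf '%s\n' "$boot" "$rc" "$sec" | sed '/^$/d' | sort -u | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Run against the files named in the thread when invoked with "live".
if [ "${1:-}" = live ]; then
    check_random_file /boot.cfg /etc/defaults/rc.conf /etc/rc.conf \
        /etc/defaults/security.conf /etc/security.conf
fi
```

A non-zero exit means the boot loader, the rc.d script and the daily /etc/security run are not all configured with the same seed file.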

