Thor Lancelot Simon <tls%panix.com@localhost> writes:

> shuts down, again all entropy samples that have been added (which, again,
> are accumulating in the per-cpu pools) are propagated to the global pool;
> all the stream RNGs rekey themselves again; then the seed is extracted.

It seems obvious to me that "extracting" the seed should be done in such a way that the state of the internal rng is still unpredictable from the saved seed, even if the state of the newly-booted rng will be predictable. Perhaps by pulling 256 bytes from urandom, perhaps by something more direct and then some sort of hash/rekey to get back traffic protection. Probably this is already done in a way much better thought out than my 30s reaction; the man page doesn't really say this, at least not that I could follow. rndctl -S says "save entropy pool".
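The "extract, then rekey" idea raised in the reply, shown with a toy HMAC-based stream generator. This is an added illustration, not NetBSD's rndctl or kernel code: `ToyRng`, its 32-byte key and the `b"seed"`/`b"rekey"` labels are assumptions made for the demo. It contrasts saving raw state (seed file reveals the running generator) with saving 256 bytes of output and rekeying afterwards (seed file still predicts the next boot, but not the running generator).

```python
import hashlib
import hmac
import os


class ToyRng:
    """Toy stream RNG: secret key, outputs are HMAC-SHA256(key, counter).
    Constructed for illustration only; not a real DRBG."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            msg = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]

    def rekey(self) -> None:
        # One-way step: new key derived from the old one, old key discarded,
        # so earlier state cannot be recovered from the new state.
        self.key = hmac.new(self.key, b"rekey", hashlib.sha256).digest()
        self.counter = 0

    def save_seed_naive(self) -> bytes:
        # Writes the internal state itself to the seed file (the weak option).
        return self.key

    def save_seed(self) -> bytes:
        # Seed is 256 bytes of generator output; the generator then rekeys,
        # so the saved bytes say nothing about the key now in use.
        seed = self.read(256)
        self.rekey()
        return seed


def seed_file_predicts_running_rng(naive: bool) -> bool:
    """Can someone holding only the seed file reproduce the running RNG's next output?"""
    rng = ToyRng(os.urandom(32))  # constructed random key for the demo
    seed = rng.save_seed_naive() if naive else rng.save_seed()
    clone = ToyRng(seed)          # generator reconstructed from the seed file alone
    return clone.read(32) == rng.read(32)


def seed_file_predicts_next_boot() -> bool:
    """The newly-booted RNG is seeded only from the file, so it is predictable from it."""
    seed = ToyRng(os.urandom(32)).save_seed()
    return ToyRng(seed).read(32) == ToyRng(seed).read(32)
```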