Netgate Discussion Forum
    Hardware Random Number Generation

    2.2 Snapshot Feedback and Problems - RETIRED

    • michaelschefczyk

      Dear Developers,

      Please consider adding hardware random number generation support. I am interested in this, but not fully knowledgeable about the subject. Currently, I am using pfSense on some Intel Atom CPU C2758 machines. For OpenVPN with the usual CBC-AES, I would find it desirable if random number generation issues could be eradicated. I was thinking about the possibilities of using TrueRNG, so I wrote to the developers at ubld.it. Their kind response was:

      "While nobody here has officially tested the TrueRNG with FreeBSD, I feel very confident that it should be able to access the device. As for seeding the entropy in the system, that is another matter. Typically on a Linux based system, we install rngd (from the rng-tools package) and configure it to read from the TrueRNG device; it then takes care of providing the kernel with entropy which is used throughout the system. Not being very proficient in FreeBSD I cannot comment much further." … "On Linux, pseudorandom comes from /dev/urandom, and true random comes from /dev/random; on OS X they are merged using the Yarrow method and /dev/random and /dev/urandom are the same device (providing a mix of pseudo and non pseudo). My research tells me that FreeBSD also does Yarrow so it should be the same as OS X. With an rngd on OS X seeding /dev/random, what happens is if available true RNG entropy is available, it is served to the application requesting it; if the pool is low, it provides pseudorandom. That being said, if our device was seeding the pool, the requests from an application requiring entropy would be getting true random data. All in all, I don't know enough about your particular application to comment further. If you wanted to purchase the device and take a stab at getting it running I will be happy to try and help further it along if you get stuck, but in a nutshell once the device is enumerated over USB, it should just be a matter of compiling rngd for your system (or finding a precompiled package) and setting up the config file."

      Please consider whether such hardware would be beneficial to pfSense.

      Regards,

      Michael Schefczyk

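The vendor's reply describes rngd's job without showing it: read blocks from the device, check that the output still looks random, and hand the bytes to the kernel pool with an entropy credit. The block below is an added example written for this page; it is not rngd, pfSense or ubld.it code. It implements the FIPS 140-2 block tests that rng-tools runs on every 20000-bit block (monobit, poker, runs and long-run) and the Linux RNDADDENTROPY ioctl that credits entropy, which is the step a plain `cat device > /dev/random` does not do. The device node `/dev/ttyACM0`, the 8-bits-per-byte credit and the `sample_block()` data are assumptions: the TrueRNG enumerates as a USB serial device, so check dmesg for the real node, and the sample data is a constructed stand-in so the checks run offline. The ioctl is Linux-only; on FreeBSD the same bytes can simply be written to /dev/random, which the kernel harvests without a credited count.

```python
"""Sanity-check hardware RNG output and credit it to the kernel pool.

Added example, not rngd/pfSense/ubld.it code.  Per block it does what
rng-tools' rngd does: read 2500 bytes (20000 bits), run the FIPS 140-2
tests, and only credit the kernel with blocks that pass.
"""
import fcntl
import random
import struct
from collections import Counter

BLOCK_BYTES = 2500            # FIPS 140-2 tests are defined on 20000-bit blocks
RNDADDENTROPY = 0x40085203    # Linux ioctl _IOW('R', 0x03, int[2]); not on FreeBSD


def monobit_test(block: bytes) -> bool:
    """Count of one bits must satisfy 9725 < X < 10275."""
    ones = sum(bin(b).count("1") for b in block)
    return 9725 < ones < 10275


def poker_test(block: bytes) -> bool:
    """Chi-square over the 5000 4-bit nibbles must satisfy 2.16 < X < 46.17."""
    counts = Counter()
    for b in block:
        counts[b >> 4] += 1
        counts[b & 0x0F] += 1
    x = (16 / 5000) * sum(n * n for n in counts.values()) - 5000
    return 2.16 < x < 46.17


# Allowed number of runs per length, for zeros and for ones; 6 means "6 or longer".
_RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
               4: (240, 384), 5: (103, 209), 6: (103, 209)}


def runs_test(block: bytes) -> bool:
    """Runs test plus long-run test (no run of 26 or more identical bits)."""
    bits = "".join(f"{b:08b}" for b in block)
    runs = {"0": Counter(), "1": Counter()}
    i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        if length >= 26:
            return False
        runs[bits[i]][min(length, 6)] += 1
        i = j
    return all(lo <= runs[bit][length] <= hi
               for bit in "01" for length, (lo, hi) in _RUN_BOUNDS.items())


def fips_140_2_ok(block: bytes) -> bool:
    """True only when the block is full-sized and every test passes."""
    return (len(block) == BLOCK_BYTES and monobit_test(block)
            and poker_test(block) and runs_test(block))


def pack_rand_pool_info(data: bytes, entropy_bits: int) -> bytearray:
    """Lay out struct rand_pool_info {int entropy_count; int buf_size; u32 buf[];}.

    buf[] is an array of u32, so the payload is padded to a 4-byte multiple;
    buf_size stays the real byte count.  A bytearray is returned because
    fcntl.ioctl only passes large buffers through unchanged when mutable.
    """
    padded = data + bytes(-len(data) % 4)
    return bytearray(struct.pack("ii", entropy_bits, len(data)) + padded)


def credit_entropy(random_fd: int, data: bytes, bits_per_byte: float = 8.0) -> int:
    """Mix data into the Linux pool and credit it; needs CAP_SYS_ADMIN (root)."""
    entropy_bits = int(len(data) * bits_per_byte)      # 8.0 = trust the device fully
    fcntl.ioctl(random_fd, RNDADDENTROPY, pack_rand_pool_info(data, entropy_bits))
    return entropy_bits


def read_block(dev) -> bytes:
    """Serial devices return short reads, so accumulate a full block."""
    buf = bytearray()
    while len(buf) < BLOCK_BYTES:
        chunk = dev.read(BLOCK_BYTES - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def feed_kernel(device_path: str = "/dev/ttyACM0", blocks: int = 4,
                bits_per_byte: float = 8.0) -> int:
    """Read blocks from the device (path is an assumption), drop any that fail
    the tests, credit the rest, and return the number of bits credited."""
    credited = 0
    with open(device_path, "rb", buffering=0) as dev, \
            open("/dev/random", "wb", buffering=0) as rnd:
        for _ in range(blocks):
            block = read_block(dev)
            if fips_140_2_ok(block):
                credited += credit_entropy(rnd.fileno(), block, bits_per_byte)
    return credited


def sample_block(seed: int = 1) -> bytes:
    """Constructed stand-in for device output so the checks run offline."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(BLOCK_BYTES))


if __name__ == "__main__":
    stuck = b"\xaa" * BLOCK_BYTES    # a device wedged on 10101010...
    print("sample block passes all tests:", fips_140_2_ok(sample_block()))
    print("stuck device passes monobit:", monobit_test(stuck),
          "but fails poker:", not poker_test(stuck))
```

The stuck-device case is the reason rngd runs more than a bit count: a device emitting 0xAA forever has exactly half its bits set and sails through the monobit test, and only the poker and runs tests reject it. Crediting 8 bits per byte means the kernel will hand out such output as true entropy the moment the tests stop, so run `feed_kernel` as a supervised daemon that logs rejected blocks rather than a one-off script, and keep the credit below 8.0 unless the device's own health tests are trusted.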
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.