Default configuration of rng-tools in Arch adds no real entropy to /dev/random

Really - front page? Read the comments. The bug was filed based on a packaged image for EC2. As stated there: rng-tools is not a required package for Arch.<p>edit: I understand the concern of RNGD_OPTS, but still think that if you&#x27;re installing rng-tools you should likely know what you&#x27;re doing with it. As stated by rng-tools:<p>&quot;... Using the standard open()and read() system calls, you can read random data from the hardware RNG device. This data is NOT CHECKED by any fitness tests, and could potentially be bogus (if the hardware is faulty or has been tampered with). Data is only output if the hardware &quot;has-data&quot; flag is set, but nevertheless a security-conscious person would run fitness tests on the data before assuming it is truly random.&quot;<p>...so, in all reality the flag should be unset forcing the user to select a hardware, or other RNG device. &#x2F;dev&#x2F;random is likely a very bad idea as a default.<p>So is any simplified facility that caches data from places like random.org and provides it as a continuous stream of large pools of entropy? It&#x27;d be nice if a data source such as that could be used as a simplistic way to bootstrap the entropy pool on a new system.

mtorromeo&#x27;s analogy is flawed.<p>With sshd, the user has to enable it (change startup settings or launch it manually) to become &quot;less secure&quot;. By contrast, with rng-tools, she must change settings to become _more secure_.<p>Ever heard of the term &quot;sane defaults&quot;? To me, sane defaults are ones that by default, out of the box, keep the user secure. Decreasing the user&#x27;s security, maybe to achieve increased functionality or ease of use, should require action on the part of the user. Why? Because history tells us that most users are lazy and will take little or no action. That includes action necessary to be secure.

Ouch. The assignee does not seem to care or understand why this this is a problem.

Are there online services that provide hardware based entropy? Found one: <a href="http://openfortress.org/cryptodoc/random/" rel="nofollow">http:&#x2F;&#x2F;openfortress.org&#x2F;cryptodoc&#x2F;random&#x2F;</a><p>The problem here is that to securely use entropy, an encrypted channel is needed, but it&#x27;s hard to establish one without a source of entropy.<p>Mobile and personal computing devices need to have hardware entropy. It should be required.

This is difficult to process.<p>Does rng-tools effectively do this?<p><pre><code> dd if=&#x2F;dev&#x2F;urandom of=&#x2F;dev&#x2F;urandom bs=512 count=1 </code></pre> Or is someone doing the (more) sensible thing of saving the random state at shutdown and reloading it at startup?