Entropy key configuration
The ekeyd daemon allows Entropy Keys to transfer their random data to the kernels random pool. The daemon configuration file is a series of statements each controlling an aspect of the daemons operation.
If this file does not exist the daemon will not start.
The different configuration options are:
TCPControlSocket TCP port number to listen on.
The daemon can be controlled using a TCP network connection. Any number of control connections may be made by repeating this statement with differnt port numbers, there is no authentication or protection against clients which connet to this interface. The socket is always bound to localhost (127.0.0.1).
UnixControlSocket UNIX domain socket to use.
The daemon is typically controlled using a unix domain socket (/var/run/ekeyd.sock). Authentication is as for any file on a UNIX filesystem.
Keyring The keyring file to use.
The Entropy Key encrypts the data it sends to the host. To successfully decrypt this data the host requires the current encryption key. The keyring is a file containing a list of serial numbers and encryption keys. The keyring is generally updated using the ekey-lt-rekey(8) tool.
SetOutputToKernel bits per byte to add to kernel pool.
The Kernel maintains an entropy pool into which the ekeyd(8) injects the entropy gathered from the Entropy Keys. The data gathered from the Entropy Keys may be considered to have one shannon per bit so every bit gathered from the devices may be injected into the kernel pool. However, by default, to be conservative only seven of eight bits are entered into the kernel pool.
EGDUnixSocket UNIX domain socket to use
In this mode, which is mutually exclusive with the SetOutputToKernel output mode, ekeyd(8) gathers the entropy from the attached Entropy Keys and presents an EGD(8) compatible interface on the named UNIX domain socket to access the data. This may optionally take an octal mode string and username and group to chmod and chown the socket to. If you do not wish to change the user or group, use empty strings. You cannot change the user/group without also providing a mode string. The default is to leave the user/group alone and set the socket to mode 0600
EGDTCPSocket TCP port number to listen on.
In this mode, which is mutually exclusive with the SetOutputToKernel output mode, ekeyd(8) gathers the entropy from the attached Entropy Keys and presents an EGD(8) compatible interface on a socket on the specified port to access the data. The socket is bound to localhost (127.0.0.1) by default, but a second optional string parameter can be used to specify a different IP address, so that the EGD protocol is exported more widely (e.g. for egd-linux to read from another machine).
AddEntropyKey Device node of entropy key.
Add an Entropy key to be managed by the ekeyd(8) daemon. The encryption key for the added device should be available in the keyring.
AddEntropyKeys Directory of device nodes of entropy keys.
Adds one or more Entropy keys to be managed by the ekeyd(8) daemon. The encryption key for the added devices should be available in the keyring. This is generally set to /dev/entropykey which is the location the default UDEV rules create symbolic links.
/etc/entropykey/resolv.conf, /var/run/ekeyd.sock, /dev/entropykey
Copyright © 2009 Simtec Electronics. All rights reserved.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.