ekeyd.conf - entropy key configuration
/etc/entropykey/resolv.conf
The ekeyd daemon allows Entropy Keys to transfer their
random data to the kernels random pool. The daemon configuration file is a
series of statements each controlling an aspect of the daemons
operation.
If this file does not exist the daemon will not start.
The different configuration options are:
- TCPControlSocket
TCP port number to listen on.
- The daemon can be controlled using a TCP network connection. Any number of
control connections may be made by repeating this statement with differnt
port numbers, there is no authentication or protection against clients
which connet to this interface. The socket is always bound to localhost
(127.0.0.1).
- UnixControlSocket
UNIX domain socket to use.
- The daemon is typically controlled using a unix domain socket
(/var/run/ekeyd.sock). Authentication is as for any file on a UNIX
filesystem.
- Keyring The
keyring file to use.
- The Entropy Key encrypts the data it sends to the host. To successfully
decrypt this data the host requires the current encryption key. The
keyring is a file containing a list of serial numbers and encryption keys.
The keyring is generally updated using the ekey-lt-rekey(8)
tool.
- SetOutputToKernel
bits per byte to add to kernel pool.
- The Kernel maintains an entropy pool into which the ekeyd(8)
injects the entropy gathered from the Entropy Keys. The data gathered from
the Entropy Keys may be considered to have one shannon per bit so every
bit gathered from the devices may be injected into the kernel pool.
However, by default, to be conservative only seven of eight bits are
entered into the kernel pool.
- EGDUnixSocket
UNIX domain socket to use
- In this mode, which is mutually exclusive with the
SetOutputToKernel output mode, ekeyd(8) gathers the entropy
from the attached Entropy Keys and presents an EGD(8) compatible
interface on the named UNIX domain socket to access the data. This may
optionally take an octal mode string and username and group to chmod and
chown the socket to. If you do not wish to change the user or group, use
empty strings. You cannot change the user/group without also providing a
mode string. The default is to leave the user/group alone and set the
socket to mode 0600
- EGDTCPSocket
TCP port number to listen on.
- In this mode, which is mutually exclusive with the
SetOutputToKernel output mode, ekeyd(8) gathers the entropy
from the attached Entropy Keys and presents an EGD(8) compatible
interface on a socket on the specified port to access the data. The socket
is bound to localhost (127.0.0.1) by default, but a second optional string
parameter can be used to specify a different IP address, so that the EGD
protocol is exported more widely (e.g. for egd-linux to read from another
machine).
- AddEntropyKey
Device node of entropy key.
- Add an Entropy key to be managed by the ekeyd(8) daemon. The
encryption key for the added device should be available in the
keyring.
- AddEntropyKeys
Directory of device nodes of entropy keys.
- Adds one or more Entropy keys to be managed by the ekeyd(8) daemon.
The encryption key for the added devices should be available in the
keyring. This is generally set to /dev/entropykey which is the
location the default UDEV rules create symbolic links.
/etc/entropykey/resolv.conf, /var/run/ekeyd.sock,
/dev/entropykey
Copyright © 2009 Simtec Electronics. All rights
reserved.
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to the
following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
USE OR OTHER DEALINGS IN THE SOFTWARE.