RDRAND and other (in)secure sources of entropy

I was looking for guides about securely managing GPG/SSH keys, when I fell into a rabbit hole.

A guide I found recommended a ChaosKey when generating , and I started researching hwrng.
I then discovered RDRAND and the RPi hwrng, which both seem to be considered unsafe because they can’t be audited.

  1. Does anyone know if SoC hwrngs are unsafe in an airgapped environment?
  2. Are there any alternatives to buying a HWRNG USB key for like $50 USD? Any cool DIY projects that don’t involve BGA soldering?
  3. Does anyone know of any actually good guides for storing GPG and SSH keys? My current idea was using pass with a USB drive and then a separate dongle for a GPG key, like a YubiKey.

Point a shitty webcam at high-ish ISO at a board populated with color changing LEDs?

Similar to this system here but using this here:

The candle LEDs contain a logic circuit with that seems to be pseudo-random.
[Can’t post my link, made a new forum account today]

Measuring the entropy for a static LED would theoretically be better.

The timing in the self-contained blinking LEDs is widely inaccurate. So in an 8x8 grid, you would quickly get completely random drift. Question is how you turn that into a usable value.
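An added example, not part of the thread: one common way to turn raw captures from a noisy source such as the LED grid into a usable value is to estimate the entropy conservatively, hash the raw frames down to a seed, and mix that seed with the OS CSPRNG. The function names, the 8-byte frame layout, the safety factor and the sample frames are assumptions made for illustration; the estimator is a simplified most-common-value check that treats frames as independent, which real camera frames are not.

```python
import hashlib
import math
import os
import random
from collections import Counter

def min_entropy_bits(frames):
    """Simplified most-common-value estimate: log2(1/p_max) per frame, times frame count."""
    top_count = Counter(frames).most_common(1)[0][1]
    return math.log2(len(frames) / top_count) * len(frames)

def extract(frames, want_bits=256, safety_factor=2):
    """Hash raw frames down to a 32-byte seed, refusing if the estimate is too low."""
    if not frames:
        raise ValueError("no frames captured")
    estimate = min_entropy_bits(frames)
    if estimate < want_bits * safety_factor:
        raise ValueError(f"only ~{estimate:.0f} bits estimated; capture more frames")
    h = hashlib.sha256()
    for f in frames:
        h.update(len(f).to_bytes(4, "big") + f)  # length prefix keeps framing unambiguous
    return h.digest()

def mix_with_os(seed):
    """Combine with the kernel CSPRNG so a weak or rigged source cannot make the output worse."""
    return hashlib.sha256(b"led-mix" + seed + os.urandom(32)).digest()

def constructed_frames(n, seed=1234):
    """Constructed stand-in for camera captures: 64 LEDs, each flipping at its own rate."""
    rng = random.Random(seed)  # NOT an entropy source, sample data only
    state, frames = 0, []
    for _ in range(n):
        for led in range(64):
            if rng.random() < 0.1 + led / 640:
                state ^= 1 << led
        frames.append(state.to_bytes(8, "big"))
    return frames

if __name__ == "__main__":
    frames = constructed_frames(512)
    print(mix_with_os(extract(frames)).hex())
```

A stuck camera or a static image produces identical frames, so the estimate drops to zero and `extract` refuses instead of returning a predictable seed.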

Should be able to post it when you put it between code tags:

[code]<link here>[/code]

Don’t need to type out code either. Backticks surrounding the text do the same. The purpose is to prevent spammers. This will go away when you reach trust level 1 or ‘member’ level.


What are you using these keys for - how frequently? how widely do you need the public key distributed?

e.g. for ssh:

Yubico, Google security keys, various laptop fingerprint things that interact with TPMs in laptops, and similar are nice since they require you to move your arm and touch them or click them in order to sign/authenticate. You end up with a password + a hardware key that requires physical presence as a 2nd factor every time you want to establish a new ssh session. It’s kind of OK as a workflow.
Big caveat is that you should periodically test your backup keys (e.g. once a month) and once a year you should look at the offline copy of the key in your safe.

Each hardware token solution comes with its own instructions on how to integrate with ssh (spoiler: they mostly piggyback on the agent protocol - so some setup is required on your laptop/workstation that you physically interact with). They all cost between 10 and 50 for a pair depending on features / convenience / brand.