summaryrefslogtreecommitdiff
path: root/files/ekeyd.conf
blob: 76a36f1cc3ddf4b525353975a1efcce568d7ea4f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
-- -*- Lua -*-

-- Sample configuration file for ekeyd

-- -----------------------------------------------[ General setup ]-----

-- If you want a TCP control socket on 127.0.0.1 then uncomment this
-- command.
-- Please note that there is no protection on a TCP socket, anyone on
-- the box can connect to it and there is no authentication process.
-- TCPControlSocket "1234"

-- The unix control socket is typically what we use
UnixControlSocket "/var/run/ekeyd.sock"

-- The keyring contains the keys for the long-term rekey If you change
-- this location from the default then be aware that the
-- long-term-rekey tool may not work.
Keyring "/etc/entropykey/keyring"

-- The daemon background operation may be supressed. In this mode the
-- daemon will run in the foreground and the controlling tty will not
-- be released.
-- Daemonise(false)

-- -------------------------------------------------[ Output Mode ]-----

-- Only one output mode is permitted to be active. Typically on Linux
-- that would be the kernel output mode, however instead you can opt
-- to use the EGD interface. Various other daemons then support taking
-- EGD interfaces and adding entropy to the kernel instead, allowing
-- multiple clients to retrieve entropy by various means.

-- The SetOutputToKernel option places all the gathered entropy into
-- the kernel pool. The data placed into the kernel pool is
-- conservatively estimated to contain 7 shannons of entropy per byte
-- added.
-- Note that the data coming from the UDEKEY01 should have one Shannon
-- of entropy per bit so this value could quite safely be set to
-- 8. The default value only has the effect of reducing the rate
-- entropy is mixed into the kernel pool and no other adverse
-- affect. This default is selected as an conservative choice which is
-- generally preferable when dealing with random sources.
SetOutputToKernel(7)

-- The daemon may support the EGD (Entropy Gathering Daemon) socket
-- protocol. There are two choice to create either a TCP or Unix
-- socket which speaks the EGD protocol.
-- Note that you cannot have kernel output *and* EGD output, they are
-- mutually exclusive.
-- The EGD protocol support assumes entropy coming off the ekeys is at
-- the level of 8 shannons per byte and this cannot be changed as it
-- is a limitation of the EGD protocol itself.  The TCP socket can be
-- given an optional parameter to specify the IP address to bind to.
-- It will default to 127.0.0.1 if not specified.

-- EGDTCPSocket(8888 --[[, "127.0.0.1" ]])
-- EGDUnixSocket "/etc/entropy"

-- EGDUnixSocket can optionally take an octal mode string and
-- username and group to chmod and chown the socket to.
-- If you do not wish to change the user or group, use empty strings.
-- You cannot change the user/group without also providing a mode string.
-- The default is to leave the user/group alone and set the socket to
-- mode 0600
-- EGDUnixSocket("/etc/entropy", "0660", "root", "entropyusers")

-- The SetOutputToFile option writes all gathered entropy to the named
-- file. No additional processing is performed. The output file must
-- exist before the daemon is run. This option is generally only
-- useful if the user wishes to gather data for subsequent testing.
-- Note as with all the other output options this may be the only
-- output selection and may not be used with either the kernel or EGD
-- output enabled.

-- SetOutputToFile "/tmp/entropy" 

-- -----------------------------------------------[ Device Config ]-----

-- Add entropy keys from /dev/entropykey where our default udev rules
-- will place symbolic links (on GNU/Linux operating systems).
AddEntropyKeys "/dev/entropykey"
-- Also add keys from /var/run/entropykeys where the UNIX domain socket
-- rules will place sockets if using them.
AddEntropyKeys "/var/run/entropykeys"
-- On OpenBSD/MirBSD you will probably need to use something like this
-- instead (match the device minor (here: 0) with the ucom(4) instance
-- your umodem(4) device attaches to):
-- AddEntropyKey "/dev/cuaU0"