Remove ekeyd (#7687) · Issues · tails / tails

Remove ekeyd

Originally created by @sajolida on #7687 (Redmine)

In a WhisperBack bug report, someone suggested to remove ekeyd from Tails

Tails automatically starts up ekeyd, the Entropy Key Daemon, which looks for any attached Entropy Key device and uses it as a source of randomness for the kernel. This is all well and good, except for one fact: no one uses Entropy Key. Not only is it rare, but it’s been out of stock for a very long time, and unlikely to come back soon. There are far more popular external TRNGs out there, many of which have their own daemons. That makes you think, why should Tails have an extra daemon running as root, who’s purpose is to mess with the kernel entropy pool, if it’s so seldom ever used? All it takes is an attacker to find a bug that allows them to fill the entropy pool with bogus data, which isn’t unlikely when ekeyd has /dev/random open for writing constantly and constantly keeps looking for an Entropy Key.

Please remove ekeyd. It’s unneccessary and its presence just increases the attack surface area of Tails.

Related issues

Related to #5650 (closed)
Related to #11703 (closed)

_Originally created by @sajolida on [#7687 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/7687)_

In a WhisperBack bug report, someone suggested to remove ekeyd from
Tails

Tails automatically starts up ekeyd, the Entropy Key Daemon, which looks
for any attached Entropy Key device and uses it as a source of
randomness for the kernel. This is all well and good, except for one
fact: no one uses Entropy Key. Not only is it rare, but it’s been out of
stock for a very long time, and unlikely to come back soon. There are
far more popular external TRNGs out there, many of which have their own
daemons. That makes you think, why should Tails have an extra daemon
running as root, who’s purpose is to mess with the kernel entropy pool,
if it’s so seldom ever used? All it takes is an attacker to find a bug
that allows them to fill the entropy pool with bogus data, which isn’t
unlikely when ekeyd has /dev/random open for writing constantly and
constantly keeps looking for an Entropy Key.

Please remove ekeyd. It’s unneccessary and its presence just increases
the attack surface area of Tails.

### Related issues

- **Related to** tails/tails#5650
  - **Related to** tails/tails#11703

Edited May 15, 2020 by sajolida

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.