diff --git a/setup/dns.sh b/setup/dns.sh
index 3a7b1496..c7c64610 100755
--- a/setup/dns.sh
+++ b/setup/dns.sh
@@ -37,17 +37,16 @@ if [ ! -f "$STORAGE_ROOT/dns/dnssec/keys.conf" ]; then
 
  # Create the Key-Signing Key (KSK) (-k) which is the so-called
  # Secure Entry Point. Use a NSEC3-compatible algorithm (best
- # practice), and a nice and long keylength. Use /dev/urandom
- # instead of /dev/random for noise or else we'll be waiting
- # a very long time. The domain name we provide ("_domain_")
- # doesn't matter -- we'll use the same keys for all our domains.
- KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 2048 -k -r /dev/urandom _domain_);
+ # practice), and a nice and long keylength. The domain name we
+ # provide ("_domain_") doesn't matter -- we'll use the same
+ # keys for all our domains.
+ KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 2048 -k _domain_);
 
  # Now create a Zone-Signing Key (ZSK) which is expected to be
  # rotated more often than a KSK, although we have no plans to
  # rotate it (and doing so would be difficult to do without
  # disturbing DNS availability.) Omit '-k' and use a shorter key.
- ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 -r /dev/urandom _domain_);
+ ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a RSASHA1-NSEC3-SHA1 -b 1024 _domain_);
 
  # These generate two sets of files like:
  # K_domain_.+007+08882.ds <- DS record for adding to NSD configuration files
diff --git a/setup/system.sh b/setup/system.sh
index 4736663b..42cb0b3c 100755
--- a/setup/system.sh
+++ b/setup/system.sh
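Review bot: On both new `KSK=` and `ZSK=` lines, `cd $STORAGE_ROOT/dns/dnssec` is unquoted and its failure is never checked, so if the directory is missing or the path contains whitespace, ldns-keygen runs in whatever the current directory is and writes the private key files there while KSK/ZSK carry a misleading value; `cd "$STORAGE_ROOT/dns/dnssec" || exit 1` inside the subshell makes the substitution fail visibly instead. Dropping `-r /dev/urandom` means ldns-keygen falls back to its default device, which to my knowledge is the blocking /dev/random, so this hunk now depends on the haveged package added in setup/system.sh being installed and running before this script executes on a fresh, low-entropy host — worth one sentence in the comment, e.g. `# Reads /dev/random; setup/system.sh installs haveged so this should not block.`. RSASHA1-NSEC3-SHA1 (SHA-1 based) and the 1024-bit ZSK are untouched by this change but sit below current DNSSEC guidance; a TODO pointing at a future algorithm rollover would help the next maintainer. The enclosing if block starts before and ends after the hunk.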
@@ -7,8 +7,12 @@ hide_output apt-get update
 hide_output apt-get -y upgrade
 
 # Install basic utilities.
+#
+# haveged: Provides extra entropy to /dev/random so it doesn't stall
+# when generating random numbers for private keys (e.g. during
+# ldns-keygen).
 
-apt_install python3 python3-pip wget curl bind9-host
+apt_install python3 python3-pip wget curl bind9-host haveged
 
 # Turn on basic services:
 #
diff --git a/setup/webmail.sh b/setup/webmail.sh
index f3ca1b6c..93e79889 100755
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -36,7 +36,7 @@ if [ ! -d /usr/local/lib/roundcubemail ]; then
 fi
 
 # Generate a safe 24-character secret key of safe characters.
-SECRET_KEY=$(dd if=/dev/urandom bs=20 count=1 2>/dev/null | base64 | fold -w 24 | head -n 1)
+SECRET_KEY=$(dd if=/dev/random bs=20 count=1 2>/dev/null | base64 | fold -w 24 | head -n 1)
 
 # Create a configuration file.
 #
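Review bot: The added comment explains why haveged is installed but not that setup/dns.sh and setup/webmail.sh, which now read /dev/random, rely on the daemon actually running — not merely being present on disk — before those scripts execute; whether apt_install starts the service is outside this hunk, so the assumption should be stated, e.g. `# Later setup scripts (dns.sh, webmail.sh) read /dev/random and expect the haveged service to be running by then.`. haveged's output quality on virtual machines with coarse timers has been questioned in the past, so it may also be worth noting that it is meant to relieve installer latency rather than serve as the host's only entropy source.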
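Review bot: With `if=/dev/random`, `dd bs=20 count=1` can return fewer than 20 bytes when the pool is short, because count=1 counts read() calls rather than bytes and the blocking device may satisfy a read partially; the result is a shorter-than-intended SECRET_KEY with dd's partial-read warning hidden by `2>/dev/null`. /dev/urandom does not behave this way for a 20-byte request, so the switch introduces the truncation risk rather than just the blocking delay. Adding `iflag=fullblock` (GNU dd, which the apt-based target this script assumes provides) makes dd keep reading until 20 bytes are collected: `SECRET_KEY=$(dd if=/dev/random bs=20 count=1 iflag=fullblock 2>/dev/null | base64 | fold -w 24 | head -n 1)`. An equivalent without the flag is `head -c 20 /dev/random`, which loops until the requested bytes arrive.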