
GameboyRMH's Journal: Web-based randomness seeding script
Computers have trouble generating good-quality random numbers. The only decent source of randomness used by the average PC, without user interaction, is hard drive sensor noise. On a single-board computer or VM (or perhaps even a computer with just an SSD?) the situation is a bit scary if you think about it. These are the computers you're generating your cryptographic keys on.
Infosec professionals often suggest half-jokingly that there's some NSA conspiracy keeping HRNGs out of everyday computers. HRNGs do cost money, but there are some high-quality sources of HRNG-generated randomness you can access online for free, a few even anonymously. I've written a script (adapted from one in a
#!/bin/bash
echo "Downloading random strings and seeding to /dev/urandom..."
# Data written to /dev/urandom is mixed into the kernel's pool; it does not
# raise the kernel's entropy estimate.
curl -s "https://www.random.org/strings/?num=8&len=16&unique=on&digits=on&upperalpha=on&loweralpha=on&format=plain&rnd=new" >/dev/urandom
curl -s "https://beacon.nist.gov/beacon/2.0/pulse/last" | grep -A 2 uri | grep -i value >/dev/urandom
curl -sL "https://random.uchile.cl/beacon/2.0/pulse/last" | grep -A 2 uri | grep -i value >/dev/urandom
# --insecure: curl does not verify this server's TLS certificate
curl -s --insecure "https://beacon.inmetro.gov.br/beacon/2.0/pulse/last" | grep -A 2 uri | grep -i value >/dev/urandom
wget -qO - "https://qrng.anu.edu.au/API/jsonI.php?length=10&type=hex16&size=2" | cut -d ":" -f 5 >/dev/urandom
curl -s "https://drand.cloudflare.com/api/public" >/dev/urandom
echo "Loading and rewriting random seed..."
random_seed=/var/run/random-seed # file for holding random data
# Carry a random seed from start-up to start-up
# Load and then save the whole entropy pool
if [ -f "$random_seed" ]; then
    cat "$random_seed" >/dev/urandom
else
    touch "$random_seed"
fi
chmod 600 "$random_seed"
poolfile=/proc/sys/kernel/random/poolsize
# Note: on Linux 2.6 and later, poolsize is reported in bits, not bytes
[ -r "$poolfile" ] && bytes=$(cat "$poolfile") || bytes=4096
dd if=/dev/urandom of="$random_seed" count=1 bs="$bytes"
It would be a good idea to keep the random seed file, which could potentially be the primary source of randomness at your computer's startup, inaccessible to non-root users, but you could modify this script to generate a second file just for sharing with other computers.
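The script above writes whatever each server returns straight into /dev/urandom, including error pages or truncated responses. The following is an added example, not part of the original journal entry, that checks a beacon response before mixing it in. The function names `pulse_output_value` and `mix_pulse`, the sink parameter and the sample JSON are hypothetical, and it assumes the pulse JSON carries an `outputValue` field of 128 hex digits.

```bash
#!/bin/bash
# Added example (not the journal author's code): accept a beacon response only
# if it carries a well-formed output value, then mix that into the kernel pool.
# Assumption: the pulse JSON has an "outputValue" field of 128 hex digits
# (512 bits), as in the NIST beacon 2.0 pulse format.

# Read pulse JSON on stdin; print outputValue, or fail if absent/malformed.
pulse_output_value() {
    local value
    value=$(tr -d '\r\n' |
        sed -n 's/.*"outputValue"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    # Reject empty results, non-hex characters (error pages) and truncation.
    case $value in
        '' | *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#value}" -eq 128 ] || return 1
    printf '%s\n' "$value"
}

# Mix a validated pulse from stdin into $1 (hypothetical parameter, defaults
# to /dev/urandom). A rejected response writes nothing at all.
mix_pulse() {
    local sink value
    sink=${1:-/dev/urandom}
    if ! value=$(pulse_output_value); then
        echo "pulse rejected, nothing written to $sink" >&2
        return 1
    fi
    printf '%s\n' "$value" >"$sink"
}

# Constructed sample inputs, not real beacon output.
sample_hex=$(printf '%0128d' 0 | tr 0 A)   # 128 hex digits
good_pulse='{"pulse":{"uri":"https://beacon.example/pulse/1","outputValue":"'$sample_hex'"}}'
error_page='<html><body>503 Service Unavailable</body></html>'
short_pulse='{"pulse":{"outputValue":"DEADBEEF"}}'

# Real use would be: curl -s "<beacon URL>" | mix_pulse
for sample in "$good_pulse" "$error_page" "$short_pulse"; do
    if printf '%s' "$sample" | pulse_output_value >/dev/null; then
        echo "accepted"
    else
        echo "rejected"
    fi
done
```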