2 files changed, 34 insertions, 5 deletions

diff --git a/internal/configfile/config_file.go b/internal/configfile/config_file.go
index fea4a84..67d67f0 100644
--- a/internal/configfile/config_file.go
+++ b/internal/configfile/config_file.go
@@ -5,7 +5,9 @@ package configfile
 import (
 	"encoding/json"
 	"fmt"
+	"io"
 	"io/ioutil"
+	"log"
 
 	"github.com/rfjakob/gocryptfs/internal/contentenc"
 	"github.com/rfjakob/gocryptfs/internal/cryptocore"
@@ -47,10 +49,25 @@ type ConfFile struct {
 	filename string
 }
 
+// randBytesDevRandom gets "n" random bytes from /dev/random or panics
+func randBytesDevRandom(n int) []byte {
+	f, err := os.Open("/dev/random")
+	if err != nil {
+		log.Panic("Failed to open /dev/random: " + err.Error())
+	}
+	defer f.Close()
+	b := make([]byte, n)
+	_, err = io.ReadFull(f, b)
+	if err != nil {
+		log.Panic("Failed to read random bytes: " + err.Error())
+	}
+	return b
+}
+
 // CreateConfFile - create a new config with a random key encrypted with
 // "password" and write it to "filename".
 // Uses scrypt with cost parameter logN.
-func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, aessiv bool) error {
+func CreateConfFile(filename string, password string, plaintextNames bool, logN int, creator string, aessiv bool, devrandom bool) error {
 	var cf ConfFile
 	cf.filename = filename
 	cf.Creator = creator
@@ -72,7 +89,12 @@ func CreateConfFile(filename string, password string, plaintextNames bool, logN
 	}
 
 	// Generate new random master key
-	key := cryptocore.RandBytes(cryptocore.KeyLen)
+	var key []byte
+	if devrandom {
+		key = randBytesDevRandom(cryptocore.KeyLen)
+	} else {
+		key = cryptocore.RandBytes(cryptocore.KeyLen)
+	}
 
 	// Encrypt it using the password
 	// This sets ScryptObject and EncryptedKey
diff --git a/internal/configfile/config_test.go b/internal/configfile/config_test.go
index dc796ea..b984a37 100644
--- a/internal/configfile/config_test.go
+++ b/internal/configfile/config_test.go
@@ -60,7 +60,7 @@ func TestLoadV2StrangeFeature(t *testing.T) {
 }
 
 func TestCreateConfDefault(t *testing.T) {
-	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", false)
+	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", false, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -80,8 +80,15 @@ func TestCreateConfDefault(t *testing.T) {
 	}
 }
 
+func TestCreateConfDevRandom(t *testing.T) {
+	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", false, true)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestCreateConfPlaintextnames(t *testing.T) {
-	err := CreateConfFile("config_test/tmp.conf", "test", true, 10, "test", false)
+	err := CreateConfFile("config_test/tmp.conf", "test", true, 10, "test", false, false)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -102,7 +109,7 @@ func TestCreateConfPlaintextnames(t *testing.T) {
 
 // Reverse mode uses AESSIV
 func TestCreateConfFileAESSIV(t *testing.T) {
-	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", true)
+	err := CreateConfFile("config_test/tmp.conf", "test", false, 10, "test", true, false)
 	if err != nil {
 		t.Fatal(err)
 	}