From f3c777d5eaa682d878c638192311e52f9c204294 Mon Sep 17 00:00:00 2001
From: Sebastian Lackner
Date: Sun, 19 Nov 2017 13:30:04 +0100
Subject: main: Add '-devrandom' commandline option

Allows using /dev/random for generating the master key instead of the default Go implementation. When the kernel random generator has been properly initialized both are considered equally secure, however:

* Versions of Go prior to 1.9 just fall back to /dev/urandom if the getrandom() syscall would be blocking (Go Bug #19274)
* Kernel versions prior to 3.17 do not support getrandom(), and there is no check if the random generator has been properly initialized before reading from /dev/urandom

This is especially useful for embedded hardware with low entropy. Please note that generation of the master key might block indefinitely if the kernel cannot harvest enough entropy.

---
Documentation/MANPAGE.md | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'Documentation/MANPAGE.md')

diff --git a/Documentation/MANPAGE.md b/Documentation/MANPAGE.md index efb8565..d3a6c81 100644 --- a/Documentation/MANPAGE.md +++ b/Documentation/MANPAGE.md @@ -51,6 +51,13 @@ be suitable. #### -d, -debug Enable debug output +#### -devrandom +Use /dev/random for generating the master key instead of the default Go +implementation. This is especially useful on embedded systems with Go versions +prior to 1.9, which fall back to weak random data when the getrandom syscall +is blocking. Using this option can block indefinitely when the kernel cannot +harvest enough entropy. + #### -extpass string Use an external program (like ssh-askpass) for the password prompt. The program should return the password on stdout, a trailing newline is
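Review bot: the new `-devrandom` entry in the MANPAGE.md hunk documents only the Go-before-1.9 case, while the commit message gives a second, independent reason: kernels older than 3.17 have no getrandom() at all, so the Go runtime reads /dev/urandom with no check that the pool has been initialized, whatever the Go version. The manpage should state that second case too, since an operator on such a kernel would otherwise conclude the option is irrelevant to them. The phrase "fall back to weak random data" is also less precise than the commit message's "/dev/urandom"; suggest "fall back to /dev/urandom, which may not yet be seeded," so the reader understands the risk is an uninitialized entropy pool rather than a weak generator, and consider citing Go Bug #19274 in the manpage as the commit message does. The blocking caveat in the last two added lines is the right thing to keep.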