Timeline for Feeding /dev/random entropy pool?

Current License: CC BY-SA 2.5

11 events
when what by license comment
Oct 19, 2014 at 13:18 review Suggested edits
Oct 19, 2014 at 15:51
May 1, 2012 at 8:38 comment added Yoav Aner Nice idea, and an impressive list of products, but to be honest, I still prefer installing one component (haveged) and not having to worry about it. I doubt haveged's entropy is less secure than that of urandom, but I don't have the knowledge or expertise to evaluate this.
Apr 30, 2012 at 22:58 comment added D.W. Thanks, @YoavAner. I set up a separate question to try to identify any configuration changes needed to avoid this situation: What do I need to configure, to make sure my software uses /dev/urandom?.
Apr 30, 2012 at 22:31 comment added Yoav Aner Thanks @D.W. I know that urandom should solve this, but I'm not sure all components on my system use it necessarily. For example, it must be some component of lighttpd web server, or openssl or who-knows-what that were getting funny.
Apr 30, 2012 at 22:18 comment added D.W. @YoavAner, the reason you are having problems is probably because you are using /dev/random. Don't do that. You should use /dev/urandom. Then you won't have those problems -- and it will be secure. See Feeding /dev/random entropy pool?, Is a rand from /dev/urandom secure for a login key?, Pseudo Random Generator is not initialized from the (entropy pool)?. Short version: use /dev/urandom, not /dev/random.
Apr 30, 2012 at 10:21 comment added Polynomial If I remember correctly, a few of the major entropy sources are CPU registers that get modified very frequently to reasonably random values. Unfortunately, virtualisation negatively impacts the randomness of those registers due to more predictable scheduling of threads. A solution is to have a HRNG on the bare metal server, then make it available to the VMs.
Apr 30, 2012 at 9:28 comment added Yoav Aner @D.W. from my experience with VPS servers, where there is no real external entropy source like keyboard, mouse etc, the entropy pool gets very low and it seems to affect things like SSL. It might still work but it feels like things are running slower. After installing haveged (see another answer below), things were running much more smoothly. Perhaps there was something else I could have fixed, or did something wrong, but I'm not sure you can always rely on your kernel as your entropy source...
Jan 17, 2011 at 5:57 comment added D.W. You could do that, I suppose, but why bother? There is no reason to. It's unnecessary. The kernel already feeds /dev/random and /dev/urandom with sufficient entropy for these purposes. Save your time for something that will actually improve security. Or, to put it another way, the question asked whether we would suggest adding extra entropy. The best answer is: No, there's no need to add extra entropy. Just go ahead and use /dev/urandom as is.
Dec 11, 2010 at 10:12 vote accept tkit
Nov 13, 2010 at 9:51 vote accept tkit
Dec 11, 2010 at 10:12
Nov 12, 2010 at 12:18 history answered Henri CC BY-SA 2.5