Just a few thoughs I had when it becomes to create entropy
As I was setting up an OpenVPN tunnel, I had to create my certificates and keys. And when I wanted to check whether or not I had enough entropy to do it safely, I was quite with its very low level:
Indeed, my box had an uptime of more than 10 days, and was not a virtualized server. I would expect something higher. However, I am just running a very simple box, not a highly securized HTTP/SSL/TLS/Mail/whatsoever Server which requires large amount of entropy to make good use of ASLR or keys regeneration. In fact, this amount is quite normal in most common usages. But is it possible to increase it and how?
Well, to start with, there are two sources of entropy on a Linux server: /dev/random and /dev/urandom. Both get their entropy pool from several inputs. But /dev/random blocks when its pool is used up, which is kind of a security, whereas /dev/urandom re-use its pool when more entropy is needed (and the user will use in fact the same pool of data over and over again ):
Some softwares to maintain a high level of entropy
Among a lot of projects, I have found two debian packages to make more entropy available;
- rng-tools which looks like nice, because then entropy gets to amazing evels such as 65535. But settings advice to put in /etc/default/rng-tools:
In other words, entropy gets loaded from /dev/urandom, which lets displayed the same pool. Haven’t I just created a fake entropy generator?
- haveged looks like a bit better. At least, does not use /dev/urandom but /dev/random instead;
1 2 3 4 5 6 7 8 9 10 11 12
- Ubuntu has set up a service named pollinate to provide entropy to boxes which usually lack of, typically Virtual Machines. The problem with most virtual machines, expecially those running very close to their host environment (LXC, thin virtualization) is that they get around the same parameters one another. Which makes keys guessing easier than on a real one, retrieving its random pool from CPU temperature, keyboard, mouse, … The idea is to feed from the network the VMs random pool.