Just a few thoughs I had when it becomes to create entropy

As I was setting up an OpenVPN tunnel, I had to create my certificates and keys. And when I wanted to check whether or not I had enough entropy to do it safely, I was quite with its very low level:

1
2

cat /proc/sys/kernel/random/entropy_avail
133

Indeed, my box had an uptime of more than 10 days, and was not a virtualized server. I would expect something higher. However, I am just running a very simple box, not a highly securized HTTP/SSL/TLS/Mail/whatsoever Server which requires large amount of entropy to make good use of ASLR or keys regeneration. In fact, this amount is quite normal in most common usages. But is it possible to increase it and how?

Well, to start with, there are two sources of entropy on a Linux server: /dev/random and /dev/urandom. Both get their entropy pool from several inputs. But /dev/random blocks when its pool is used up, which is kind of a security, whereas /dev/urandom re-use its pool when more entropy is needed (and the user will use in fact the same pool of data over and over again ):

Some softwares to maintain a high level of entropy

Among a lot of projects, I have found two debian packages to make more entropy available;

• rng-tools which looks like nice, because then entropy gets to amazing evels such as 65535. But settings advice to put in /etc/default/rng-tools:

1
2

HRNGDEVICE=/dev/urandom
RNGDOPTIONS="-W 90% -t 1"

In other words, entropy gets loaded from /dev/urandom, which lets displayed the same pool. Haven’t I just created a fake entropy generator?

• haveged looks like a bit better. At least, does not use /dev/urandom but /dev/random instead;

1
2
3
4
5
6
7
8
9
10
11
12

lsof -a -p `pidof haveged`
COMMAND   PID USER   FD   TYPE     DEVICE SIZE/OFF     NODE NAME
haveged 16214 root  cwd    DIR        8,2     4096        2 /
haveged 16214 root  rtd    DIR        8,2     4096        2 /
haveged 16214 root  txt    REG        8,2    85296  1048878 /usr/sbin/haveged
haveged 16214 root  mem    REG        8,2  1441960   914473 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
haveged 16214 root  mem    REG        8,2   117960   914132 /lib/i386-linux-gnu/ld-2.13.so
haveged 16214 root    0u   CHR        1,3      0t0     3101 /dev/null
haveged 16214 root    1u   CHR        1,3      0t0     3101 /dev/null
haveged 16214 root    2u   CHR        1,3      0t0     3101 /dev/null
haveged 16214 root    3u  unix 0xcb74b700      0t0 22177920 socket
haveged 16214 root    4u   CHR        1,8      0t0       96 /dev/random

• Ubuntu has set up a service named pollinate to provide entropy to boxes which usually lack of, typically Virtual Machines. The problem with most virtual machines, expecially those running very close to their host environment (LXC, thin virtualization) is that they get around the same parameters one another. Which makes keys guessing easier than on a real one, retrieving its random pool from CPU temperature, keyboard, mouse, … The idea is to feed from the network the VMs random pool.