Helping The Random Number Generator To Gain Enough Entropy With rng-tools (Debian Lenny)

Version 1.0
Author: Falko Timme
Follow me on Twitter

You might know this situation: you want to generate a GPG or SSL key, and during that operation, your system tells you that no more random bytes are available and that it needs to collect more entropy, and you are stuck. This short guide tells you how to solve this problem with the package rng-tools on Debian Lenny.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

Let's assume you want to generate a GPG key:

gpg --gen-key

If you are unlucky, the command might stop in the middle with a message like this:

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)

So we have to increase entropy somehow. This can be done with rng-tools, a package to use a hardware true number generator (TRNG). Don't worry, you don't need any extra hardware, we will use /dev/urandom as our true number generator.

2 Installing And Configuring rng-tools

The rng-tools package can be installed as follows:

apt-get install rng-tools

Next open /etc/default/rng-tools...

vi /etc/default/rng-tools

... and add the line HRNGDEVICE=/dev/urandom:

# Configuration for the rng-tools initscript
# $Id: rng-tools.default,v 1.1.2.5 2008-06-10 19:51:37 hmh Exp $

# This is a POSIX shell fragment

# Set to the input source for random data, leave undefined
# for the initscript to attempt auto-detection.  Set to /dev/null
# for the viapadlock driver.
#HRNGDEVICE=/dev/hwrng
#HRNGDEVICE=/dev/null
HRNGDEVICE=/dev/urandom

# Additional options to send to rngd. See the rngd(8) manpage for
# more information.  Do not specify -r/--rng-device here, use
# HRNGDEVICE for that instead.
#RNGDOPTIONS="--hrng=intelfwh --fill-watermark=90% --feed-interval=1"
#RNGDOPTIONS="--hrng=viakernel --fill-watermark=90% --feed-interval=1"
#RNGDOPTIONS="--hrng=viapadlock --fill-watermark=90% --feed-interval=1"

Now start the rng-tools daemon:

/etc/init.d/rng-tools start

That's it! Now try to generate your key again, e.g.

gpg --gen-key

... and it should finish successfully:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.++++++++++++++++++++..+++++++++++++++++++++++++++++++++++++++++++++++++++++++.+++++
.+++++..+++++.+++++++++++++++++++++++++++++++++++++++++++++.....>.+++++<+++++.....
...>+++++................................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.++++++++++..++++++++++...++++++++++...+++++.+++++..+++++.+++++..+++++++++++++++.+++
++++++++++++..+++++++++++++++..++++++++++..+++++++++++++++++++++++++...+++++..+++++>+++
+++++++>.+++++>+++++......................+++++^^^
gpg: key 1F6C9247 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   1024D/1F6C9247 2010-12-06
      Key fingerprint = FC81 D8E3 8090 EEE3 1D98  E000 045C D80E 1F6C 9247
uid                  Falko Timme <[email protected]>
sub   2048g/12D6A5B0 2010-12-06

server1:~#

3 Links

Debian: http://www.debian.org/

Log in or Sign up

On this page