How to Setup Additional Entropy for Cloud Servers Using Haveged
Brief Introduction to Entropy and Randomness
The Linux pseudo random number generator (PRNG) is a special device that generates randomness from hardware interrupts (keyboard, mouse, disk/network I/O) and other operating system sources. This randomness is used mostly for encryption like SSL/TLS, but also has many other uses. Even something as simple as a program to roll a pair of virtual dice depends on entropy for good quality randomness.
See Digital Ocean for more information.
The following instructions are for Debian based systems and assume you are running as root.
Check your system to see if haveged is already installed.
# [ -n "$(command -v haveged)" ] && echo "Installed" || echo "Not Installed"
Not Installed
If haveged is not installed, go ahead and install it.
First run update:
# apt-get update
Install haveged:
# apt-get install haveged
Starting Haveged
# /usr/sbin/haveged -w 1024
Run on Startup
# update-rc.d haveged defaults
On the next reboot haveged will start with the system.
Install rng-tools if needed
Check your system to see if package rng-tools is already installed:
# dpkg -l rng-tools
If it is not installed, the output should look similar to:
# dpkg -l rng-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-========================-=================-=================-=====================================================
un rng-tools <none> <none> (no description available)
If it is installed, the output should look similar to:
# dpkg -l rng-tools
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=================================-=====================-=====================-=====================================
ii rng-tools 2-unofficial-mt.14-1+ amd64 Daemon to use a Hardware TRNG
If you need to install rng-tools:
# apt-get update
# apt-get install rng-tools
Note: If you start the service at this point, you will see that it fails:
# systemctl start rng-tools
Add /dev/urandom as the HRNGDEVICE in the rng-tools config file:
# echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
Start the service again
# systemctl start rng-tools
Check the Status
# service rng-tools status
● rng-tools.service
Loaded: loaded (/etc/init.d/rng-tools; generated; vendor preset: enabled)
Active: active (running) since Mon 2018-06-25 10:48:31 EDT; 7s ago
Docs: man:systemd-sysv-generator(8)
Process: 4194 ExecStart=/etc/init.d/rng-tools start (code=exited, status=0/SUCCESS)
Tasks: 4 (limit: 19660)
CGroup: /system.slice/rng-tools.service
└─4196 /usr/sbin/rngd -r /dev/urandom
Jun 25 10:48:30 bigbyte systemd[1]: Starting rng-tools.service...
Jun 25 10:48:31 bigbyte rng-tools[4194]: Starting Hardware RNG entropy gatherer daemon: rngd.
Jun 25 10:48:31 bigbyte systemd[1]: Started rng-tools.service.
Jun 25 10:48:31 bigbyte rngd[4196]: rngd 2-unofficial-mt.14 starting up...
Jun 25 10:48:31 bigbyte rngd[4196]: entropy feed to the kernel ready
Testing Availability of Entropy & Quality of Random Data
# cat /dev/random | rngtest -c 1000
Output:
rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 1000
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=2.413; avg=13.646; max=16.629)Mibits/s
rngtest: FIPS tests speed: (min=57.974; avg=73.134; max=79.473)Mibits/s
rngtest: Program run time: 1660174 microseconds
A very small number of failures is acceptable in any random number generator, but you can expect to see 998-1000 successes most of the time when using haveged.
To test the amount of available entropy, you can run the following command:
# cat /proc/sys/kernel/random/entropy_avail
The idea of haveged is to fill this pool back up whenever the available bits get near 1024. So while this number will fluctuate, it shouldn't drop below 1000 or so unless you're really demanding lots of randomness (SSH key generation, etc).
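The two checks above (the rngtest run and the entropy_avail reading) can be scripted so a box reports pass/fail in one go. This is an added example, not code from the original post or from the haveged or rng-tools projects; the thresholds (a 1000-bit pool, at most 2 failures per 1000 blocks) are assumptions taken from the prose above.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the post's two health
# checks to an entropy source: the kernel pool level read from
# /proc/sys/kernel/random/entropy_avail, and the failure count from an
# rngtest FIPS 140-2 run. Thresholds are assumptions based on the post.

POOL_MIN=1000
MAX_FAILURES=2

# pool_ok <bits>: succeeds when the pool is at or above POOL_MIN.
pool_ok() {
    [ "$1" -ge "$POOL_MIN" ]
}

# rngtest_failures <rngtest output>: prints the "FIPS 140-2 failures" count,
# or nothing if the line is absent (rngtest writes its report to stderr).
rngtest_failures() {
    printf '%s\n' "$1" | sed -n 's/^rngtest: FIPS 140-2 failures: \([0-9]*\)$/\1/p'
}

# rngtest_ok <rngtest output>: succeeds when the failure line exists and the
# count is within MAX_FAILURES; a missing line is treated as a failure.
rngtest_ok() {
    f=$(rngtest_failures "$1")
    [ -n "$f" ] && [ "$f" -le "$MAX_FAILURES" ]
}

# Constructed sample in the shape rngtest prints, with two failed blocks.
SAMPLE_RNGTEST='rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 998
rngtest: FIPS 140-2 failures: 2
rngtest: FIPS 140-2(2001-10-10) Monobit: 1
rngtest: FIPS 140-2(2001-10-10) Poker: 1'

# live_check: run both checks against the local kernel (needs rng-tools).
live_check() {
    avail=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null) || return 2
    pool_ok "$avail" || { echo "pool low: $avail bits"; return 1; }
    out=$(rngtest -c 1000 < /dev/random 2>&1) || true
    rngtest_ok "$out" || { echo "rngtest failures too high"; return 1; }
    echo "entropy OK: pool=$avail bits, failures=$(rngtest_failures "$out")"
}

# Set RUN_LIVE=1 to run the live check; off by default so the file can be sourced.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    live_check
fi
```

Keep in mind that with HRNGDEVICE=/dev/urandom, rngd feeds the kernel's own output back into the pool, so a high entropy_avail reading on such a box shows the counter being topped up rather than independent entropy; haveged's CPU timing jitter is the source that actually adds something new.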