[Bug 706011] Re: gpg --key-gen doesn't have enough entropy and rng-tools install/start fails

Rookcifer rookcifer at gmail.com
Wed Apr 25 23:31:19 UTC 2012


@ Jon Stevens

So if we care about security we are stupid?  This isn't just some random
security issue in code, of which there are a dime a dozen.  If we implemented
what you suggested we would be breaking the entire web of trust of people
who use Ubuntu to generate GPG keys.  We would literally be making the
whole GPG system completely insecure for hundreds of thousands if not
*millions* of people.  Ubuntu would become a laughing-stock on all the
big tech websites.  Blogs worldwide would be saying "Ubuntu generates
insecure GPG keys."  I can see the headlines now.

Whoever runs this bug list should *never* have made this a valid bug in
the first place.  Luckily they have since made it invalid.  Now they
need to close it for good.

And if you are developing or packaging, why are you not doing it on a
local machine?  Why are you doing it on some random VM remotely?
Besides, I gave you a good solution already.  Run this in the terminal
on your VM:

sudo apt-get install haveged

That is an entropy generator that will keep the entropy pool full at all
times.  You should be able to generate your keys in seconds.  Even
though it might not be as secure as using /dev/random directly, it is
probably good enough for your needs, and certainly much faster.  If you
want a fast solution, fine.  But don't ask Ubuntu to break our security
for your one weird corner case.

Lesson to be learned:  Unless you are a cryptographer or someone *very*
experienced in crypto coding, do not *ever* mess around with crypto code
or suggest people change it because of something you don't understand.
Debian learned this lesson the hard way several years ago.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/706011

Title:
  gpg --key-gen doesn't have enough entropy and rng-tools install/start
  fails

Status in “gnupg” package in Ubuntu:
  Invalid

Bug description:
  Binary package hint: gnupg

  Description:	Ubuntu 10.04.1 LTS
  Release:	10.04

  If you install gpg and then type: gpg --gen-key, it 'freezes up' during the entropy gathering phase.

  ....
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.

  Not enough random bytes available.  Please do some other work to give
  the OS a chance to collect more entropy! (Need 278 more bytes)
  ....
  (freeze here)

  I found some reference on the interwebs suggesting to install rng-
  tools so that the rngd daemon can gather more entropy for the system
  because by default cat /proc/sys/kernel/random/entropy_avail has a
  very very low number.

  Thus, installation of rng-tools fails to start the rngd daemon...

  Setting up rng-tools (2-unofficial-mt.12-1ubuntu3) ...
  Trying to create /dev/hwrng device inode...
  Starting Hardware RNG entropy gatherer daemon: (failed).
  invoke-rc.d: initscript rng-tools, action "start" failed.

  It is then required to do this: echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
  and then start rngd: /etc/init.d/rng-tools start

  After this process is done, gpg --gen-key is immediate...

  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  .........+++++
  ...+++++
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  +++++
  .+++++

  And cat /proc/sys/kernel/random/entropy_avail has a much higher
  number.

  All in all, I think this process should be simplified by maybe making
  gpg depend on rng-tools. The whole reason why I need to generate a gpg
  key is because I want to sign the .deb debians that I'm creating for
  my repository.

  Thanks for your time.
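Added example, not from this thread or from either package: a POSIX sh script that reads the HRNGDEVICE setting from an /etc/default/rng-tools-style file, flags the /dev/urandom workaround from the bug description as feeding the kernel pool from its own output, and reports whether the entropy counter is below what gpg was waiting for (278 bytes, i.e. 2224 bits). The function names and the threshold are this example's own choices.

```sh
#!/bin/sh
# Added example: audit an rng-tools configuration and the kernel entropy counter.
# Function names and the 2224-bit threshold are this example's own choices.

# Print the effective HRNGDEVICE value from an /etc/default/rng-tools-style
# file (last assignment wins, quotes and trailing comments stripped).
# Prints nothing when the variable is not set.
rngd_source() {
    sed -n 's/^[[:space:]]*HRNGDEVICE=//p' "$1" | tail -n 1 \
        | sed -e 's/[[:space:]]*#.*$//' \
              -e 's/^["'"'"']//' -e 's/["'"'"']$//'
}

# Classify the device rngd is told to read from:
#   hardware  - a real hardware RNG, which is what rngd is designed for
#   circular  - the kernel's own output fed back into the kernel pool; this
#               raises entropy_avail without adding any real entropy
#   unset     - no HRNGDEVICE configured (the start failure in the bug report)
#   other     - something else; inspect by hand
classify_rngd_source() {
    case "$1" in
        "")                        printf 'unset\n' ;;
        /dev/urandom|/dev/random)  printf 'circular\n' ;;
        /dev/hwrng|/dev/hw_random) printf 'hardware\n' ;;
        *)                         printf 'other\n' ;;
    esac
}

# Print "low" if the entropy counter in file $1 is below $2 bits, else "ok".
# gpg in the report was waiting for 278 more bytes, i.e. 2224 bits.
entropy_status() {
    avail=$(tr -cd '0-9' < "$1")
    if [ "${avail:-0}" -lt "$2" ]; then printf 'low\n'; else printf 'ok\n'; fi
}

# Report on the live system; each file is skipped if it is absent.
main() {
    cfg=/etc/default/rng-tools
    if [ -r "$cfg" ]; then
        printf 'rngd source: %s\n' "$(classify_rngd_source "$(rngd_source "$cfg")")"
    fi
    ea=/proc/sys/kernel/random/entropy_avail
    if [ -r "$ea" ]; then
        printf 'entropy_avail: %s (%s)\n' "$(cat "$ea")" "$(entropy_status "$ea" 2224)"
    fi
}
main
```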
