[Bug 706011] Re: gpg --key-gen doesn't have enough entropy and rng-tools install/start fails

Alvaro Gonzalez andor at pierdelacabeza.com
Fri Nov 9 16:07:49 UTC 2012


Both parts have some reason.

On the one hand, you shouldn't generate any kind of crypto key if you don't
have enough entropy; it defeats the whole purpose of it.

On the other hand, with all these virtual environments we use today, and
the lack of detail in the message, you feel helpless:

Where is my entropy?
I keep poking keys in my ssh terminal (as mandated by the software) but no entropy is generated
Can I get entropy from another host?
How do I press keys or move a mouse on a virtual machine if there's no hardware to plug a mouse?

Probably everybody needing a quick cert for doing some testing or
authenticating packages locally is getting some headaches with this,
especially if they don't use the same OS on their desktops as on the
servers.

So my proposal is expanding the explanation message a bit when
generating a new key, stating that, if connected remotely or to a
virtual host, they will never get entropy by pressing keys, and maybe
giving an option or two.

Maybe even a timeout, so if the key is not generated in XX minutes, it
stops and gives some explanation to the user, with a --force-wait option
to avoid this timeout.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/706011

Title:
  gpg --key-gen doesn't have enough entropy and rng-tools install/start
  fails

Status in “gnupg” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: gnupg

  Description:	Ubuntu 10.04.1 LTS
  Release:	10.04

  
  If you install gpg and then type: gpg --gen-key, it 'freezes up' during the entropy gathering phase.

  ....
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.

  Not enough random bytes available.  Please do some other work to give
  the OS a chance to collect more entropy! (Need 278 more bytes)
  ....
  (freeze here)

  I found some reference on the interwebs suggesting to install rng-tools
  so that the rngd daemon can gather more entropy for the system,
  because by default cat /proc/sys/kernel/random/entropy_avail has a
  very very low number.

  Thus, installation of rng-tools fails to start the rngd daemon...

  Setting up rng-tools (2-unofficial-mt.12-1ubuntu3) ...
  Trying to create /dev/hwrng device inode...
  Starting Hardware RNG entropy gatherer daemon: (failed).
  invoke-rc.d: initscript rng-tools, action "start" failed.

  It is then required to do this: echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
  and then start rngd: /etc/init.d/rng-tools start

  After this process is done, gpg --gen-key is immediate...

  
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  .........+++++
  ...+++++
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  +++++
  .+++++

  And cat /proc/sys/kernel/random/entropy_avail has a much higher
  number.

  All in all, I think this process should be simplified by maybe making
  gpg depend on rng-tools. The whole reason why I need to generate a gpg
  key is because I want to sign the .deb debians that I'm creating for
  my repository.

  Thanks for your time.
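An added example, not part of the bug report or of the gnupg or rng-tools packages: a small POSIX shell script that reads the same kernel counter the reporter looked at, checks whether a real hardware RNG is exposed to the machine, and classifies what an HRNGDEVICE setting in /etc/default/rng-tools actually feeds to rngd. The point worth making explicit is the workaround's trade-off: pointing rngd at /dev/urandom makes it read the kernel's own CSPRNG output and write it back into the pool, which satisfies the entropy accounting that blocks gpg but adds no new entropy; /dev/hwrng (for example a virtio-rng device passed through to a guest) is the source rngd is designed for. The threshold, the helper names and the sample config text are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the rng-tools package).
# Reads the live entropy counter, reports whether /dev/hwrng exists, and
# classifies the HRNGDEVICE value from an rng-tools default file.

POOL_FILE=/proc/sys/kernel/random/entropy_avail

# Assumption: treat fewer than 1024 bits as "low". The value is illustrative;
# the reporter's gpg run wanted "278 more bytes" (over 2000 bits) from a
# pool that on that kernel generation holds at most 4096 bits.
LOW_BITS=1024

# entropy_status BITS: print "low" or "ok"; return 1 when low so callers can
# branch on it without parsing the output.
entropy_status() {
    if [ "$1" -lt "$LOW_BITS" ]; then
        echo low
        return 1
    fi
    echo ok
    return 0
}

# rng_source PATH: say what kind of source an HRNGDEVICE path is.
#   hardware  - /dev/hwrng, a real RNG rngd is meant to feed from
#   recycled  - /dev/urandom or /dev/random: rngd re-feeds the kernel's own
#               CSPRNG output, raising entropy_avail without new entropy
#   unknown   - anything else
rng_source() {
    case "$1" in
        /dev/hwrng) echo hardware ;;
        /dev/urandom|/dev/random) echo recycled ;;
        *) echo unknown ;;
    esac
}

# hrng_device TEXT: extract the last HRNGDEVICE= line from /etc/default/rng-tools
# style text passed as a string, stripping surrounding double quotes.
hrng_device() {
    printf '%s\n' "$1" | sed -n 's/^HRNGDEVICE=//p' | tail -n 1 | tr -d '"'
}

# Constructed sample of the file after the workaround quoted in the report.
SAMPLE_CONFIG='# constructed sample, not a real file from the reporter
RNGDOPTIONS="--fill-watermark=90%"
HRNGDEVICE=/dev/urandom'

# report: summarise the state of this machine.
report() {
    if [ -r "$POOL_FILE" ]; then
        avail=$(cat "$POOL_FILE")
        printf 'entropy_avail=%s (%s)\n' "$avail" "$(entropy_status "$avail")"
    else
        echo "no $POOL_FILE (not a Linux kernel?)"
    fi
    if [ -c /dev/hwrng ]; then
        echo "/dev/hwrng present: rngd can read a real hardware RNG"
    else
        echo "/dev/hwrng absent: no hardware RNG exposed to this host/guest"
    fi
    if [ -r /etc/default/rng-tools ]; then
        dev=$(hrng_device "$(cat /etc/default/rng-tools)")
        [ -n "$dev" ] && printf 'HRNGDEVICE=%s (%s)\n' "$dev" "$(rng_source "$dev")"
    fi
    return 0
}

report
```

Run it before generating a key on a server or VM: if it prints "low" together with "/dev/hwrng absent", the reporter's HRNGDEVICE=/dev/urandom line will unblock gpg, but only because the kernel now believes it has entropy it did not collect; attaching a hardware or virtio RNG so that /dev/hwrng appears gives rngd something genuinely random to feed.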
