[Bug 706011] Re: gpg --key-gen doesn't have enough entropy and rng-tools install/start fails

Steven Ayre 706011 at bugs.launchpad.net
Mon Oct 29 18:26:51 UTC 2012


@taligent

"something wrong with the way entropy is captured for REMOTE sessions."

There's only a single way to generate entropy, and it's the same whether
you're running gpg locally or remotely. It must come from an external
source (e.g. keyboard/mouse/disk). Anything triggered by the machine
itself is predictable due to the schedulers; it must come from user/disk
activity instead.

The only issue with generating it remotely is that it's harder to
generate external entropy when you do not have physical access to the
machine. Local keyboard/mouse input provides more noise than anything
you can easily generate remotely.

The find everything piped into cat trick in another session should be sufficient on most systems. If it is all cached, this would allow you to generate disk access bypassing the cache:
  dd if=/path/to/large/file of=/dev/null iflag=direct

Personally I would suggest that you generate GPG keys *locally* where
it's possible to generate plenty of entropy since you have
keyboard/mouse access, then transfer the keys to the remote server(s)
where it's required.

Yes, perhaps the message could be improved with advice targeted at
remote users and a progress indicator if the kernel allows it, but that
does not describe the original poster's report and might be better with
this bug closed and that suggestion raised as a separate bug.

Otherwise it may be dangerous for people Googling this issue to find
this bug and follow the original poster's advice without reading any
further.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/706011

Title:
  gpg --key-gen doesn't have enough entropy and rng-tools install/start
  fails

Status in “gnupg” package in Ubuntu:
  New

Bug description:
  Binary package hint: gnupg

  Description:	Ubuntu 10.04.1 LTS
  Release:	10.04

  
  If you install gpg and then type: gpg --gen-key, it 'freezes up' during the entropy gathering phase.

  ....
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.

  Not enough random bytes available.  Please do some other work to give
  the OS a chance to collect more entropy! (Need 278 more bytes)
  ....
  (freeze here)

  I found some reference on the interwebs suggesting to install
  rng-tools so that the rngd daemon can gather more entropy for the system
  because by default cat /proc/sys/kernel/random/entropy_avail has a
  very very low number.

  Thus, installation of rng-tools fails to start the rngd daemon...

  Setting up rng-tools (2-unofficial-mt.12-1ubuntu3) ...
  Trying to create /dev/hwrng device inode...
  Starting Hardware RNG entropy gatherer daemon: (failed).
  invoke-rc.d: initscript rng-tools, action "start" failed.

  It is then required to do this: echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
  and then start rngd: /etc/init.d/rng-tools start

  After this process is done, gpg --gen-key is immediate...

  
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  .........+++++
  ...+++++
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  +++++
  .+++++

  And cat /proc/sys/kernel/random/entropy_avail has a much higher
  number.

  All in all, I think this process should be simplified by maybe making
  gpg depend on rng-tools. The whole reason why I need to generate a gpg
  key is because I want to sign the .deb debians that I'm creating for
  my repository.

  Thanks for your time.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011/+subscriptions
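An added example that is not part of this thread: a small POSIX sh audit for the HRNGDEVICE=/dev/urandom workaround quoted in the bug description. Pointing rngd at /dev/urandom pushes the kernel's own PRNG output back into the pool, so entropy_avail rises without any new unpredictability entering the system; this script flags that setting in an rng-tools config file and reads the kernel's entropy estimate. It assumes the /etc/default/rng-tools layout shown in the bug (a shell-style HRNGDEVICE= assignment) and runs here on constructed files only.

```shell
#!/bin/sh
# Added example, not from the bug thread: audit an rng-tools config for the
# HRNGDEVICE=/dev/urandom workaround. Feeding rngd from /dev/urandom or
# /dev/random only recycles kernel PRNG output into the pool, inflating the
# entropy_avail counter that gpg --gen-key waits on without adding entropy.

# Print "ok", "unsafe" or "unset" for the HRNGDEVICE setting in file $1.
check_hrng_device() {
    # Last uncommented assignment wins, as it would when the file is sourced;
    # surrounding single or double quotes are stripped.
    dev=$(grep -E '^[[:space:]]*HRNGDEVICE=' "$1" 2>/dev/null | tail -n 1 |
          sed -e 's/^[^=]*=[[:space:]]*//' -e "s/^[\"']//" -e "s/[\"']\$//")
    if [ -z "$dev" ]; then
        echo unset
    else
        case "$dev" in
            /dev/urandom|/dev/random) echo unsafe ;;   # kernel RNG feeding itself
            *) echo ok ;;                              # e.g. a real /dev/hwrng
        esac
    fi
}

# Print the kernel's entropy estimate in bits, read from $1 (defaults to /proc).
entropy_avail_bits() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}"
}

# Demonstration on constructed files, so it runs without touching /etc or /proc.
demo_dir=$(mktemp -d)
printf 'HRNGDEVICE=/dev/urandom\n' > "$demo_dir/workaround"
printf '# HRNGDEVICE=/dev/urandom\nHRNGDEVICE="/dev/hwrng"\n' > "$demo_dir/hwrng"
printf '143\n' > "$demo_dir/entropy_avail"          # constructed sample value
echo "workaround config: $(check_hrng_device "$demo_dir/workaround")"   # unsafe
echo "hwrng config:      $(check_hrng_device "$demo_dir/hwrng")"        # ok
echo "entropy_avail:     $(entropy_avail_bits "$demo_dir/entropy_avail") bits"
rm -rf "$demo_dir"
```

Run against the real system with `check_hrng_device /etc/default/rng-tools` and `entropy_avail_bits` with no argument; "unsafe" means the daemon is masking a genuine entropy shortage rather than fixing it.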