Generate entropy for PGP key

Solution 1:

Getting data out of /dev/random or /dev/urandom is definitely not going to help; all it will do is deplete your entropy pool, making the issue even worse. The main difference between these two files is that even when the kernel runs out of entropy, urandom will keep generating random data of lesser quality, while random will block until it can gather fresh high-quality random data. PGP requires the highest possible random data to generate secure keys, so it will always use /dev/random.

If you have good random data around, or export some from another server's /dev/random, you can cat it into your server's /dev/random to get more entropy. You should never cat the same file twice into /dev/random though.

If you often find yourself running out of entropy, you can also consider installing something like haveged, a daemon that re-generates entropy in the background and re-fills /dev/random as needed.

Also, it can be tempting to symlink /dev/random to /dev/urandom, but this should be considered a security risk, as any key generated using it may be less secure than it should be. While it may help for one less critical application, you have to consider every other possible use of /dev/random, including other users generating their own keys, CSRs, etc.
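A pre-flight check for the two conditions this answer describes, a drained entropy pool and a /dev/random that has been replaced by a link to /dev/urandom, as an added example that is not part of the original answer. The function names and the 200-bit threshold are assumptions, and `stat -c` assumes GNU coreutils.

```sh
#!/bin/sh
# Added example: pre-flight checks before generating keys on a server.
# Paths and the threshold are parameters (assumptions) so each check can be
# pointed at test files. Usage: preflight && gpg --gen-key

# Print "ok N" or "low N" from the kernel's entropy estimate.
# $1 = estimate file, $2 = minimum bits (assumed threshold; tune per host)
entropy_status() {
    est_file=${1:-/proc/sys/kernel/random/entropy_avail}
    min_bits=${2:-200}
    [ -r "$est_file" ] || { echo "unreadable"; return 2; }
    read -r bits < "$est_file" || true
    case $bits in
        ''|*[!0-9]*) echo "unparsable"; return 2 ;;
    esac
    if [ "$bits" -ge "$min_bits" ]; then
        echo "ok $bits"
    else
        echo "low $bits"; return 1
    fi
}

# Report what the random device really is. On Linux /dev/random is character
# device 1:8 (urandom is 1:9); a symlink or a re-created node is flagged.
random_dev_check() {
    dev=${1:-/dev/random}
    if [ -L "$dev" ]; then
        echo "symlink -> $(readlink "$dev")"; return 1
    elif [ ! -c "$dev" ]; then
        echo "not-chardev"; return 1
    fi
    ids=$(stat -c '%t:%T' "$dev")   # GNU stat: hex major:minor
    if [ "$ids" = "1:8" ]; then
        echo "chardev 1:8"
    else
        echo "wrong-device $ids"; return 1
    fi
}

# Run both checks; non-zero exit means do not generate keys yet.
preflight() {
    rc=0
    e=$(entropy_status "$1" "$2") || rc=1
    d=$(random_dev_check "$3") || rc=1
    echo "entropy: $e; device: $d"
    return "$rc"
}
```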

Solution 2:

You can use haveged.

haveged is a daemon that generates entropy when needed.

Solution 3:

I would recommend generating your GPG keys on your local machine, which will have much better randomness than the remote one, and then migrating the keys using SSH to your remote machine.

Generating locally will be faster (more sources of entropy) and more secure (no one can spy on the process if your machine is not infected, better randomness).

If you still want to generate those remotely: On Linux you can generate more entropy by simply pinging a host (e.g. ping 8.8.8.8). If you own another network host, try to have pings every 100ms (if your RTT is <100ms, of course). And/or use find to look for files on your hard disk and flush the RAM cache between each file search.

You could also install haveged, but read the limitations if you are running it in a virtual environment: https://wiki.archlinux.org/index.php/Haveged#Virtual_machines

Solution 4:

On Debian-based systems, you can install the rng-tools package using apt-get, and then start the daemon to generate entropy:

echo HRNGDEVICE=/dev/urandom >> /etc/default/rng-tools && service rng-tools restart

On CentOS-6 servers, the rng daemon is installed as one of the base tools (at least on most systems I've worked on it is), and you can run the following command to start it, in order to generate entropy:

sed -i 's|EXTRAOPTIONS=""|EXTRAOPTIONS="-r /dev/urandom"|g' /etc/sysconfig/rngd && service rngd restart

Solution 5:

sudo yum install haveged && sudo systemctl start haveged

Definitely works on a CentOS 7.2 VM. Sometimes you want to create GPG keys on a VM if you're creating a bunch and want your keyring intact.