Entropy is nothing but the measure of “randomness” in a sequence of bits. The PRNG ( pseudorandom number generator ) is a special device (e.g. /dev/random on Linux) to create randomness from server hardware activities. It uses interrupts generated from the keyboard, hard disk, mouse, network and other sources. The random number generator gathers environmental noise from device drivers and other sources into an entropy pool. The randomness usually used for security purposes like creating TLS/SSL keys and the quality source of random bits is critical. For example, OpenSSL APIs can use quality randomness to make your program cryptographically secure. However, a poor source of randomness could result in loss of security. In this post, I will cover haveged and rng-utils/rng-tools to generate random numbers and feed linux random device for your virtual or dedicated Linux server.
Running out of entropy on server or VMs is common
To see available entropy on Linux, enter:
$ cat /proc/sys/kernel/random/entropy_avail
Sample outputs:
378
It is rather low (anything below =
Does anyone know how to speed up?
openssl dhparam -out dhparams.pem 4096
— nixCraft # (@nixcraft) September 2, 2016
I was suggested to look into the haveged project. The haveged software provides an easy-to-use, unpredictable random number generator based on an adaptation of the HAVEGE algorithm. Another suggested option was to use rng-tools/rng-utils to speed up entropy.
Finding out your current availability of entropy and quality of randomness
You need to use the rngtest command as follows. Install it from rng-tools without starting rng in background:
$ sudo RUNLEVEL=1 apt-get install rng-tools
$ cat /dev/random | rngtest -c 1000
It is going to take forever to run last command due to low quality randomness. Let us see how to install haveged or rng-tools.
Option #1: Install haveged
Linux entropy source using the HAVEGE algorithm and can installed as follows:
Debian/Ubuntu Linux
Type the following apt-get command:
$ sudo apt-get install haveged
Sample outputs:
Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: libhavege1 The following NEW packages will be installed: haveged libhavege1 0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 49.8 kB of archives. After this operation, 196 kB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 http://01.archive.ubuntu.com/ubuntu xenial/universe amd64 libhavege1 amd64 1.9.1-3 [21.8 kB] Get:2 http://01.archive.ubuntu.com/ubuntu xenial/universe amd64 haveged amd64 1.9.1-3 [28.0 kB] Fetched 49.8 kB in 0s (58.6 kB/s) Selecting previously unselected package libhavege1:amd64. (Reading database ... 233574 files and directories currently installed.) Preparing to unpack .../libhavege1_1.9.1-3_amd64.deb ... Unpacking libhavege1:amd64 (1.9.1-3) ... Selecting previously unselected package haveged. Preparing to unpack .../haveged_1.9.1-3_amd64.deb ... Unpacking haveged (1.9.1-3) ... Processing triggers for libc-bin (2.23-0ubuntu4) ... Processing triggers for man-db (2.7.5-1) ... Processing triggers for systemd (229-4ubuntu12) ... Processing triggers for ureadahead (0.100.0-19) ... ureadahead will be reprofiled on next reboot Setting up libhavege1:amd64 (1.9.1-3) ... Setting up haveged (1.9.1-3) ... Processing triggers for libc-bin (2.23-0ubuntu4) ... Processing triggers for systemd (229-4ubuntu12) ... Processing triggers for ureadahead (0.100.0-19) ... |
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following additional packages will be installed:
libhavege1
The following NEW packages will be installed:
haveged libhavege1
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 49.8 kB of archives.
After this operation, 196 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://01.archive.ubuntu.com/ubuntu xenial/universe amd64 libhavege1 amd64 1.9.1-3 [21.8 kB]
Get:2 http://01.archive.ubuntu.com/ubuntu xenial/universe amd64 haveged amd64 1.9.1-3 [28.0 kB]
Fetched 49.8 kB in 0s (58.6 kB/s)
Selecting previously unselected package libhavege1:amd64.
(Reading database … 233574 files and directories currently installed.)
Preparing to unpack …/libhavege1_1.9.1-3_amd64.deb …
Unpacking libhavege1:amd64 (1.9.1-3) …
Selecting previously unselected package haveged.
Preparing to unpack …/haveged_1.9.1-3_amd64.deb …
Unpacking haveged (1.9.1-3) …
Processing triggers for libc-bin (2.23-0ubuntu4) …
Processing triggers for man-db (2.7.5-1) …
Processing triggers for systemd (229-4ubuntu12) …
Processing triggers for ureadahead (0.100.0-19) …
ureadahead will be reprofiled on next reboot
Setting up libhavege1:amd64 (1.9.1-3) …
Setting up haveged (1.9.1-3) …
Processing triggers for libc-bin (2.23-0ubuntu4) …
Processing triggers for systemd (229-4ubuntu12) …
Processing triggers for ureadahead (0.100.0-19) …
RHEL/CentOS Linux
First, turn on EPEL repo and type:
$ sudo yum install epel-release
$ sudo yum install haveged
Sample outputs:
Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.excellmedia.net * epel: epel.mirror.angkasa.id * extras: centos.excellmedia.net * updates: centos.excellmedia.net Resolving Dependencies --> Running transaction check ---> Package haveged.x86_64 0:1.9.1-1.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ================================================================================= Package Arch Version Repository Size ================================================================================= Installing: haveged x86_64 1.9.1-1.el7 epel 61 k Transaction Summary ================================================================================= Install 1 Package Total download size: 61 k Installed size: 181 k Is this ok [y/d/N]: y Downloading packages: warning: /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed haveged-1.9.1-1.el7.x86_64.rpm | 61 kB 00:00:00 Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Importing GPG key 0x352C64E5: Userid : "Fedora EPEL (7) <[email protected]>" Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5 Package : epel-release-7-6.noarch (@extras) From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 Is this ok [y/N]: y Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : haveged-1.9.1-1.el7.x86_64 1/1 Verifying : haveged-1.9.1-1.el7.x86_64 1/1 Installed: haveged.x86_64 0:1.9.1-1.el7 Complete! |
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: epel.mirror.angkasa.id
* extras: centos.excellmedia.net
* updates: centos.excellmedia.net
Resolving Dependencies
–> Running transaction check
—> Package haveged.x86_64 0:1.9.1-1.el7 will be installed
–> Finished Dependency ResolutionDependencies Resolved=================================================================================
Package Arch Version Repository Size
=================================================================================
Installing:
haveged x86_64 1.9.1-1.el7 epel 61 kTransaction Summary
=================================================================================
Install 1 PackageTotal download size: 61 k
Installed size: 181 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/haveged-1.9.1-1.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for haveged-1.9.1-1.el7.x86_64.rpm is not installed
haveged-1.9.1-1.el7.x86_64.rpm | 61 kB 00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
Userid : “Fedora EPEL (7) <[email protected]>”
Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
Package : epel-release-7-6.noarch (@extras)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : haveged-1.9.1-1.el7.x86_64 1/1
Verifying : haveged-1.9.1-1.el7.x86_64 1/1Installed:
haveged.x86_64 0:1.9.1-1.el7Complete!
That is all. Test it:
$ cat /proc/sys/kernel/random/entropy_avail
$ cat /dev/random | rngtest -c 1000
$ haveged -n 2g -f - | dd of=/dev/null
Option #2: Install rng-utils/rng-tools
The rngd is hardware RNG entropy gatherer daemon. Type the following yum command on a CentOS/RHEL based system:
$ sudo yum install -y rng-utils
Sample outputs:
Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: centos.excellmedia.net * epel: epel.mirror.angkasa.id * extras: centos.excellmedia.net * updates: centos.excellmedia.net Resolving Dependencies --> Running transaction check ---> Package rng-tools.x86_64 0:5-7.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ========================================================================= Package Arch Version Repository Size ========================================================================= Installing: rng-tools x86_64 5-7.el7 base 34 k Transaction Summary ========================================================================= Install 1 Package Total download size: 34 k Installed size: 68 k Is this ok [y/d/N]: y Downloading packages: rng-tools-5-7.el7.x86_64.rpm | 34 kB 00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : rng-tools-5-7.el7.x86_64 1/1 Verifying : rng-tools-5-7.el7.x86_64 1/1 Installed: rng-tools.x86_64 0:5-7.el7 Complete! |
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: epel.mirror.angkasa.id
* extras: centos.excellmedia.net
* updates: centos.excellmedia.net
Resolving Dependencies
–> Running transaction check
—> Package rng-tools.x86_64 0:5-7.el7 will be installed
–> Finished Dependency ResolutionDependencies Resolved=========================================================================
Package Arch Version Repository Size
=========================================================================
Installing:
rng-tools x86_64 5-7.el7 base 34 kTransaction Summary
=========================================================================
Install 1 PackageTotal download size: 34 k
Installed size: 68 k
Is this ok [y/d/N]: y
Downloading packages:
rng-tools-5-7.el7.x86_64.rpm | 34 kB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : rng-tools-5-7.el7.x86_64 1/1
Verifying : rng-tools-5-7.el7.x86_64 1/1Installed:
rng-tools.x86_64 0:5-7.el7Complete!
Debian / Ubuntu Linux users type the following apt-get command:
$ sudo apt-get install rng-tools
Sample outputs:
[sudo] password for vivek: Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: rng-tools 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 21.9 kB of archives. After this operation, 139 kB of additional disk space will be used. Get:1 http://01.archive.ubuntu.com/ubuntu xenial/universe amd64 rng-tools amd64 5-0ubuntu3 [21.9 kB] Fetched 21.9 kB in 0s (34.3 kB/s) Selecting previously unselected package rng-tools. (Reading database ... 233574 files and directories currently installed.) Preparing to unpack .../rng-tools_5-0ubuntu3_amd64.deb ... Unpacking rng-tools (5-0ubuntu3) ... Processing triggers for man-db (2.7.5-1) ... Processing triggers for systemd (229-4ubuntu12) ... Processing triggers for ureadahead (0.100.0-19) ... ureadahead will be reprofiled on next reboot Setting up rng-tools (5-0ubuntu3) ... Processing triggers for systemd (229-4ubuntu12) ... Processing triggers for ureadahead (0.100.0-19) ... |
[sudo] password for vivek:
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following NEW packages will be installed:
rng-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 21.9 kB of archives.
After this operation, 139 kB of additional disk space will be used.
Get:1 http://01.archive.ubuntu.com/ubuntu xenial/universe amd64 rng-tools amd64 5-0ubuntu3 [21.9 kB]
Fetched 21.9 kB in 0s (34.3 kB/s)
Selecting previously unselected package rng-tools.
(Reading database … 233574 files and directories currently installed.)
Preparing to unpack …/rng-tools_5-0ubuntu3_amd64.deb …
Unpacking rng-tools (5-0ubuntu3) …
Processing triggers for man-db (2.7.5-1) …
Processing triggers for systemd (229-4ubuntu12) …
Processing triggers for ureadahead (0.100.0-19) …
ureadahead will be reprofiled on next reboot
Setting up rng-tools (5-0ubuntu3) …
Processing triggers for systemd (229-4ubuntu12) …
Processing triggers for ureadahead (0.100.0-19) …
That is all. Test it:
$ cat /proc/sys/kernel/random/entropy_avail
$ cat /dev/random | rngtest -c 1000
Fig.01: Testing availability of entropy & quality of randomness on Linux
Examples
To generate a strong DH group or GPG keys using CLI, run:
Now you should see speed up while using the following commands. To use perfect forward secrecy cipher suites, you must set up Diffie-Hellman parameters on the server side:
$ openssl dhparam -out dhparams.pem 2048
OR
$ openssl dhparam -out dhparams.pem 4096
OR
$ openssl dhparam -out dhparams.pem -dsaparam 4096
Type the following command to generates a key pair that consists of a public and a private key, execute:
$ gpg2 --gen-key
To generate a /root/keyfile for disk encryption with LUKS, enter:
$ sudo haveged -n 2048 -f /root/keyfile
To generate random ASCII passwords of the length 16 characters, run:
$ (haveged -n 1000 -f - 2>/dev/null | tr -cd '[:graph:]' | fold -w 16 && echo ) | head -1
To test the randomness of the generated data with dieharder test suite (use ‘apt-get install dieharder‘ to use dieharder on Debian/Ubuntu Linux):
$ haveged -n 0 | dieharder -g 200 -a
Sample outputs:
Writing unlimited bytes to stdout
#=============================================================================#
# dieharder version 3.31.1 Copyright 2003 Robert G. Brown #
#=============================================================================#
rng_name |rands/second| Seed |
stdin_input_raw| 2.22e+07 |2467094284|
#=============================================================================#
test_name |ntup| tsamples |psamples| p-value |Assessment
#=============================================================================#
diehard_birthdays| 0| 100| 100|0.57766651| PASSED
diehard_operm5| 0| 1000000| 100|0.18806468| PASSED
diehard_rank_32x32| 0| 40000| 100|0.94961511| PASSED
diehard_rank_6x8| 0| 100000| 100|0.89699673| PASSED
diehard_bitstream| 0| 2097152| 100|0.01373793| PASSED
diehard_opso| 0| 2097152| 100|0.33382051| PASSED
diehard_oqso| 0| 2097152| 100|0.59662327| PASSED
diehard_dna| 0| 2097152| 100|0.18392060| PASSED
diehard_count_1s_str| 0| 256000| 100|0.35838284| PASSED
diehard_count_1s_byt| 0| 256000| 100|0.93169702| PASSED
diehard_parking_lot| 0| 12000| 100|0.25432384| PASSED
diehard_2dsphere| 2| 8000| 100|0.19976795| PASSED
diehard_3dsphere| 3| 4000| 100|0.72109364| PASSED
diehard_squeeze| 0| 100000| 100|0.70961203| PASSED
...
..
....
A note about ChaosKey
There is a hardware based True Random Number Generator that attaches via USB:
Chaoskey v 3.0