Increase random entropy pool in Debian sid
Hopefully this will be a short post. I saw some folks in IRC (one of the many #debian channels I’m connected to) chatting about /dev/urandom and /dev/random, and increasing their available entropy pool. The entropy pool is the kernel’s collection of unpredictable input (interrupt and disk timings, keyboard and mouse events, and whatever a hardware source feeds in), and the “entropy” figure is the kernel’s running estimate of how many bits of unpredictability that pool holds. Both /dev/random and /dev/urandom are fed from it. A bigger count does not make the generator’s output “more random”: the real danger is a generator that has never been seeded with enough unpredictable input, which is the situation early in boot, on a freshly cloned VM, or on a headless box with no input devices, and keys generated in that state can be guessed. Once the pool has been seeded, /dev/urandom is fine whatever the counter says; what a low count actually costs you is that /dev/random (on kernels before 5.6) stops and waits until more entropy has been credited, which stalls anything that insists on reading it. I found this Wikipedia article which briefly describes the technology on various operating systems.
The file that shows how much entropy the kernel currently credits to its pool lives in the /proc pseudo-filesystem: /proc/sys/kernel/random/entropy_avail. It changes constantly; to watch it change I used this command:
watch -n 1 cat /proc/sys/kernel/random/entropy_avail
This showed my entropy fluctuating between 100 and 200. On this kernel that is low enough that anything reading /dev/random (key-generation tools typically do) would sit and wait, so it is not very useful. I did some research to try and discover a way to increase this entropy pool. Probably the best option is a hardware random number generator (HRNG), sometimes called a true random number generator (TRNG), fed into the kernel with rngd (the same daemon can also use the RDRAND instruction on CPUs that have it). These cost money, money I don’t have for spending. I found randomsound, but running it did not appear to affect my entropy one way or the other (probably because on my home machine I don’t have a mic). I found this blog post, but it initially suggests a questionable method to increase entropy. Its update, quietly hidden at the top of the post, gives the solution I came upon.
The solution was to use haveged. It implements HAVEGE: it runs a small loop over and over, times each pass with the CPU’s cycle counter, and harvests the jitter that caches, branch predictors and other internal processor state introduce into those timings; the collected bits are written into the kernel pool (via the RNDADDENTROPY ioctl on /dev/random) together with an entropy credit, which is why entropy_avail goes up. One caveat: the kernel trusts that credit, and inside a VM whose timestamp counter is virtualised or coarse the jitter is less unpredictable than on bare metal, so haveged is not a substitute for a real hardware source where one is available. When I ran it with the default options, my entropy pool shot up to between 1024 and 4096. Much improved. In a post further down on Chris’s blog, someone suggested using /proc/sys/kernel/random/poolsize as the lower threshold, with the -w option. -w sets the kernel’s write_wakeup_threshold, the entropy_avail level below which the kernel wakes haveged to refill the pool (haveged’s own default is 1024); setting it to poolsize makes haveged keep the pool topped up all the time. Debian provides an /etc/default/haveged file where you can place these options:
DAEMON_ARGS="-w $(cat /proc/sys/kernel/random/poolsize)"
Currently, poolsize is set to 4096. Should a new kernel from the Debian team set this pool to be different, haveged will automatically be set to whatever value it is. Two caveats. First, $(cat ...) is shell command substitution, so it only works if /etc/default/haveged is sourced by a shell, as the sysvinit script does; if haveged is started from a systemd unit that reads the file with EnvironmentFile=, no expansion happens and haveged gets the literal string, so in that case write the number itself (-w 4096). Second, newer kernels have moved on: from Linux 5.6 /dev/random only blocks until the pool has been initialised once, and from 5.18 poolsize reports 256 and entropy_avail no longer drains on reads, so this tuning matters mainly on the older kernels this post was written against. I have successfully set this on my main workstation machines at work and at home. I will set this on my laptop and my VPS systems, and see how it goes.
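To check what the watch command and the -w setting above actually achieve, here is an added example (my own script, not code from the original post or from the haveged project). It is a small POSIX shell script that reads the three kernel values involved (entropy_avail, poolsize and the write_wakeup_threshold that -w sets), classifies the pool state, and measures whether /dev/random really delivers bytes without stalling, using /dev/urandom as the control. The RANDOM_SYSCTL variable, the status names and the 4096-byte/5-second probe are my choices for the example; the /proc paths are the real kernel interface.

```shell
#!/bin/sh
# Added example, not code from the original post or from haveged.
# Reads the kernel RNG counters the post tunes and probes whether
# /dev/random actually stalls. RANDOM_SYSCTL, the status names and the
# probe sizes are constructed for this example; the /proc paths are real.

RANDOM_SYSCTL=${RANDOM_SYSCTL:-/proc/sys/kernel/random}

# Classify the pool from the three numbers the kernel exposes.
# Prints "full", "ok" or "low". "low" means entropy_avail has dropped
# below write_wakeup_threshold (the level haveged -w sets): the kernel is
# already asking feeder daemons for more, and on kernels before 5.6 a
# /dev/random reader in that state waits.
entropy_status() {  # usage: entropy_status ENTROPY_AVAIL POOLSIZE WRITE_WAKEUP_THRESHOLD
    if [ "$1" -ge "$2" ]; then
        echo full
    elif [ "$1" -ge "$3" ]; then
        echo ok
    else
        echo low
    fi
}

# Read the live counters and classify them.
live_status() {
    entropy_status "$(cat "$RANDOM_SYSCTL/entropy_avail")" \
                   "$(cat "$RANDOM_SYSCTL/poolsize")" \
                   "$(cat "$RANDOM_SYSCTL/write_wakeup_threshold")"
}

# Try to read NBYTES from DEVICE, giving up after SECS seconds, and print
# roughly how many bytes arrived. /dev/urandom always delivers the full
# count; a starved /dev/random on an old kernel delivers fewer (or none).
# Falls back to an untimed read where the timeout utility is missing.
timed_read() {  # usage: timed_read DEVICE NBYTES SECS
    if command -v timeout >/dev/null 2>&1; then
        timeout "$3" head -c "$2" "$1" | wc -c | tr -d ' '
    else
        head -c "$2" "$1" | wc -c | tr -d ' '
    fi
}

# Print the comparison the post makes; run this before and after
# starting haveged to see the difference.
report() {
    printf 'entropy_avail=%s poolsize=%s write_wakeup_threshold=%s -> %s\n' \
        "$(cat "$RANDOM_SYSCTL/entropy_avail")" \
        "$(cat "$RANDOM_SYSCTL/poolsize")" \
        "$(cat "$RANDOM_SYSCTL/write_wakeup_threshold")" \
        "$(live_status)"
    printf '/dev/urandom delivered %s of 4096 bytes within 5s\n' \
        "$(timed_read /dev/urandom 4096 5)"
    printf '/dev/random  delivered %s of 4096 bytes within 5s\n' \
        "$(timed_read /dev/random 4096 5)"
}

if [ "${1:-}" = "--report" ]; then
    report
fi
```

Run it with --report once with haveged stopped and once with it running: on a pre-5.6 kernel the /dev/random line is where the starved pool shows up, while /dev/urandom returns the full 4096 bytes either way, which is the point made above about which device a low count actually hurts.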
UPDATE: All but one of my VPS systems were able to use haveged. The one outlier was because it’s on an OpenVZ VM system, and I don’t have access to those particular parts of the kernel (even as root). I have relegated that VPS to being just a toy, since I can’t really use it for much else. I will probably cancel my subscription to that altogether. We’ll have to see about that.