Have you ever tried to generate an SSL certificate or GPG key and had it pause, waiting for the kernel to gather enough entropy to produce sufficiently random key material? You have probably seen a message such as:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Virtual machines tend not to have a lot of entropy, at least not without some help. Entropy in Linux refers to the amount of unpredictable input the kernel's random number generator has collected, which the kernel tracks as an estimate in bits. VirtIO RNG promises to help with this. Until it becomes ubiquitous, you can use rng-tools to gather entropy inside your virtual machine; in fact, rngd is enabled by default since Fedora 18.

Install the rng-tools package using YUM:

sudo yum install rng-tools

Edit the rng-tools configuration file and set the kernel device used as the random number input. We will use the /dev/urandom pseudorandom number generator:

sudo perl -p -i -e 's/EXTRAOPTIONS=""/EXTRAOPTIONS="-r \/dev\/urandom"/' /etc/sysconfig/rngd


Enable rngd at boot and start it:

sudo chkconfig rngd on
sudo service rngd start


Verify the available kernel entropy (higher is better):

Before:

cat /proc/sys/kernel/random/entropy_avail
173

After:

cat /proc/sys/kernel/random/entropy_avail
4096

That's it.

It is good to have a large amount of entropy available when the kernel needs to supply random numbers. This matters for security: for example, it helps prevent two machines from generating duplicate keys.

When spinning up virtual machines, it is a good idea to have rngd start early in the boot process, before the SSH host key pairs are generated during first boot.
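As an added example (not code from the original post), here is a small POSIX shell script that automates the verification step above: it polls entropy_avail until it reaches a threshold before a key-generation step, and reads the -r device out of /etc/sysconfig/rngd, flagging the case where rngd is fed from /dev/urandom, which recycles the kernel's own output rather than adding fresh entropy, so a hardware source such as /dev/hwrng from virtio-rng is preferable when the hypervisor provides one. The file paths are assumptions matching the post's Fedora setup and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not the original post's code: check the kernel entropy pool
# before key generation and inspect which device rngd feeds from.
# Assumed paths: the standard Linux /proc file and Fedora's
# /etc/sysconfig/rngd; both can be overridden for testing.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
RNGD_CONF="${RNGD_CONF:-/etc/sysconfig/rngd}"

# read_entropy [FILE]: print the entropy_avail value, or 0 if unreadable
read_entropy() {
    f="${1:-$ENTROPY_FILE}"
    if [ -r "$f" ]; then tr -dc '0-9' < "$f"; else printf '0'; fi
}
# entropy_ok VALUE THRESHOLD: succeed when VALUE >= THRESHOLD
entropy_ok() { [ "${1:-0}" -ge "$2" ]; }

# wait_for_entropy THRESHOLD MAX_TRIES [FILE]: poll once per second until
# the pool reaches THRESHOLD; print the last value, fail if never reached
wait_for_entropy() {
    threshold="$1"; tries="$2"; f="${3:-$ENTROPY_FILE}"; i=1
    while :; do
        v=$(read_entropy "$f")
        if entropy_ok "$v" "$threshold"; then echo "$v"; return 0; fi
        if [ "$i" -ge "$tries" ]; then echo "$v"; return 1; fi
        i=$((i + 1)); sleep 1
    done
}

# rngd_source [FILE]: print the device given to rngd's -r option, if any
rngd_source() {
    f="${1:-$RNGD_CONF}"; [ -r "$f" ] || return 0
    sed -n 's/^EXTRAOPTIONS="[^"]*-r[ =]*\([^ "]*\).*/\1/p' "$f"
}

# source_is_kernel_feedback DEVICE: succeed when rngd would only feed the
# kernel's own CSPRNG output back into the pool, which adds no new entropy
source_is_kernel_feedback() {
    case "$1" in /dev/urandom|/dev/random) return 0 ;; *) return 1 ;; esac
}

# report: run both checks against the live system (invoke with --check)
report() {
    v=$(read_entropy); echo "entropy_avail: $v"
    entropy_ok "$v" 1000 || echo "WARNING: pool below 1000 bits, wait before generating keys"
    src=$(rngd_source); echo "rngd source: ${src:-(none configured)}"
    source_is_kernel_feedback "$src" && echo "NOTE: consider /dev/hwrng (virtio-rng) instead"
}

case "${1:-}" in --check) report ;; esac
```

Run it as `sh entropy-check.sh --check` on the guest, or source it and call `wait_for_entropy 2000 60` from a first-boot script before generating host keys.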
