← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #58371

[Bug 706011] Re: gpg --key-gen doesn't have enough entropy and rng-tools install/start fails

  Thread PreviousDate PreviousThread Next 
Then please do not believe that blog post. Because /dev/urandom is not a
source of entropy and can not be relied upon for any serious business.
It is in a sense a consumer of entropy available from /dev/random, that
does an expansion to provide pseudo random data even when there is no
entropy to produce good random data.

@Jon Stevens:

Crypto should not be messed with. Period. But your frustration is
understandable. Developers do not intend to be hostile to novice users
as you claim, but we have concerns that not all users will not be able
to appreciate. rng-tools has a valid use case, but the workaround
suggested in some comments to use /dev/urandom would scare the crap out
of any cryptographer. I wish it is disallowed altogether.


The most sensible suggestion comes from Alvaro in #25. Why hasn't there been more discussion on this? Security can't be compromised, but a better explanation to users doees no harm. I am skeptic of allowing a flag, it will be suggested as a workaround when it should not be, and users will follow the advice.

Rather, only when being run interactively, the user can be prompted
after a timeout if they want to reduce the key size and/or proceed with
just the available entropy, since it is taking long to collect enough
entropy. This option should be unavailable when being run non-
interactively, since I don't see the need and IMO allowing it does more
damage in the long run.

On a sidenote, rng-tools should atleast spit out a warning when
/dev/urandom is being used as a *HARDWARE* random number generator,
which it is not. Does not prevent anyone from creating a new device node
for urandom and using it, and circulating sequence of commands to be run
to accomplish that, but all user stupidity can not be safeguarded
against.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/706011

Title:
  gpg --key-gen doesn't have enough entropy and rng-tools install/start
  fails

Status in gnupg package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: gnupg

  Description:	Ubuntu 10.04.1 LTS
  Release:	10.04

  
  If you install gpg and then type: gpg --gen-key, it 'freezes up' during the entropy gathering phase.

  ....
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.

  Not enough random bytes available.  Please do some other work to give
  the OS a chance to collect more entropy! (Need 278 more bytes)
  ....
  (freeze here)

  I found some reference on the interwebs suggesting to install rng-
  tools so that the rngd daemon can gather more entropy for the system
  because by default cat /proc/sys/kernel/random/entropy_avail has a
  very very low number.

  Thus, installation of rng-tools, fails to start the rngd daemon...

  Setting up rng-tools (2-unofficial-mt.12-1ubuntu3) ...
  Trying to create /dev/hwrng device inode...
  Starting Hardware RNG entropy gatherer daemon: (failed).
  invoke-rc.d: initscript rng-tools, action "start" failed.

  It is then required to do this: echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
  and then start rngd: /etc/init.d/rng-tools start

  After this process is done, gpg --gen-key is immediate...

  
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  .........+++++
  ...+++++
  We need to generate a lot of random bytes. It is a good idea to perform
  some other action (type on the keyboard, move the mouse, utilize the
  disks) during the prime generation; this gives the random number
  generator a better chance to gain enough entropy.
  +++++
  .+++++

  And cat /proc/sys/kernel/random/entropy_avail has a much higher
  number.

  All in all, I think this process should be simplified by maybe making
  gpg depend on rng-tools. The whole reason why I need to generate a gpg
  key is because I want to sign the .deb debians that I'm creating for
  my repository.

  Thanks for your time.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011/+subscriptions
  Thread PreviousDate PreviousThread Next