alternative random device

[Richard Laager]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I'm not sure how common this is, but I am using gentoo, which 
> provides a
> /dev/urandom device, which seems to have much better performance
> than /dev/random. I actually had to restart earlier because
> /dev/random stopped working, and gnupg couldn't generate any keys,
> though
> /dev/urandom worked fine.  Is it possible to configure gnupg to use
> /dev/urandom instead of /dev/random?  How? --enable-static-rnd
> doesn't seem to allow specifying the device.  If it current isn't
> possible, I think a configure time option should be added, maybe
> --random-device=. This is all with gnupg-1.2.1

On Linux, /dev/random is a cryptographically secure* random number
generate. (* This means it has properties that make it suitable for
cryptographic operations like key generation that require highly
random and unpredictable numbers.)

/dev/random has one issue: It's blocking. That means that when your
system runs low on entropy (random data), reading from /dev/random
will hang until more entropy is available. This ensures that high
quality random data is provided.

/dev/urandom is non-blocking. When the system runs low on entropy,
the existing data is hashed over and over to provide more random
data.

What does all this mean? There's a theoretical possibility of an
attack against /dev/urandom. As such, there's a theoretical
possibility of an attack against keys generated using data from
/dev/urandom. So, you'll want to stick to /dev/random.

If you're running out of entropy, you can try typing on the keyboard,
using the mouse, generating network traffic, utilizing the disks,
etc.

For more information read the random(4) manual page, which you can
access by running: man 4 random

Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPkaqlW31OrleHxvOEQIiyACePLbrMxaeULlN6Inyouw4QQz5oVQAn3lh
dacu1eWLUmEP4w011K58Qz4O
=zs17
-----END PGP SIGNATURE-----