How insecure is using /dev/random for entropy generation?
Hauke Laging
mailinglisten at hauke-laging.de
Sun Mar 31 04:46:55 CEST 2013
On Sat 30.03.2013, 20:50:48, Anthony Papillion wrote:
> I need to generate a new key and want to make sure I create enough
> entropy to make the key secure. My normal method is to type on the
> keyboard, start large programs, etc. But a friend suggested that I use
> /dev/random.
gpg uses /dev/random. That's why key generation usually blocks due to lack of
entropy if you do it right and boot a secure medium for key generation.

The kernel fills /dev/random from e.g. key strokes, disk accesses, and (if
available and configured) internal CPU state (haveged) or a real hardware
number generator. The kernel should take care that the entropy in /dev/random
is "perfect".

The amount of available entropy can be seen in
/proc/sys/kernel/random/entropy_avail

To my knowledge it is not possible (without source code change) to make gpg
use another source than /dev/random. But I don't know whether it checks just
the path or the device number... ;-)
Hauke
--
☺
PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
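
Added example (not part of the original message and not GnuPG code): a pre-flight check that reads the entropy estimate from /proc/sys/kernel/random/entropy_avail and confirms that /dev/random is the kernel's character device by device number rather than by path alone. It assumes Linux (where /dev/random is major 1, minor 8) and GNU `stat`; the function names and the 256-bit threshold are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on the key-generation machine before gpg.
# Assumptions: Linux, GNU coreutils stat; names and threshold are hypothetical.

# Print the kernel's entropy estimate in bits, read from the given file.
# Fails if the file is unreadable or does not hold a plain integer.
read_entropy() {
    file=${1:-/proc/sys/kernel/random/entropy_avail}
    bits=$(cat "$file" 2>/dev/null) || return 1
    case $bits in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$bits"
}

# Succeed only if the estimate is at least MIN bits.
# $1 = MIN, $2 = optional path to the estimate (defaults to the /proc file).
entropy_ok() {
    min=$1
    bits=$(read_entropy "${2:-/proc/sys/kernel/random/entropy_avail}") || return 1
    [ "$bits" -ge "$min" ]
}

# Succeed only if the path resolves to character device 1:8.
# GNU stat prints major:minor in hex for %t:%T; -L follows symlinks, so a
# link to /dev/urandom (1:9) is rejected, and a regular file or FIFO placed
# at the path fails the -c test.
is_random_device() {
    dev=${1:-/dev/random}
    [ -c "$dev" ] || return 1
    [ "$(stat -L -c '%t:%T' "$dev" 2>/dev/null)" = "1:8" ]
}

# Run both checks; $1 = minimum entropy in bits (constructed default: 256).
preflight() {
    want=${1:-256}
    is_random_device /dev/random || {
        echo "/dev/random is not character device 1:8" >&2; return 2; }
    entropy_ok "$want" || {
        echo "entropy estimate is below $want bits" >&2; return 3; }
    echo "ok: $(read_entropy) bits estimated"
}

# Usage: preflight 256 && gpg --gen-key
```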