[Bug 706011] Re: gpg --key-gen doesn't have enough entropy and rng-tools install/start fails
JoePete
ubuntu at joepete.com
Thu Mar 8 14:49:19 UTC 2012
Just a simple:
$ find / > /dev/null
I think this might do the trick.
Just to add three cents to the question of entropy vs. bug, bear in mind
here that whatever goes into generating that key is as strong as its
weakest link. Someone might go to a great deal of effort to generate the
key pair in question but eventually it will reside on a filesystem whose
controls likely do not rely on such a high degree of entropy. To
analogize, the safe in your home may be protected by an unguessable
combination, but since it is so complex, so entropic, it must be
recorded somewhere. So the thief doesn't try to guess the unguessable;
he simply seeks the place in which the key has been recorded. And while
that key may be protected with its own combination, it intrinsically has
to be one easily remembered (and that means easily guessed).
I do lean toward identifying this as a bug as there are ways of a system
generating the necessary entropy for the keys. These typically are more
or in addition to the guidance of moving the cursor or typing random
keys. One should remember as well that not all users have a mouse,
keyboard or full (or any) use of hands and fingers for that matter.
Hence, sound development practices would seek out such routines rather
than simply ask the user to do something random - after all if the user
were truly random we wouldn't need key-pair generation to begin with ;-)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/706011
Title:
gpg --key-gen doesn't have enough entropy and rng-tools install/start
fails
Status in “gnupg” package in Ubuntu:
Invalid
Bug description:
Binary package hint: gnupg
Description: Ubuntu 10.04.1 LTS
Release: 10.04
If you install gpg and then type: gpg --gen-key, it 'freezes up' during the entropy gathering phase.
....
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 278 more bytes)
....
(freeze here)
I found some reference on the interwebs suggesting to install
rng-tools so that the rngd daemon can gather more entropy for the system
because by default cat /proc/sys/kernel/random/entropy_avail has a
very very low number.
Thus, installation of rng-tools, fails to start the rngd daemon...
Setting up rng-tools (2-unofficial-mt.12-1ubuntu3) ...
Trying to create /dev/hwrng device inode...
Starting Hardware RNG entropy gatherer daemon: (failed).
invoke-rc.d: initscript rng-tools, action "start" failed.
It is then required to do this: echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools
and then start rngd: /etc/init.d/rng-tools start
After this process is done, gpg --gen-key is immediate...
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.........+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
.+++++
And cat /proc/sys/kernel/random/entropy_avail has a much higher
number.
All in all, I think this process should be simplified by maybe making
gpg depend on rng-tools. The whole reason why I need to generate a gpg
key is because I want to sign the .deb debians that I'm creating for
my repository.
Thanks for your time.
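A check for the workaround in the bug description, as an added example that is not part of the original post or of rng-tools: with HRNGDEVICE=/dev/urandom, rngd feeds the kernel pool's own output back into it, so entropy_avail rises without any independent randomness being added. The function names are hypothetical; the file paths and the HRNGDEVICE key are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: report which device rngd is configured to read from and the
# kernel's current entropy estimate. Paths are parameters so the functions can
# be run against constructed files as well as the live system.

# Print the last uncommented HRNGDEVICE value in the defaults file, if any.
rng_source() {
    sed -n 's/^[[:space:]]*HRNGDEVICE=//p' "$1" 2>/dev/null | tail -n 1 | tr -d "\"'"
}

# Classify the source. Kernel random devices only recycle the pool's output.
classify_source() {
    case "$1" in
        "")                       echo "unset" ;;
        /dev/urandom|/dev/random) echo "kernel-pool-feedback" ;;
        /dev/hwrng)               echo "hardware-rng" ;;
        *)                        echo "other" ;;
    esac
}

# Read the entropy estimate (in bits); defaults to the procfs path from the report.
entropy_avail() {
    cat "${1:-/proc/sys/kernel/random/entropy_avail}" 2>/dev/null || echo "unknown"
}

# One-line summary; returns non-zero when rngd is fed from the kernel pool itself.
audit_rng() {
    conf="${1:-/etc/default/rng-tools}"
    src="$(rng_source "$conf")"
    kind="$(classify_source "$src")"
    echo "source=${src:-none} kind=$kind entropy_avail=$(entropy_avail "$2")"
    [ "$kind" != "kernel-pool-feedback" ]
}
```

Source the file and call audit_rng with no arguments to check the live configuration; a non-zero return means the entropy_avail figure should not be taken as evidence of fresh entropy.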