2010-07-11

Got Entropy?

Are you highly annoyed that generating GPG keys takes ages? Well, the problem is reasonably obvious: you don’t have enough ready-to-go entropy, so the kernel actually has to gather some while GPG generates the key… While GPG is one of the most common and visible use cases, entropy (randomness) is used for lots of things, particularly in cryptography.

So ideally we always want our entropy pool topped up, fed from a reliable source of true entropy. Some processors and chipsets have a built-in entropy generator; however, there aren’t many yet, so chances are your processor or chipset won’t have one. So meet the SimTec EntropyKey.

The nice thing about the EntropyKey is that all of the supporting software is open source, and it does not require weird, ill-maintained vendor kernel modules. And the best part is that it is quite affordable; I think it cost me about 50 EUR including shipping.

If you order one of these USB keys (they really look like a clumsy USB memory stick) and want to set everything up, you need to install the ekeyd package from the Ubuntu (Lucid) repositories; no third-party packages are needed. The ekeyd package includes udev rules that automatically recognize EntropyKeys and give them human-readable device nodes (you do need to reboot or reload udev for this to work):

  /dev/entropykey/M_3lUoWERuOdXDFR -> ../ttyACM0

You’ll note that the EntropyKey actually uses the generic ACM USB serial driver to talk to its userland tools. The default configuration file in the ekeyd package automatically recognizes all EntropyKeys set up by udev, so in theory multiple keys should work without changing the configuration file.

Now you can use the following commands to set up and initialize the EntropyKey:

  cat /proc/sys/kernel/random/entropy_avail
  432
  # sudo ekeydctl list
  NR,OK,Status,Path,SerialNo
  1,NO,Long-Term-Key is bad,/dev/entropykey/M_3lUoWERuOdXDFR,M/3lUoWERuOdXDFR

So we see that the device is not yet running properly; it still needs its Long-Term-Key, which is supplied in an envelope included with the EntropyKey. We tell ekeyd its Long-Term-Key like so:

  # sudo ekey-rekey M/3lUoWERuOdXDFR AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

So finally we can check the EntropyKey’s status again:

  # sudo ekeydctl list
  NR,OK,Status,Path,SerialNo
  1,YES,Running OK,/dev/entropykey/M_3lUoWERuOdXDFR,M/3lUoWERuOdXDFR
  cat /proc/sys/kernel/random/entropy_avail
  3968

You’ll note that the available entropy has significantly increased, and the EntropyKey should constantly replenish this pool, making sure you never run out of entropy.
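A small health check for this setup, as an added example that is not part of the original post: it parses the CSV that `ekeydctl list` prints (NR,OK,Status,Path,SerialNo) and compares a reading of entropy_avail against a low-water mark, so you notice when a key drops back to a state like "Long-Term-Key is bad" and stops feeding the pool. The LOW_WATER threshold and the sample records are constructed assumptions, the records being copied from the listings above.

```sh
#!/bin/sh
# Added example, not from the original post: health check for an EntropyKey
# fed through ekeyd. It parses the CSV that `ekeydctl list` prints
# (NR,OK,Status,Path,SerialNo) and a reading of the kernel's entropy_avail.
# The sample records below are constructed from the post's own output.

# check_ekeys: read ekeydctl-style CSV on stdin, print one line for every
# key whose OK column is not YES, and return 1 if any such key exists.
# Assumes the fields themselves contain no commas.
check_ekeys() {
    bad=$(while IFS=, read -r nr ok status path serial; do
        [ "$nr" = "NR" ] && continue          # header line
        [ -z "$nr" ] && continue              # blank line
        [ "$ok" != "YES" ] && printf 'key %s (%s): %s\n' "$nr" "$serial" "$status"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# entropy_ok THRESHOLD AVAIL: succeed when AVAIL, a reading of
# /proc/sys/kernel/random/entropy_avail, is at least THRESHOLD bits.
# Returns 2 when AVAIL is not a number (file unreadable, wrong OS).
entropy_ok() {
    case $2 in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$2" -ge "$1" ]
}

# Constructed samples: the post's "before rekey" and "after rekey" listings.
SAMPLE_BAD='NR,OK,Status,Path,SerialNo
1,NO,Long-Term-Key is bad,/dev/entropykey/M_3lUoWERuOdXDFR,M/3lUoWERuOdXDFR'
SAMPLE_OK='NR,OK,Status,Path,SerialNo
1,YES,Running OK,/dev/entropykey/M_3lUoWERuOdXDFR,M/3lUoWERuOdXDFR'
LOW_WATER=1024   # assumed alert threshold; the post's pool went from 432 to 3968

# Live use on the host would be:
#   ekeydctl list | check_ekeys && entropy_ok "$LOW_WATER" "$(cat /proc/sys/kernel/random/entropy_avail)"
for sample in "$SAMPLE_BAD" "$SAMPLE_OK"; do
    if printf '%s\n' "$sample" | check_ekeys; then
        echo "all EntropyKeys running OK"
    else
        echo "EntropyKey needs attention (see the key listed above)"
    fi
done
```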
