Then please do not believe that blog post. Because /dev/urandom is not a source of entropy and can not be relied upon for any serious business. It is in a sense a consumer of entropy available from /dev/random, that does an expansion to provide pseudo random data even when there is no entropy to produce good random data.
@Jon Stevens: Crypto should not be messed with. Period. But your frustration is understandable. Developers do not intend to be hostile to novice users as you claim, but we have concerns that not all users will not be able to appreciate. rng-tools has a valid use case, but the workaround suggested in some comments to use /dev/urandom would scare the crap out of any cryptographer. I wish it is disallowed altogether. The most sensible suggestion comes from Alvaro in #25. Why hasn't there been more discussion on this? Security can't be compromised, but a better explanation to users doees no harm. I am skeptic of allowing a flag, it will be suggested as a workaround when it should not be, and users will follow the advice. Rather, only when being run interactively, the user can be prompted after a timeout if they want to reduce the key size and/or proceed with just the available entropy, since it is taking long to collect enough entropy. This option should be unavailable when being run non- interactively, since I don't see the need and IMO allowing it does more damage in the long run. On a sidenote, rng-tools should atleast spit out a warning when /dev/urandom is being used as a *HARDWARE* random number generator, which it is not. Does not prevent anyone from creating a new device node for urandom and using it, and circulating sequence of commands to be run to accomplish that, but all user stupidity can not be safeguarded against. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gnupg in Ubuntu. https://bugs.launchpad.net/bugs/706011 Title: gpg --key-gen doesn't have enough entropy and rng-tools install/start fails Status in gnupg package in Ubuntu: Confirmed Bug description: Binary package hint: gnupg Description: Ubuntu 10.04.1 LTS Release: 10.04 If you install gpg and then type: gpg --gen-key, it 'freezes up' during the entropy gathering phase. .... We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 278 more bytes) .... (freeze here) I found some reference on the interwebs suggesting to install rng- tools so that the rngd daemon can gather more entropy for the system because by default cat /proc/sys/kernel/random/entropy_avail has a very very low number. Thus, installation of rng-tools, fails to start the rngd daemon... Setting up rng-tools (2-unofficial-mt.12-1ubuntu3) ... Trying to create /dev/hwrng device inode... Starting Hardware RNG entropy gatherer daemon: (failed). invoke-rc.d: initscript rng-tools, action "start" failed. It is then required to do this: echo "HRNGDEVICE=/dev/urandom" >> /etc/default/rng-tools and then start rngd: /etc/init.d/rng-tools start After this process is done, gpg --gen-key is immediate... We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. .........+++++ ...+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++ .+++++ And cat /proc/sys/kernel/random/entropy_avail has a much higher number. All in all, I think this process should be simplified by maybe making gpg depend on rng-tools. The whole reason why I need to generate a gpg key is because I want to sign the .deb debians that I'm creating for my repository. Thanks for your time. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp