Increase entropy on a 2.6 kernel linux box
2013-03-15 17:35
806 views
Original source: http://www.chrissearle.org/blog/technical/increase_entropy_26_kernel_linux_box
A good source of entropy is needed for random number generation. This affects services that go via SSL, amongst other things.
However, in 2.6.x kernels the entropy sources of a system were reduced; as far as I can see it is now only fed by keyboard, mouse and some IRQ interrupts.
Why is this important? Well, there are two random number sources on Linux: /dev/random and /dev/urandom. /dev/random will block if there is nothing left in the entropy bit bucket. /dev/urandom uses the same bucket but will not block (it can reuse the pool of bits).
You can see how many bits of entropy you have available by looking in /proc/sys/kernel/random/entropy_avail (just cat it like a normal text file).
I normally had between 100 and 200, way, way too low for many SSL processes to work efficiently.
My server has no keyboard and no mouse, and I have no idea if the IRQ calls for my network driver pass the required flag to be considered.
So, what to do?
Most suggestions are around hardware generators or listening to ambient noise.
However, I have found that rng-tools, the tools used for dealing with hardware random number generators, can be pressed into a somewhat hacked service by making the system take /dev/urandom (the non-blocking one) as a hardware source to feed the bucket.
Process for Debian etch:
Install the package:
    apt-get install rng-tools
Edit /etc/default/rng-tools and set:
    HRNGDEVICE=/dev/urandom
Run:
    /etc/init.d/rng-tools start
This immediately gave me an entropy bucket averaging around 2000 and maxing out at over 4000.
This has meant that many services that were slow or were timing out are now working.
Note: I make no comment on how secure this is (some dislike the idea of /dev/urandom), or if it is a good idea; all I can say is that I can now use services that were blocking before.
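As an added example that is not part of the original post: a small POSIX shell audit that reads an rng-tools defaults file and an entropy_avail reading and flags the setup above, because once rngd feeds the pool from /dev/urandom the entropy_avail counter no longer says anything about fresh entropy. The function names and the 1000-bit threshold are my own assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit the rng-tools setup described in the post.
# Not part of the original post; function names and the threshold
# are assumptions, the sample files below are constructed.

# Print the HRNGDEVICE value from an rng-tools defaults file
# (assumes plain KEY=value lines as in the post; commented-out
# lines are ignored, the last assignment wins, quotes are stripped).
hrng_device() {
    sed -n 's/^[[:space:]]*HRNGDEVICE=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Classify the configured source:
#   selffeed - /dev/urandom or /dev/random: the kernel pool feeds itself
#   hardware - any other device path, e.g. a real /dev/hwrng
#   unset    - no HRNGDEVICE line present
classify_hrng() {
    case "$(hrng_device "$1")" in
        "")                       echo unset ;;
        /dev/urandom|/dev/random) echo selffeed ;;
        *)                        echo hardware ;;
    esac
}

# Classify an entropy_avail reading. The post saw 100-200 as too low
# and ~2000 as comfortable; the default threshold of 1000 is an assumption.
entropy_status() {
    if [ "$1" -lt "${2:-1000}" ]; then echo low; else echo ok; fi
}

# One-line verdict from a defaults file and an entropy_avail reading.
# Self-feeding is reported first: a high counter then says nothing
# about how much fresh entropy the pool actually received.
audit() {
    case "$(classify_hrng "$1"):$(entropy_status "$2")" in
        selffeed:*) echo "WARN pool fed from $(hrng_device "$1"); entropy_avail=$2 does not measure fresh entropy" ;;
        *:low)      echo "LOW entropy_avail=$2; readers of /dev/random may block" ;;
        *)          echo "OK entropy_avail=$2" ;;
    esac
}

# Constructed sample inputs standing in for /etc/default/rng-tools
# and /proc/sys/kernel/random/entropy_avail on three hosts.
demo_dir=$(mktemp -d)
printf 'HRNGDEVICE=/dev/urandom\n' > "$demo_dir/post_setup"
printf '#HRNGDEVICE=/dev/hwrng\nHRNGDEVICE="/dev/hwrng"\n' > "$demo_dir/real_hwrng"
: > "$demo_dir/no_rngd"
audit "$demo_dir/post_setup" 2000   # WARN ...
audit "$demo_dir/real_hwrng" 3000   # OK ...
audit "$demo_dir/no_rngd" 150       # LOW ...
rm -rf "$demo_dir"
```

On a live host, point the first argument at /etc/default/rng-tools and pass `$(cat /proc/sys/kernel/random/entropy_avail)` as the second.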