provide minimal cryptographic entropy with haveged
Many cryptographic algorithms rely critically on a source of good random numbers. These numbers are used to generate crypto keys, to produce unpredictable TCP sequence numbers, and for other things that help keep servers secure.
Servers that offer secure services such as https, imaps, pops, smtp with TLS, ssh, etc. and have lots of connections can often deplete the entropy pool faster than it is refilled. When this happens, services using /dev/random will block and introduce delays, while services using /dev/urandom will continue to receive numbers, but ones that are theoretically less secure and potentially delivered at a slower rate.
In virtual environments, entropy can quickly become a problem not only because you may have multiple machines virtualized on one host with a limited amount of entropy available, but also because virtualized hosts are often unable to gather their own entropy effectively, as they have no real “hardware” from which to measure it.
The built-in pool of random data on Linux (/dev/random) is of fixed size (just 4kB), which is limited. If an application tries to read from the pool and there is not enough data to satisfy its request, the application is blocked until enough entropy has been collected to satisfy the request, leading to delays in the delivery of services. It's possible to use a non-blocking random source (/dev/urandom), but this is considered a poor source of randomness and should not be relied on for strong cryptographic operations.
If you look at the graph attached to this issue, you will see very low entropy for the indicated machine. In fact, all LEAP machines that we are monitoring exhibit this low-entropy situation. You want the entropy to be about 10x this amount.
The entropy pool can be filled by a hardware entropy generator or by the software implementation haveged. It is better to use both so that their output can be mixed.
(from redmine: created on 2015-01-21, closed on 2015-01-27)
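An added example, not part of the original issue: a monitoring-style check that reads the kernel's entropy estimate from /proc/sys/kernel/random and reports it as a share of the pool size, so a starved machine shows up before services start blocking. The function name, the percentage thresholds and the output format are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: Nagios-style check of the kernel entropy estimate.
# entropy_status [DIR] [WARN_PCT] [CRIT_PCT]
#   DIR defaults to /proc/sys/kernel/random; passing another directory
#   lets the check run against constructed sample files.
#   WARN_PCT/CRIT_PCT are assumed thresholds (percent of poolsize), not
#   values taken from the original issue.
# Return codes follow the usual plugin convention:
#   0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
entropy_status() {
    dir="${1:-/proc/sys/kernel/random}"
    warn_pct="${2:-25}"
    crit_pct="${3:-5}"

    if [ ! -r "$dir/entropy_avail" ] || [ ! -r "$dir/poolsize" ]; then
        echo "ENTROPY UNKNOWN - cannot read $dir"
        return 3
    fi
    avail=$(cat "$dir/entropy_avail")
    pool=$(cat "$dir/poolsize")

    # Reject empty or non-numeric values before doing arithmetic on them.
    for v in "$avail" "$pool"; do
        case "$v" in
            ''|*[!0-9]*)
                echo "ENTROPY UNKNOWN - unexpected value '$v'"
                return 3 ;;
        esac
    done
    if [ "$pool" -eq 0 ]; then
        echo "ENTROPY UNKNOWN - poolsize is 0"
        return 3
    fi

    # Integer percentage of the pool the kernel currently credits as filled.
    pct=$(( avail * 100 / pool ))
    msg="$avail/$pool bits (${pct}%)"
    if [ "$pct" -le "$crit_pct" ]; then
        echo "ENTROPY CRITICAL - $msg"; return 2
    elif [ "$pct" -le "$warn_pct" ]; then
        echo "ENTROPY WARNING - $msg"; return 1
    fi
    echo "ENTROPY OK - $msg"
    return 0
}

# As a monitoring plugin: entropy_status; exit $?
```

Running the check before and after starting haveged on the same machine shows whether the daemon is actually keeping the pool topped up.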