Entropy, linux, and haveged

First, let’s define entropy for the non-geeky.

“A thermodynamic quantity representing the unavailability of a system’s thermal energy for conversion into mechanical work, often interpreted as the degree of disorder or randomness in the system.”

If you’re thinking “What?”, you’re not alone. Simply put, entropy in *nix is randomness collected by the operating system or an application for processes that require random data. For example, the Apache module mod_ssl uses entropy to secure sessions between the webserver and its users.

Here is where it gets interesting: a *nix operating system generates entropy from keyboard timings, mouse movements, and IDE (disk) timings. That’s fine for a desktop, but if your box is a server you generally don’t have, or require, physical access. That eliminates the ability to pull information from the keyboard and mouse, leaving your system with a single device from which to generate random data. Without those devices random data generation is slow, and many times can’t keep up with demand. The random *nix device is typically /dev/random, which, when exhausted, will block a program until it has gathered enough random data to fulfill the request.

A few solutions exist. One is to create IDE activity by reading data to /dev/null. Another is the creation of a pseudo-random pool, /dev/urandom, via the rng-tools package. This pseudo-device will not stop generating random data: it will use /dev/random until that is exhausted, then continue to generate random data using the last seed available, so the pseudo-random device is more specifically for the generation of random data where security is not an issue. A hardware solution can be purchased that will seed random data from a microphone like random.org, from the detection of ambient radiation, or from stray electrons like this USB device. The last solution is to use a system process that seeds entropy from the indirect effects of hardware events on hidden processor states (e.g. caches, branch predictors, memory translation tables, etc.). This daemon, haveged, available to Scientific Linux and CentOS users via the EPEL repo, implements the HAVEGE (HArdware Volatile Entropy Gathering and Expansion) algorithm.

If you want to see how much entropy you have available, run:

cat /proc/sys/kernel/random/entropy_avail

My system’s entropy floated around 120-150 bytes before haveged and filled up instantly after. Now, if you are security conscious, you will want to evaluate the results or, more appropriately, use a hardware generator.
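To watch the pool over time rather than reading it once (for instance before and after starting haveged), here is an added example script that is not part of the original post. It samples entropy_avail against the kernel’s poolsize and flags when the pool drops below a percentage threshold; the 25% threshold and 1-second interval are assumed defaults, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): sample the kernel's entropy pool
# and flag it when it drops below a percentage of the pool size. The /proc
# paths are the standard Linux ones; the 25% threshold and 1s interval are
# assumed defaults, not values from the post.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
POOLSIZE_FILE=/proc/sys/kernel/random/poolsize

# read_counter FILE: print the integer held in a /proc counter file, or 0 if
# the file is unreadable (e.g. on a non-Linux host), so callers never block.
read_counter() {
    if [ -r "$1" ]; then
        tr -dc '0-9' < "$1"
    else
        printf '0'
    fi
}

# entropy_status AVAIL POOLSIZE THRESHOLD_PCT: print "LOW" when the available
# entropy is below THRESHOLD_PCT percent of the pool, otherwise "OK".
entropy_status() {
    avail=$1; pool=$2; pct=$3
    [ "$pool" -gt 0 ] || pool=1          # avoid division by zero on odd hosts
    if [ $(( avail * 100 / pool )) -lt "$pct" ]; then
        printf 'LOW'
    else
        printf 'OK'
    fi
}

# watch_entropy [INTERVAL_SECONDS] [THRESHOLD_PCT]: print one timestamped line
# per sample until interrupted; run it, start haveged, and watch the pool refill.
watch_entropy() {
    interval=${1:-1}; pct=${2:-25}
    pool=$(read_counter "$POOLSIZE_FILE")
    while :; do
        avail=$(read_counter "$ENTROPY_FILE")
        printf '%s entropy_avail=%s poolsize=%s %s\n' \
            "$(date +%H:%M:%S)" "$avail" "$pool" \
            "$(entropy_status "$avail" "$pool" "$pct")"
        sleep "$interval"
    done
}

# Usage: source this file, then run   watch_entropy 1 25
```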