The officially official Devuan Forum!


#1 Yesterday 15:13:37

Altoid
Member
Registered: 2017-05-07
Posts: 1,902  

[SOLVED] Haveged and available entropy

Hello:

Disclaimer:
Reason for asking = a good deal (if not all) of this is over my head.

Not being sure about what to do about Excalibur, I have been having a look at various things related to security.
Yesterday I remembered haveged, checked that it was running and, recalling that I had set it a few years ago, checked the available entropy.

Turns out that it returned a value of 256.

But I recalled having changed it to a higher value (1024?) as suggested in various web pages.
A look at /etc/default/haveged revealed the present setting:

$ cat /etc/default/haveged
# Configuration file for haveged

# Options to pass to haveged:
# DAEMON_ARGS=" "
$ 

I checked the haveged service was running and the available entropy setting and poolsize:

$ cat /proc/sys/kernel/random/entropy_avail
256
$
$ cat /proc/sys/kernel/random/poolsize
256
$ 

But that was not what I recalled having set as per the recommendations at that time.
So I looked up web pages I had bookmarked and edited the file, uncommenting the setting and editing it to what I remembered (?).

$ cat /etc/default/haveged
# Configuration file for haveged

# Options to pass to haveged:
DAEMON_ARGS="-w 1024"
$ 

That would give me a value over 1000 which was the accepted minimum value at the time I set it up.

Then I stopped / restarted the service, checked that it was running and the available entropy setting and poolsize:

$ cat /proc/sys/kernel/random/entropy_avail
256
$
$ cat /proc/sys/kernel/random/poolsize
256
$ 

What was going on?

TL;DR
It seems that as of kernel 5.10.119, the value of 256 bytes has been hardcoded.
See this link:
https://unix.stackexchange.com/questions/704737

TL;DR:
As long as your computer doesn't suffer from not enough entropy ever, you're generating secure numbers.
Even just 256 entropy once before starting to get random numbers, and then 0 for the rest of the lifetime of your system would be OK!
Having 256 at any time is way more than ever necessary.

Right ...
Like I said at the start of this post, all this is over my head, reason why I am asking about it.

I do know that entropy is important, more in servers than desktops, but still important.
The "As long as your computer doesn't ... " bit does not mean much to me, more so in the context of all that is going on with Linux these past few years.

And yes, the "... 256 at any time is way more than ever necessary." bit did bring a smile to my face.

That said, I'd appreciate the opinion of those members who actually understand / have a grip on this stuff.

Best,

A.

Last edited by Altoid (Yesterday 15:16:31)
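An added example (mine, not from the thread or the haveged project) that scripts the checks Altoid ran above and interprets them against the kernel version the post cites as hardcoding 256. The /proc paths and /etc/default/haveged are the ones quoted in the post; RANDOM_DIR, HAVEGED_DEFAULT, FIXED_FROM and the verdict words are my names.

```shell
#!/bin/sh
# Added example: reproduce the poster's checks and interpret them.
FIXED_FROM=5.10.119                       # version the post cites
RANDOM_DIR="${RANDOM_DIR:-/proc/sys/kernel/random}"
HAVEGED_DEFAULT="${HAVEGED_DEFAULT:-/etc/default/haveged}"

# version_ge A B: return 0 if dotted numeric version A >= B, else 1.
version_ge() {
    _va="$1"; _vb="$2"
    while [ -n "$_va" ] || [ -n "$_vb" ]; do
        _x="${_va%%.*}"; _y="${_vb%%.*}"
        if [ "$_va" = "$_x" ]; then _va=""; else _va="${_va#*.}"; fi
        if [ "$_vb" = "$_y" ]; then _vb=""; else _vb="${_vb#*.}"; fi
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0
}

# haveged_watermark FILE: print the -w value from an uncommented DAEMON_ARGS
# line, or 0 when the option is absent or the line is commented out.
haveged_watermark() {
    _w=$(sed -n 's/^[[:space:]]*DAEMON_ARGS=.*-w[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
             "$1" 2>/dev/null | tail -n 1)
    echo "${_w:-0}"
}

# assess KERNEL AVAIL POOLSIZE WATERMARK: print one verdict token.
#   pinned  - kernel >= FIXED_FROM: entropy_avail is fixed at poolsize, so
#             restarting haveged with -w changes nothing (the post's observation)
#   ok      - older kernel, entropy_avail at or above the -w watermark
#   starved - older kernel, entropy_avail below the -w watermark
assess() {
    if version_ge "$1" "$FIXED_FROM"; then
        echo pinned
    elif [ "$2" -ge "$4" ]; then
        echo ok
    else
        echo starved
    fi
}

main() {
    kver=$(uname -r | sed 's/[^0-9.].*//')      # "5.10.0-26-amd64" -> "5.10.0"
    avail=$(cat "$RANDOM_DIR/entropy_avail")
    pool=$(cat "$RANDOM_DIR/poolsize")
    wm=$(haveged_watermark "$HAVEGED_DEFAULT")
    echo "kernel=$kver entropy_avail=$avail poolsize=$pool haveged_-w=$wm"
    echo "verdict: $(assess "$kver" "$avail" "$pool" "$wm")"
}
[ -r "$RANDOM_DIR/entropy_avail" ] && main
```

On the poster's system (256/256 after setting -w 1024 and restarting) the verdict is "pinned", which is exactly what the linked answer explains.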


#2 Yesterday 17:20:55

GNUser
Member
Registered: 2017-03-16
Posts: 577  

Re: [SOLVED] Haveged and available entropy

A haveged-inspired, entropy-generating algorithm has been part of the linux kernel since version 5.4, making haveged largely obsolete. There are only a few situations in which the haveged service may be useful, which are listed in the first link below.

References:
https://github.com/jirka-h/haveged/blob … /README.md
https://dev1galaxy.org/viewtopic.php?pid=48879#p48879


#3 Yesterday 18:27:59

g4sra
Member
Registered: 2018-12-12
Posts: 90  

Re: [SOLVED] Haveged and available entropy

I have removed haveged from several Devuan systems with no ill effects.
Haveged was made the default in the Debian distro to overcome performance issues after a change to systemd using random to create unique ids.
There was a bug report somewhere if anybody cares to follow up and search for it; of course, systemd was not at any point at fault.
Despite having restricted resources (CPU, memory), haveged was even carried forward onto the Raspberry Pi, which has a 'real' number generator and therefore can never run out of random numbers.

NB. for real randomness security use a Pi, not your £2K workstation.


#4 Yesterday 20:25:50

Altoid
Member
Registered: 2017-05-07
Posts: 1,902  

Re: [SOLVED] Haveged and available entropy

Hello:

GNUser wrote:

... part of the linux kernel since version 5.4, making haveged largely obsolete.

Yes, I came across that after posting my question.

GNUser wrote:

... few situations in which the haveged service may be useful ...

Yes, here the author makes a case of sorts:

jirka-h wrote:

... it's still useful. It can provide entropy early in the boot when /dev/random is not fully utilized.
On a fully booted system, it can be still used as an additional entropy source. It will insert entropy into the kernel every 60 seconds, thus diversifying your entropy sources.

The " ... diversifying your entropy sources." bit sounds good. Might as well keep it running.

g4sra wrote:

... for real randomness security use a Pi, not your £2K workstation.

Indeed ... 8^D
I could have never paid £2K for a workstation but I am quite sure that you are right, a Pi would work great.
That said, I think that what I need (like most desktop users) is the best randomness available without much ado or expense.

Can't find the post now, but it seems that haveged is not at all expensive to run so my guess is that between the kernel and the haveged service running, I may be properly covered, at least randomness-wise.
Time will tell.

Thank you both for your input.
Much obliged.

Best,

A.

