Difference between revisions of "Haveged"

From ArchWiki

Latest revision as of 08:49, 2 September 2016

Related articles: Rng-tools

The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.

Warning: The quality of the generated entropy is not guaranteed and is sometimes contested (see LCE: Do not play dice with random numbers, https://lwn.net/Articles/525459/, and Is it appropriate to use haveged as a source of entropy on virtual machines?, http://security.stackexchange.com/questions/34523/is-it-appropriate-to-use-haveged-as-a-source-of-entropy-on-virtual-machines). Use it at your own risk, or combine it with a hardware-based random number generator fed through rng-tools (see the #Alternative section).

Installation

Install the haveged package. Start and enable haveged.service.

List available entropy

If you are not sure whether you need haveged, run:

# cat /proc/sys/kernel/random/entropy_avail

This command shows the kernel's current estimate, in bits, of how much entropy your server has collected in its input pool. If it is rather low (<1000), you should probably install haveged. Otherwise, applications that read from /dev/random will block until enough entropy is available, which can, for example, result in slow WLAN throughput if your server is a Software access point.

You should use this command again to verify how much haveged boosted your entropy pool after the installation.
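The check-and-verify procedure above, as an added shell example (it is not part of the ArchWiki page and not part of the haveged project). The 1000-bit threshold is the page's own rule of thumb; the file path is parameterised so the classification can also be run against a captured sample instead of the live /proc file, and the service check degrades gracefully on hosts without systemd:

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: sample the kernel's entropy
# estimate, classify it against the page's 1000-bit rule of thumb, and
# report whether haveged.service is active, so the pool can be compared
# before and after enabling the service.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
POOLSIZE_FILE=/proc/sys/kernel/random/poolsize
THRESHOLD=1000

# entropy_avail [file]: print the current entropy estimate in bits.
# Defaults to the live kernel file; a sample file can be passed for testing.
entropy_avail() {
    cat "${1:-$ENTROPY_FILE}"
}

# poolsize: print the ceiling of the input pool (4096 bits on classic
# kernels) so an "ok" verdict can be read relative to the maximum.
poolsize() {
    cat "$POOLSIZE_FILE" 2>/dev/null || echo unknown
}

# entropy_verdict <bits>: "low" when under THRESHOLD, "ok" otherwise.
entropy_verdict() {
    if [ "$1" -lt "$THRESHOLD" ]; then
        echo low
    else
        echo ok
    fi
}

# haveged_state: active/inactive from systemd, or "unknown" where there is
# no systemctl (e.g. inside a container), without aborting the script.
haveged_state() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active haveged.service 2>/dev/null || echo inactive
    else
        echo unknown
    fi
}

# Stand-alone run: only sample the live pool when the /proc file exists.
if [ -r "$ENTROPY_FILE" ]; then
    bits=$(entropy_avail)
    echo "entropy_avail=$bits poolsize=$(poolsize) haveged=$(haveged_state)"
    case $(entropy_verdict "$bits") in
        low) echo "pool is under $THRESHOLD bits: try rng-tools with a hardware RNG first, then haveged" ;;
        ok)  echo "pool looks healthy; re-run after enabling haveged.service to see the difference" ;;
    esac
fi
```

Run it once before installing haveged and once after `systemctl enable --now haveged.service`; the second line should show a noticeably higher `entropy_avail`. Note that the figure is the kernel's estimate of the input it has been given, not a measurement of the quality of that input, which is exactly what the warning at the top of the page is about.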

Alternative

Unless you have a specific reason not to trust the hardware random number generator(s) on your system, try feeding them into the kernel pool with rng-tools first. Only if that turns out not to be enough (or if no hardware random number generator is available) fall back to Haveged.

Virtual machines

As discussed at Is it appropriate to use haveged as a source of entropy on virtual machines? (http://security.stackexchange.com/questions/34523/is-it-appropriate-to-use-haveged-as-a-source-of-entropy-on-virtual-machines), it is contested whether haveged provides quality entropy within a virtual environment. Haveged harvests timing jitter through the rdtsc instruction, which may be virtualized (trapped and emulated) by the hypervisor, resulting in lower-quality entropy. On some hypervisors it is possible to disable the virtualization of rdtsc, which would in theory allow haveged to provide higher-quality entropy.

To disable the virtualization of the rdtsc instruction in VMware ESXi, add the setting monitor_control.virtual_rdtsc = "FALSE" to the virtual machine's .vmx configuration file. VMware recommends the setting for use when performing measurements that require a precise source of real time in the virtual machine (see Timekeeping in VirtualMachines, http://www.vmware.com/files/pdf/Timekeeping-In-VirtualMachines.pdf).
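Editing the .vmx by hand is error-prone when the key is already present with another value. The following added shell example (not from the ArchWiki page, not VMware tooling) sets the page's monitor_control.virtual_rdtsc setting idempotently: an existing line for the key is replaced, duplicates are collapsed, and the key is appended only if absent. The sample .vmx content is constructed for the demonstration; the only VMware key it relies on is the one named on the page.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: idempotent key = "value"
# setter and getter for a VMware .vmx file. The .vmx format is one
# key = "value" pair per line; keys are dotted names.

# vmx_set <file> <key> <value>: replace the key's line if present
# (dropping any duplicate lines for the same key), else append it.
vmx_set() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp"
    awk -v k="$key" -v v="$value" '
        {
            name = $0
            sub(/[[:space:]]*=.*$/, "", name)   # strip "= value" to get the key
            if (name == k) {
                if (!done) { print k " = \"" v "\""; done = 1 }
                next                            # drop duplicates of the key
            }
            print
        }
        END { if (!done) print k " = \"" v "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# vmx_get <file> <key>: print the unquoted value of the first matching key.
vmx_get() {
    awk -v k="$2" '
        {
            name = $0
            sub(/[[:space:]]*=.*$/, "", name)
            if (name == k) {
                val = $0
                sub(/^[^=]*=[[:space:]]*/, "", val)
                gsub(/"/, "", val)
                print val
                exit
            }
        }
    ' "$1"
}

# Stand-alone demo on a constructed .vmx (edit the real file only while
# the VM is powered off; VMware rewrites the .vmx of a running VM).
demo=$(mktemp)
printf '%s\n' \
    '.encoding = "UTF-8"' \
    'displayName = "entropy-test"' \
    'monitor_control.virtual_rdtsc = "TRUE"' > "$demo"
vmx_set "$demo" monitor_control.virtual_rdtsc FALSE
echo "virtual_rdtsc is now: $(vmx_get "$demo" monitor_control.virtual_rdtsc)"
cat "$demo"
rm -f "$demo"
```

After powering the VM back on, re-run the entropy_avail check from above; the page only claims that the setting helps "in theory", and from inside the guest there is no direct way to confirm that rdtsc is no longer being trapped, so the before/after pool figure is the only practical evidence you will get.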

See also

* http://www.issihosts.com/haveged
* http://www.digitalocean.com/community/tutorials/how-to-setup-additional-entropy-for-cloud-servers-using-haveged