After my previous blog post, you should now be using SSH and Tor all the more often, but things are probably slow when you are trying to set up a secure connection with this method. This may well be due to your computer lacking a proper source of entropy to create secure cryptographic keys. You can check the entropy of your system with the following command:
$ cat /proc/sys/kernel/random/entropy_avail
This returns a number; hopefully it is above 3,000, because that is what is likely needed to keep up with your needs. So what do you do if it is not high enough? This article covers two tips to improve your computer's entropy. All examples in this guide are for Linux distributions that use systemd.
rngd is a tool designed to feed the system with more entropy from various sources. It is part of the rng-tools package. After installing it, the rngd service needs to be enabled and started; the following commands will do so:
$ systemctl enable rngd.service
$ systemctl start rngd.service
The Trusted Platform Module (TPM) has a hardware random number generator that can also be used to improve system entropy. If your system has a TPM, it will be available for rngd to use. Most modern computers come with a TPM these days; you can check whether your system has one with the following command:
$ lsmod |grep tpm
If this returns a result, you can enable rngd to use the TPM by doing the following:
$ modprobe tpm-rng
For a more permanent solution, do the following:
$ echo "tpm-rng" > /etc/modules-load.d/tpm.conf
Once this is done, find the location of the rngd configuration file by reading the service unit:
$ cat /etc/systemd/system/multi-user.target.wants/rngd.service
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon

[Service]
EnvironmentFile=/etc/conf.d/rngd
ExecStart=/usr/bin/rngd -f $RNGD_OPTS

[Install]
WantedBy=multi-user.target
The EnvironmentFile line shows where the options are read from. With this information, you can now modify /etc/conf.d/rngd so that it contains the following setting:
RNGD_OPTS="-o /dev/random -r /dev/hwrng"
Restart rngd.service and check the entropy on your system again. This should make setting up cryptographic keys slightly faster.
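To confirm that the steps above took effect, here is a small check script, added as an example and not part of the original post. It reads the entropy counter, the kernel's current hardware RNG driver, and the `-r` device in `RNGD_OPTS`. The sysfs path `/sys/class/misc/hw_random/rng_current`, the function names, and the `--live` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the rngd/TPM setup. File paths are arguments so each
# check can be pointed at a copy as well as the live system.

# entropy_status FILE [MIN]: "ok" if the integer in FILE >= MIN (default 3000,
# the article's figure), "low" if below, "unknown" if it cannot be read.
entropy_status() {
    min=${2:-3000}
    [ -r "$1" ] || { echo unknown; return 2; }
    val=$(tr -dc '0-9' < "$1")
    [ -n "$val" ] || { echo unknown; return 2; }
    if [ "$val" -ge "$min" ]; then echo ok; else echo low; return 1; fi
}

# hwrng_backend FILE: print the kernel's current hardware RNG driver
# (sysfs rng_current); fail if the file is missing or says "none".
hwrng_backend() {
    [ -r "$1" ] || return 2
    cur=$(tr -d '[:space:]' < "$1")
    [ -n "$cur" ] && [ "$cur" != none ] || return 1
    echo "$cur"
}

# rngd_source CONF: print the device given to -r/--rng-device in RNGD_OPTS.
rngd_source() {
    [ -r "$1" ] || return 2
    opts=$(sed -n 's/^[[:space:]]*RNGD_OPTS=//p' "$1" | tail -n 1 | tr -d "\"'")
    set -- $opts   # deliberate word splitting of the option string
    while [ $# -gt 0 ]; do
        case $1 in
            -r|--rng-device) echo "$2"; return 0 ;;
            --rng-device=*)  echo "${1#--rng-device=}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Run against the live paths only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "entropy: $(entropy_status /proc/sys/kernel/random/entropy_avail)"
    echo "hwrng:   $(hwrng_backend /sys/class/misc/hw_random/rng_current || echo none)"
    echo "rngd -r: $(rngd_source /etc/conf.d/rngd || echo 'not set')"
fi
```

If `rngd -r` prints something other than `/dev/hwrng`, or `hwrng` prints `none`, rngd is not drawing from the TPM even though the service is running.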