Thursday, 30 June 2011

Rng-Utils and Entropy RHEL6 style

I gave configuring DNSSEC a go last night but I had a bit of a problem. When I ran this command to create the key for my domain zone:
dnssec-keygen -a RSASHA1 -b 1024 -n ZONE domain
This was the result, for a while
Generating key pair.
It seemed to hang there. The problem turns out to be a lack of entropy, which can be checked with this:
cat /proc/sys/kernel/random/entropy_avail
73
It turns out that this is not good enough to generate a key, so the standard advice is to try to compile a kernel or generate some I/O work. Compiling a kernel was really not an option, so I tried to generate some I/O work but to no avail. After a googling for a bit I came across the rng daemon, which will generate a bit of entropy for you.
rngd -r /dev/urandom -o /dev/random -b
Now entropy in the system is:
cat /proc/sys/kernel/random/entropy_avail
3968
Which is enough to generate the key. Note that /dev/urandom is not truly random, as it will use SHA1 to generate random data when the entropy pool has been depleted, see this for a better explanation. However, this is good enough for my test system.

You need to install rng-tools in RHEL6 to use the rng daemon, note that it is no longer rng-utils.

3 comments:

  1. where i get installed the RNG'TOOLS??

    thanks

    BADBOY

    ReplyDelete
    Replies
    1. The package is called rng-tools (rng-tools-2-8.el6.x86_64) and is in the installation DVD.

      Delete
  2. Please note that you might see this error when starting rngd:

    Starting rngd: can't open entropy source(tpm or intel/amd rng)
    Maybe RNG device modules are not loaded

    If that happens, edit /etc/sysconfig/rngd and add the following:

    # Add extra options here
    EXTRAOPTIONS="-r /dev/urandom"

    ReplyDelete