I don't know if it's related but:

openssl dhparam -out dhparam.pem 4096

was taking forever on Amazon and was certainly faster on BitFolk.

Worth checking with/without entropy generators.

On Fri, Mar 18, 2016 at 1:46 PM, Andy Smith <andy@bitfolk.com> wrote:
Hi Robert,

On Fri, Mar 18, 2016 at 05:37:22PM +0000, Robert Gauld wrote:
> I wrote a simple script to log available entropy every 10 seconds and ran
> it for 36 hours. I had a maximum of 2043 and a minimum of 132, the graph
> being quite erratic.
> I suppose the question really is what's a sensible minimum level to be
> happy?

Not really; a key argument of the article
(http://www.2uo.de/myths-about-urandom/) is that measurements of
available entropy are meaningless, because (a) there is really no way to
know, and (b) the CSPRNG behind /dev/urandom can always provide you
more and you should be using that.

*Anything* that is reading from /dev/random is a concern because it
could potentially block.

So far it seems we are not finding anything now that uses
/dev/random, although I suspect that gpg may well still do so when
generating a new key. I haven't tested that yet.

It's looking like the entropy service wiki article at the very least
needs rewriting to stress:

- urandom is good enough; try to make your software use that

- don't configure this just because you measure a low entropy pool,
  do check exactly what software is blocking on /dev/random

- let us know what software that is


http://bitfolk.com/ -- No-nonsense VPS hosting
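
One way to do the check suggested in the message above (finding which software actually has /dev/random open), as an added example that is not part of the original thread. It assumes a Linux /proc layout; the function name `find_random_readers` and its optional proc-root argument are hypothetical, chosen for this illustration.

```shell
#!/bin/sh
# Added example: list processes that currently hold /dev/random open by
# walking /proc/<pid>/fd. Run as root to see other users' processes.
# The optional first argument (an assumption of this example) points the
# scan at a different root so it can be tried on a constructed tree.

find_random_readers() {
    proc_root="${1:-/proc}"
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Skip an unmatched glob and anything that is not an fd symlink.
        [ -L "$fd" ] || continue
        # The process may exit between the glob and the readlink.
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/random) ;;      # exact match: /dev/urandom never blocks
            *) continue ;;
        esac
        pid_dir=${fd%/fd/*}
        pid=${pid_dir##*/}
        comm=$(cat "$pid_dir/comm" 2>/dev/null || echo '?')
        # Output: PID, command name, descriptor number (tab separated).
        printf '%s\t%s\tfd=%s\n' "$pid" "$comm" "${fd##*/}"
    done
    return 0
}

# Scan the live system when the script is run directly.
find_random_readers "$@"
```

This only sees descriptors that are open at the moment of the scan, so a short-lived process such as a key generation has to be caught while it is running.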