Thursday, November 1, 2012

gpg - Not enough random bytes available - Best Solution



After issuing the command
  gpg --gen-key

while trying to generate a key pair using gpg, I got the message:


Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 280 more bytes)


BEST SOLUTION

After some searching on the web, I found different procedures and began testing them.

The one that really worked was the one using rng-tools, which was also the most practical solution.
A tutorial to set up rng-tools can be found at:
http://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny

The gpg command started working without failures and remained stable.

I've created a summary with additional information on the alternative solutions, described below, in case it is useful in some way.

Unfortunately, the alternative solutions using  ls / -R  or  find / > /dev/null  and the  --no-use-agent  flag were not always successful.
I had some successes but also failures, using the same environment and procedures. So far, I've discarded them for professional usage, but they can be worth attempting if you have no rights to install packages on the target environment and need a temporary solution during an emergency.



ALTERNATIVE SOLUTIONS

Go to terminal and check your entropy:
  watch cat /proc/sys/kernel/random/entropy_avail

You'll get real-time feedback as an entropy number.
The bigger, the better.
Lower system activity means a lower entropy number.

GPG requires high entropy.


Go to a second shell and start the following command:
  ls / -R


Leave it running.

Return to the prior terminal - the entropy should be increasing.

Keep the ls command running.


Go to a third terminal to generate the key pair using this command:
   gpg --gen-key --no-use-agent

That's it. Done.
But...


Why the --no-use-agent flag?

Checking man (man gpg), you see:

       --no-use-agent
              Try to use the GnuPG-Agent.  With this option, GnuPG first tries
              to connect to the agent before it asks for a  passphrase.  --no-
              use-agent disables this option.


       --gpg-agent-info
              Override    the    value    of    the    environment    variable
              'GPG_AGENT_INFO'. This is only used when --use-agent  has  been
              given.   Given  that this option is not anymore used by gpg2, it
              should be avoided if possible.


Probably this issue is already fixed in newer versions.
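
The manual steps above (watching entropy_avail in one terminal, then running gpg in another) can be scripted so that key generation only starts once the kernel's estimate is high enough. This is an added example, not part of the original post; the RANDOM_DIR variable, the function names and the 2000-bit threshold in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: wait for the kernel entropy estimate before running gpg --gen-key.
# Usage (threshold and timeout are assumed values):
#   . ./entropy_wait.sh && wait_for_entropy 2000 60 && gpg --gen-key

# Directory holding entropy_avail and poolsize; overridable for testing.
RANDOM_DIR="${RANDOM_DIR:-/proc/sys/kernel/random}"

# Print the current entropy estimate in bits; return 2 if it cannot be read.
entropy_now() {
    val=$(cat "$RANDOM_DIR/entropy_avail" 2>/dev/null) || return 2
    case "$val" in
        ''|*[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$val"
}

# Clamp the requested threshold to the pool size, so that a request larger
# than the pool can ever hold does not make the wait run until timeout.
effective_threshold() {
    want=$1
    pool=$(cat "$RANDOM_DIR/poolsize" 2>/dev/null) || pool=$want
    case "$pool" in
        ''|*[!0-9]*) pool=$want ;;
    esac
    if [ "$want" -gt "$pool" ]; then
        want=$pool
    fi
    printf '%s\n' "$want"
}

# wait_for_entropy BITS TIMEOUT_SECONDS
# Returns 0 once entropy_avail >= BITS, 1 on timeout, 2 if the value is unreadable.
wait_for_entropy() {
    need=$(effective_threshold "$1")
    left=$2
    while :; do
        have=$(entropy_now) || return 2
        if [ "$have" -ge "$need" ]; then
            return 0
        fi
        if [ "$left" -le 0 ]; then
            return 1
        fi
        sleep 1
        left=$((left - 1))
    done
}
```

A return code of 1 means the pool did not fill within the timeout, which is the situation where installing rng-tools, as described in BEST SOLUTION, is the more reliable route.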



If you need to generate more entropy, try this:

- using the find command in another way:
  http://michaelheap.com/not-enough-random-bytes-available-gpg-signing/
- using the stress tool from:
  http://packages.debian.org/squeeze/stress
  suggested by:
  http://stackoverflow.com/questions/12257653/pgp-not-enough-random-bytes-available-please-do-some-other-work-to-give-the-o



If this procedure still fails, there is also an interesting procedure using rng-tools at:

https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011


To check your gpg version:
  gpg --version


The information compiled here was based on several posts, among them:

http://avinashpillai.blogspot.com/2011/12/gpg-keygen-not-enough-random-bytes.html
http://stackoverflow.com/questions/11708334/pgp-asymmetric-not-enough-random-bytes-available-please-do-some-other-work-to
http://stackoverflow.com/questions/12257653/pgp-not-enough-random-bytes-available-please-do-some-other-work-to-give-the-o
http://michaelheap.com/not-enough-random-bytes-available-gpg-signing/
https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011

1 comment:

  1. Install the haveged program. It will fill up /dev/random.
