This document details the process of generating entropy using the Intel rdrand instruction built into certain Intel CPUs.
Entropy is the randomness of the data used when an application or operating system performs cryptography; an example would be SSL connections to your web server.
Verify CPU Supports the rdrand Instruction
In this section we will verify that the CPU supports the rdrand instruction.
Step 1 – First grep the /proc/cpuinfo file to verify that the CPU supports the rdrand instruction. (Running echo $? as the last stage of a pipeline would report the status of the command before the pipeline rather than of grep, so grep's exit status is printed in a separate command.)

```shell
# Exit status 0 means the rdrand flag was found in /proc/cpuinfo.
grep -qi rdrand /proc/cpuinfo; echo $?
```

The result should be 0 if your CPU supports the rdrand instruction.
Check Current Entropy Value
In this section we will verify the current entropy value.
Step 1 – Check the current entropy value by using cat to view /proc/sys/kernel/random/entropy_avail.

```shell
cat /proc/sys/kernel/random/entropy_avail
```

The result should be between 3000 and 3200.
Add kernel Entries to sysctl.conf File
In this section we will add the required kernel entries to the /etc/sysctl.conf file.
Step 1 – First we will use sed to remove any previous entries of kernel.random.read_wakeup_threshold and kernel.random.write_wakeup_threshold in the /etc/sysctl.conf file.

```shell
# -i with a suffix makes sed keep a timestamped copy of the file before editing it in place.
sed -i-$(date '+%Y.%m.%d.%H%M%S') -e '/kernel.random.read_wakeup_threshold/d' -e '/kernel.random.write_wakeup_threshold/d' /etc/sysctl.conf
```

Step 2 – Next backup the /etc/sysctl.conf file.

```shell
cp /etc/sysctl.conf /etc/sysctl.conf-$(date '+%Y.%m.%d.%H%M%S')
```

Step 3 – Next append the entries kernel.random.read_wakeup_threshold = 2048 and kernel.random.write_wakeup_threshold = 3072 to the /etc/sysctl.conf file.

```shell
echo "# Add support for intel rdrand to provide hardware entropy." >> /etc/sysctl.conf
echo "kernel.random.read_wakeup_threshold = 2048" >> /etc/sysctl.conf
echo "kernel.random.write_wakeup_threshold = 3072" >> /etc/sysctl.conf
```

Step 4 – Next we will use sysctl to load the new kernel parameters.

```shell
sysctl -p
```
Install and Configure rngd Service
Step 1 – First install rng-tools using yum.

```shell
yum install rng-tools -y
```

Step 2 – Next we will add the additional parameters to the /etc/sysconfig/rngd file to enable support for rdrand.

```shell
# The first echo overwrites the file (>), the second appends to it (>>).
echo "# Add extra options here" > /etc/sysconfig/rngd
echo "EXTRAOPTIONS=\"--rng-device=drng --no-tpm=1\"" >> /etc/sysconfig/rngd
```

Step 3 – Next we will start the rngd service.

```shell
service rngd start
```

Step 4 – Next we will configure the rngd service to start at boot.

```shell
chkconfig rngd on
```
Verify New Entropy Level
Step 1 – Check the entropy value again by viewing /proc/sys/kernel/random/entropy_avail.

```shell
cat /proc/sys/kernel/random/entropy_avail
```

The result should be 4096.
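The following audit script is an added example, not part of the original article: it checks the three things the procedure above configures (the rdrand CPU flag, the two sysctl thresholds, and the current entropy_avail value) so the result can be verified in one pass after the steps are applied. The file paths are parameters that default to the live /proc and /etc files; the sample files it creates are constructed here purely so the helpers can be run offline.

```shell
#!/bin/sh
# Added audit helpers (not from the original article). They check the pieces the
# article configures: the rdrand CPU flag, the two sysctl thresholds and the
# current entropy_avail. File paths are parameters so the same functions run
# against the live /proc and /etc files or against the constructed samples below.

# Return 0 if the cpuinfo file lists the rdrand flag, 1 otherwise.
cpu_supports_rdrand() {
    grep -qiw rdrand "${1:-/proc/cpuinfo}"
}

# Print the last uncommented value set for a sysctl key in a sysctl.conf file;
# prints nothing if the key is absent. (Dots in the key match any character,
# which is close enough for the kernel.random.* keys used here.)
sysctl_conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$2" | tail -n 1
}

# The thresholds the article sets must be present and consistent: read_wakeup
# below write_wakeup, and write_wakeup no larger than the pool size (4096 bits
# on the kernels the article targets). Prints OK/FAIL, returns 0/1.
check_thresholds() {
    conf="${1:-/etc/sysctl.conf}"; poolsize="${2:-4096}"
    r=$(sysctl_conf_value kernel.random.read_wakeup_threshold "$conf")
    w=$(sysctl_conf_value kernel.random.write_wakeup_threshold "$conf")
    if [ -z "$r" ] || [ -z "$w" ]; then echo "FAIL: threshold missing in $conf"; return 1; fi
    if [ "$r" -ge "$w" ] || [ "$w" -gt "$poolsize" ]; then
        echo "FAIL: read=$r write=$w poolsize=$poolsize"; return 1
    fi
    echo "OK: read=$r write=$w"
}

# Classify entropy_avail against the write_wakeup threshold: below it, rngd
# should be refilling the pool, so a persistently low reading means rngd is
# not running or has no working source.
entropy_state() {
    avail=$(cat "${1:-/proc/sys/kernel/random/entropy_avail}")
    if [ "$avail" -lt "${2:-3072}" ]; then echo "low ($avail)"; return 1; fi
    echo "ok ($avail)"
}

# Constructed sample inputs so the helpers can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
printf 'flags\t\t: fpu vme sse2 aes rdrand\n' > "$SAMPLE_DIR/cpuinfo"
printf 'flags\t\t: fpu vme sse2 aes\n' > "$SAMPLE_DIR/cpuinfo_old"
printf '# Add support for intel rdrand to provide hardware entropy.\nkernel.random.read_wakeup_threshold = 2048\nkernel.random.write_wakeup_threshold = 3072\n' > "$SAMPLE_DIR/sysctl.conf"
printf 'kernel.random.read_wakeup_threshold = 3072\nkernel.random.write_wakeup_threshold = 2048\n' > "$SAMPLE_DIR/sysctl_bad.conf"
echo 4096 > "$SAMPLE_DIR/entropy_avail"; echo 150 > "$SAMPLE_DIR/entropy_low"
cpu_supports_rdrand "$SAMPLE_DIR/cpuinfo" && echo "rdrand: supported"
check_thresholds "$SAMPLE_DIR/sysctl.conf"; entropy_state "$SAMPLE_DIR/entropy_avail"
```

To audit a live system, call the functions with no arguments (or with the pool size from /proc/sys/kernel/random/poolsize as the second argument to check_thresholds).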