netrng
Setting up the Raspberry Pi as an entropy server
The Raspberry Pi has a hardware random number generator. Quick testing shows it can provide sufficient entropy to read from /dev/random at around 35kB/s.
- Build the bcm2708-rng kernel driver (required on at least raspbmc):
  sudo su -
  apt-get install build-essential bc gcc make
  cd /tmp
  wget http://www.mirrorservice.org/sites/raspbmc.com/downloads/bin/kernel/linux-headers-latest.deb.gz
  mkdir x
  dpkg-deb -x linux-headers-latest.deb.gz x
  mv -v x/usr/src/linux-headers-$(uname -r)/Module.symvers /usr/src
  cd /usr/src
  # Fetch the rpi kernel branch matching the running kernel (e.g. 3.12.31 -> rpi-3.12.y)
  gKernel=$(uname -r | sed 's/[0-9]*$/y/')
  wget --no-check-certificate https://github.com/raspberrypi/linux/archive/rpi-$gKernel.tar.gz
  tar xzf rpi-*.tar.gz
  mv linux-rpi-*y rpi-linux
  cd rpi-linux/
  make mrproper
  # Start from the running kernel's config so the module matches it
  zcat /proc/config.gz > .config
  sed -i 's/CONFIG_CROSS_COMPILE.*/CONFIG_CROSS_COMPILE=""/' .config
  apt-get install ncurses-dev
  make menuconfig   # Enable HW_RANDOM and HW_RANDOM_BCM2708
  cp /usr/src/Module.symvers .
  make modules SUBDIRS=drivers/char/hw_random/
  modprobe hwrng_register
  insmod drivers/char/hw_random/rng-core.ko
  insmod drivers/char/hw_random/bcm2708-rng.ko
  # Install the module for the running kernel (adjust 3.12.31 to match uname -r)
  mkdir -p /lib/modules/3.12.31/kernel/drivers/char/hw_random/
  cp drivers/char/hw_random/bcm2708-rng.ko /lib/modules/3.12.31/kernel/drivers/char/hw_random/
  depmod -a   # so the module can be loaded by name from /etc/modules on boot
- Install and start rngd to populate the local system's entropy pool from the hardware RNG:
  sudo apt-get install rng-tools
  sudo bash -c 'echo "bcm2708-rng" >> /etc/modules'
  sudo initctl start rngd
- Install NetRNG on both clients and the server:
  sudo apt-get install git python-virtualenv python-dev
  git clone https://github.com/infincia/NetRNG.git
  sudo mv NetRNG /opt
  cd /opt/NetRNG/
  git fetch --tags origin
  git checkout -b v0.1 v0.1
  virtualenv /opt/NetRNG/env
  source /opt/NetRNG/env/bin/activate
  pip install -r /opt/NetRNG/requirements.txt
  sudo cp netrng.conf.upstart /etc/init/netrng.conf
  sudo cp netrng.conf.sample /etc/netrng.conf
- Start the NetRNG server on the Raspberry Pi:
  sudo initctl start netrng
Setting up an entropy client
- Install and run the NetRNG client on each network machine:
  sudo vim /etc/netrng.conf   # Set mode = client, and the server IP address
  sudo initctl start netrng
- Verify it's working:
  # Whenever the pool drops to 128 it should very quickly be refilled
  watch -n 0.1 cat /proc/sys/kernel/random/entropy_avail
  # For extra fun, try this both with and without netrng running:
  cat /dev/random | pv -bart > /dev/null
  # For me this measures 13KB/s with netrng running
  # but only small numbers of B/s rapidly dropping towards zero with netrng stopped
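The two commands above have to be watched by eye in separate terminals. The script below, an added example that is not part of NetRNG or of this page, does the same measurement in one go: it drains the random device for a few seconds while polling entropy_avail, then reports the drain rate and the lowest pool level seen, so a run with netrng and a run without it can be compared by number. The device and pool-file paths are parameters (assumed names of this example) so it can also be exercised against /dev/urandom and a constructed pool file.

```shell
#!/bin/sh
# Added example, not part of NetRNG or the original page: drain the random device
# for a few seconds while sampling the kernel's entropy estimate, then report the
# drain rate and the lowest pool level observed. DEVICE and POOLFILE are parameters
# so the same function can be run against /dev/urandom and a constructed pool file.
measure_refill() {
    device=$1 poolfile=$2 seconds=$3
    bytesfile=$(mktemp)
    # Reader: pull from the device for $seconds and count the bytes that came out.
    ( timeout "$seconds" cat "$device" | wc -c > "$bytesfile" ) &
    reader=$!
    min=
    # Sampler: poll the entropy estimate ten times a second while the reader runs.
    while kill -0 "$reader" 2>/dev/null; do
        cur=$(cat "$poolfile")
        if [ -z "$min" ] || [ "$cur" -lt "$min" ]; then min=$cur; fi
        sleep 0.1
    done
    wait "$reader"
    bytes=$(cat "$bytesfile")
    rm -f "$bytesfile"
    # Output: "<bytes per second> <lowest entropy_avail seen>"
    echo "$((bytes / seconds)) ${min:-0}"
}

# Verdict for the page's criterion: while being drained, the pool should be refilled
# before it falls much below the 128 level the watch command above looks for.
refill_holds() {
    [ "$1" -ge 128 ]
}

# Stand-alone use on a real system (run once with and once without netrng):
if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    set -- $(measure_refill /dev/random /proc/sys/kernel/random/entropy_avail 3)
    echo "drain rate: $1 B/s, lowest entropy_avail: $2"
    if refill_holds "$2"; then echo "refill keeps up"; else echo "pool starved"; fi
fi
```

This measures the same thing the page's watch/pv pair shows, but only on kernels of the era the page targets: from Linux 5.6 onward /dev/random no longer blocks once the CRNG is seeded, and recent kernels report a constant 256 in entropy_avail, so the drop-and-refill pattern is not observable there and a low drain rate no longer indicates an empty pool.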
Systemd unit file
For systems that use systemd instead of upstart, use the following service definition:
- /etc/systemd/system/netrng.service
  [Unit]
  Description=NetRNG Entropy Client
  # network.target added so the client is not started before networking is up
  After=syslog.target network.target

  [Service]
  Type=simple
  ExecStart=/opt/NetRNG/env/bin/python /opt/NetRNG/netrng.py
  User=root

  [Install]
  WantedBy=multi-user.target
Future Improvements?
- Currently the random data is sent over the network in cleartext, which is not ideal. Stunnel or some kind of VPN would fix that; alternatively, the netrng source code could be patched to use an encrypted socket connection.
- A puppet module to manage the installation and configuration of the client and server parts.
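To illustrate the stunnel option from the first point, here is a pair of stunnel configurations that wrap the NetRNG connection in mutual TLS. This is an added example, not part of NetRNG or of this page: NETRNG_PORT (the port netrng.py listens on), NETRNG_TLS_PORT, PI_IP_ADDRESS and the certificate paths are placeholders to fill in, and the certificates are assumed to come from a small private CA of your own. Besides stopping eavesdropping, this addresses the point that matters more for an entropy feed: with verify = 2 on the client, no other host on the network can pose as the server and supply data that the client would credit as entropy.

```ini
; --- /etc/stunnel/netrng-server.conf, on the Raspberry Pi ---
; Global options come before the first service section.
; pi.pem holds the Pi's certificate and private key; netrng-ca.pem is the
; private CA that signed every client certificate.
cert   = /etc/stunnel/pi.pem
CAfile = /etc/stunnel/netrng-ca.pem
; verify = 2: require a client certificate and verify it against CAfile,
; so only enrolled clients can draw entropy.
verify = 2

[netrng]
; NETRNG_TLS_PORT: placeholder, the TLS port exposed to clients
accept  = 0.0.0.0:NETRNG_TLS_PORT
; NETRNG_PORT: placeholder, the plain port netrng.py listens on locally
connect = 127.0.0.1:NETRNG_PORT

; --- /etc/stunnel/netrng-client.conf, on each client machine ---
client = yes
cert   = /etc/stunnel/client.pem
CAfile = /etc/stunnel/netrng-ca.pem
; verify = 2 on the client side rejects any server not signed by the private CA.
verify = 2

[netrng]
; The NetRNG client is pointed at this loopback port in /etc/netrng.conf.
accept  = 127.0.0.1:NETRNG_PORT
; PI_IP_ADDRESS: placeholder, the Raspberry Pi's address
connect = PI_IP_ADDRESS:NETRNG_TLS_PORT
```

With stunnel running on both sides, the client's /etc/netrng.conf names 127.0.0.1 as the server address instead of the Pi. On the Pi, the plain NetRNG port should not remain reachable from the network: bind it to loopback if netrng.conf allows that (an assumption; the option is not described on this page), otherwise restrict it with the host firewall so that the TLS port is the only way in.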
netrng.txt · Last modified: by ben