I have been trying to generate a private key on a relatively fresh Manjaro install. The process gets stuck at the infamous “Generate enough entropy” message.
Whatever I try, the prime key generation hangs forever; I let it run for a few hours once just to make sure.
There are a lot of posts and tutorials about this. Many suggest `haveged`, `rng-tools` or using commands like `find` or `cat /dev/urandom` (which, by the way, forced me to do a hard reboot; I do not recommend).
I did not try `haveged` because the ArchWiki page recommends (haveged page) using `rng-tools`. I tried the ArchWiki (rng-tools page) testing commands for `rngd`:
- `rngtest -c 1000 </dev/random` ends up with two failures, which is fine according to the wiki page
- `dd if=/dev/random of=/dev/null bs=1024 count=1 iflag=fullblock` outputs exactly what the wiki page suggests for a successful test
- `sudo rngd -f`, on the other hand, fails to initialize `pkcs11`:
Initializing available sources
[hwrng ]: Initialized
[rdrand]: Enabling RDSEED rng support
[rdrand]: Initialized
[jitter]: JITTER timeout set to 5 sec
[jitter]: Initializing AES buffer
[jitter]: Unable to obtain AES key, disabling JITTER source
[jitter]: Initialization Failed
[pkcs11]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
[pkcs11]: Initialization Failed
[rtlsdr]: Initialization Failed
I checked with `pacman`; all related `pkcs` packages seem to be installed:
core/libp11-kit 0.25.0-1 [installed]
Loads and enumerates PKCS#11 modules (library)
core/p11-kit 0.25.0-1 [installed]
Loads and enumerates PKCS#11 modules
core/p11-kit-docs 0.25.0-1
Loads and enumerates PKCS#11 modules (documentation)
extra/gnupg-pkcs11-scd 0.10.0-2 [installed]
Smart-card daemon to enable the use of PKCS#11 tokens with GnuPG
extra/haskell-rsa 2.4.1-207
Implementation of RSA, using the padding schemes of PKCS#1 v2.1.
extra/libp11 0.4.12-2 [installed]
A library implementing a small layer on top of the PKCS11 API
extra/pkcs11-helper 1.29.0-2 [installed]
A library that simplifies the interaction with PKCS11 providers for end-user
applications using a simple API and optional OpenSSL engine
extra/python-python-pkcs11 0.7.0-6
PKCS#11/Cryptoki support for Python
extra/softhsm 2.6.1-4
Software PKCS#11 store
extra/tpm2-pkcs11 1.9.0-1
PKCS#11 interface for Trusted Platform Module 2.0 hardware
multilib/lib32-p11-kit 0.25.0-1
Loads and enumerates PKCS#11 modules (32-bit library)
I tried running a gpg key generation while:
- running `rngd -f` in another terminal,
- starting the rngd systemd service,
- running commands like `cat /dev/urandom`,
Out of despair, I tried installing `haveged`, but the systemd service fails to start with the following error:
Entropy Daemon based on the HAVEGE algorithm was skipped because of an unmet condition check (ConditionKernelVersion=<5.6)
My kernel version is indeed `6.1.44-1-MANJARO (64-bit)`.
Finally, what comes up in every post I read is to run `cat /proc/sys/kernel/random/entropy_avail` to see how much entropy is available on your system. Since the start of my many attempts to raise that number, the output is invariably (and dishearteningly) `256`.
Based on what I understood from the wikis and posts, it is not only about successfully generating a key but generating qualitative entropy so the generated keys are secure.
So I am not looking for a shortcut, but a “good” solution, as the ArchWiki states for example that running `rngd -o /dev/random -r /dev/urandom` is pointless, and I came across this advice a lot. I tried it anyway, and guess what? Still `256`, and gpg (or gpg2 btw) still hanging forever.
Thanks in advance for any advice, I most definitely need some help at this point.
PS: Sorry for the esthetics, I cannot include links.