How to quickly generate (insecure) GPG keys

gpgrandomtesting

I'd like to automate generating at least two GPG keys for testing and demonstration purposes in a virtual machine. Because of this context I want to make sure the key generation is fast, ideally not using or modifying /dev/*random at all. For example, using the system clock as the only random source would be fine:

$ gpg --quick-gen-key 'alice' [options] --random-data $(date +%s)
$ sleep 2
$ gpg --quick-gen-key 'bob' [options] --random-data $(date +%s)

I haven't been able to find any options like this. There's -quick-random and --debug-quick-random which are not in the man page, seem to be supported by gpg, and just don't work. These commands, for example, ran for several minutes before I killed them:

$ gpg --batch --debug-quick-random --passphrase 'alice' --quick-gen-key 'alice@example.org'
$ gpg --batch -quick-random --passphrase 'alice' --quick-gen-key 'alice@example.org'

Using gpg (GnuPG) 2.1.2.

Best Answer

You can temporarily have /dev/random pull from /dev/urandom using rng-tools:

# rngd -v -f -r /dev/urandom

More information here: https://madebits.github.io/#blog/2014/2014-05-30-Making-dev-random-Temporary-Faster.md

Related Solutions

RSA 2048 keypair generation: via openssl 0.5s via gpg 30s, why the difference

GnuPG consumes several bytes from /dev/random for each random byte it actually uses. You can easily check that with this command:

start cmd:> strace -e trace=open,read gpg --armor --gen-random 2 16 2>&1 | tail
open("/etc/gcrypt/rngseed", O_RDONLY)   = -1 ENOENT (No such file or directory)
open("/dev/urandom", O_RDONLY)          = 3
read(3, "\\\224F\33p\314j\235\7\200F9\306V\3108", 16) = 16
open("/dev/random", O_RDONLY)           = 4
read(4, "/\311\342\377...265\213I"..., 300) = 128
read(4, "\325\3\2161+1...302@\202"..., 172) = 128
read(4, "\5[\372l\16?\...6iY\363z"..., 44) = 44
open("/home/hl/.gnupg/random_seed", O_WRONLY|O_CREAT, 0600) = 5
cCVg2XuvdjzYiV0RE1uzGQ==
+++ exited with 0 +++

In order to output 16 bytes of high-quality entropy GnuPG reads 300 bytes from /dev/random.

This is explained here: Random-Number Subsystem Architecture

Linux stores a maximum of 4096 bytes (see cat /proc/sys/kernel/random/poolsize) of entropy. If a process needs more than available (see cat /proc/sys/kernel/random/entropy_avail) then the CPU usage becomes more or less irrelevant as the feeding speed of the kernel's entropy pool becomes the relevant factor.

Linux – Adding Random Number Entropy for GPG Keys

There is a grain of truth to this, in fact more truth than myth, but nonetheless the statement reflects a fundamental misunderstanding of what's going on. Yes, moving the mouse while generating a key with GPG can be a good idea. Yes, moving the mouse contributes some entropy that makes random numbers random. No, moving the mouse does not make the key more secure.

All good random generators suitable for cryptography, and Linux's is in that category, have two components:

An entropy source, which is non-deterministic. The purpose of the entropy is to bootstrap the random number generator with unpredictable data. The entropy source must be non-deterministic: otherwise, an adversary could reproduce the same computation.
A pseudorandom number generator, which produces unpredictable random numbers in a deterministic fashion from a changing internal state.

Entropy has to come from a source that is external to the computer. The user is one source of entropy. What the user does is mostly not random, but the fine timing of keystrokes and mouse movements is so unpredictable as to be slightly random — not very random, but little by little, it accumulates. Other potential sources of entropy include the timing of network packets and camera or microphone white noise. Different kernel versions and configurations may use a different set of sources. Some computers have dedicated hardware RNG circuits based on radioactive decay or, less impressively, unstable electronic circuits. These dedicated sources are especially useful in embedded devices and servers which can have pretty predictable behavior on their first boot, without a user to do weird things.

Linux provides random numbers to programs via two devices: /dev/random and /dev/urandom. Reading from either device returns cryptographic-quality. Both devices use the same internal RNG state and the same algorithm to transform the state and produce random bytes. They have peculiar limitations which makes neither of them the right thing:

/dev/urandom can return predictable data if the system has not yet accumulated sufficient entropy.
/dev/random calculates the amount of available entropy and blocks if there isn't enough. This sounds good, except that the calculation is based on theoretical considerations that make the amount of available entropy decrease linearly with each output bit. Thus /dev/random tends to block very quickly.

Linux systems save the internal RNG state to disk and restore it at boot time. Therefore entropy carries over from one boot to the next. The only time when a Linux system may lack entropy is when it's freshly installed. Once there is sufficient entropy in the system, entropy does not decrease; only Linux's flawed calculation decreases. For more explanations of this consideration, read /dev/urandom is suitable to generate a cryptographic key, by a professional cryptographer. See aso Can you explain the entropy estimate used in random.c.

Moving the mouse adds more entropy to the system. But gpg can only read from /dev/random, not /dev/urandom (a way to solve this problem is to make /dev/random the same 1:9 device as /dev/urandom), so it is never at risk of receiving not-random-enough random numbers. If you don't move the mouse, the key is as random as can be; but what can happen is that gpg may get blocked in a read from /dev/random, waiting for the kernel's entropy counter to rise.

Best Answer

Related Solutions

RSA 2048 keypair generation: via openssl 0.5s via gpg 30s, why the difference

Linux – Adding Random Number Entropy for GPG Keys

Related Question