When working to create a GPG key to sign some RPM packages I was building, I ran into a message I had never seen before. I was building the RPM packages on an older, underpowered server, which I assume contributed to the issue. The error is shown below; in short, it means GPG needs to generate a lot of random bytes, which are used to create a unique key. The message states that the computer needs to collect more entropy, so below I explain the error in more detail, what entropy means, why more entropy is needed, and how to generate as much as possible in a short amount of time to finish generating the GPG key.
Message Displayed During GPG Key Generation:
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 283 more bytes)
What Is Entropy & Why Does GPG Key Generation Need It:
Dictionary Entry For Entropy: Entropy is a state of disorder, confusion, and disorganization.
So in the case of GPG key generation, entropy refers to the unpredictable activity on the computer that the random number generator draws from to produce a random GPG key. This activity can come from moving the mouse, typing on the keyboard, clicking the mouse, or other things being done on the computer. I found it easiest to create the most entropy by configuring and/or compiling applications. A certain amount of such activity must occur during key generation so the key is guaranteed to be completely random, which is what makes it secure. The amount of random activity needed depends on the length of the key. The default key type (“DSA and Elgamal” or ELG-E) can be between 1024 bits and 4096 bits long, so a key configured to be 1024 bits long requires less entropy than one configured for, say, 2048 bits.
Generate Entropy Quickly For GPG Key Generation:
I suggest compiling an application to generate as much entropy as possible in a short amount of time. If you don’t already have some package sources on the computer that needs the entropy, download the curl source here. Unpack the curl package by typing “tar -zxvf curl-7.20.0.tar.gz” from the directory where the file was downloaded, then change into the source directory that was just created by typing “cd curl-7.20.0”. From within the curl-7.20.0 directory, type “./configure” to begin the curl configuration. This will more than likely be enough entropy for the server to finish generating the GPG key; if it is not, type “make” to begin compiling the application. While either or both of those commands are running, move your mouse around the screen to increase the amount of entropy being generated. Also, don’t worry: both of those commands only configure and compile curl, they do not install it.
Monitor Amount Of Entropy Being Generated On CentOS During GPG Key Generation:
- watch cat /proc/sys/kernel/random/entropy_avail
Example View Of Available Entropy After Issuing Watch Command On CentOS:
- Every 2.0s: cat /proc/sys/kernel/random/entropy_avail Wed Mar 3 21:56:42 2010
- 3593
If you issue the above command during GPG key generation, after receiving the “collect more entropy” message, this number will likely be 0. As you begin to configure and compile curl you will see it rise, and fall again as the GPG key generation consumes entropy.
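As an added example (not part of the original post), the following POSIX sh script does what the watch one-liner above does, but also converts gpg’s “Need N more bytes” message into bits (entropy_avail is reported in bits), tracks the minimum and maximum seen, and stops polling once the pool is large enough. The POOL_FILE variable, the run argument and the default limits are assumptions for this example.

```shell
#!/bin/sh
# Added example: monitor the kernel entropy pool while gpg --gen-key waits.
# Defaults are assumptions; override POOL_FILE to point at a test file.
POOL_FILE="${POOL_FILE:-/proc/sys/kernel/random/entropy_avail}"
GPG_MSG="${GPG_MSG:-Not enough random bytes available. (Need 283 more bytes)}"

# Turn gpg's "(Need N more bytes)" line into the number of bits still needed,
# since entropy_avail counts bits, not bytes. Fails if the line has no count.
need_bits_from_msg() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*Need \([0-9][0-9]*\) more bytes.*/\1/p')
    [ -n "$n" ] || return 1
    echo $((n * 8))
}

# Read the current pool size (bits) from entropy_avail or a stand-in file.
read_pool() {
    tr -d '[:space:]' < "$1"
}

# Poll file $1 every $3 seconds, at most $4 times; succeed (exit 0) as soon as
# the pool holds at least $2 bits. Logs min/max so the rise and fall is visible.
wait_for_entropy() {
    file=$1; want=$2; interval=${3:-2}; tries=${4:-30}
    min=; max=; i=0
    while [ "$i" -lt "$tries" ]; do
        avail=$(read_pool "$file") || return 2
        { [ -z "$min" ] || [ "$avail" -lt "$min" ]; } && min=$avail
        { [ -z "$max" ] || [ "$avail" -gt "$max" ]; } && max=$avail
        printf '%s avail=%s bits (min=%s max=%s want=%s)\n' \
            "$(date +%T)" "$avail" "$min" "$max" "$want"
        [ "$avail" -ge "$want" ] && return 0
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# Usage (assumed): ./entropy_watch.sh run   (while ./configure runs elsewhere)
case "${1:-}" in
    run) wait_for_entropy "$POOL_FILE" "$(need_bits_from_msg "$GPG_MSG")" ;;
esac
```

With the default message the threshold is 283 × 8 = 2264 bits, so the 3593 shown in the watch output above would end the wait immediately.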
After some amount of time the GPG key generation will complete. Again, how long it takes will vary based on the keysize chosen during the configuration of the GPG key. Below is the output of the entire GPG key generation process, including the command issued to start it.
Generate A GPG Key On CentOS Linux Using gpg --gen-key:
- [root@dev gpg]# gpg --gen-key
- gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
- This program comes with ABSOLUTELY NO WARRANTY.
- This is free software, and you are welcome to redistribute it
- under certain conditions. See the file COPYING for details.
- Please select what kind of key you want:
- (1) DSA and Elgamal (default)
- (2) DSA (sign only)
- (5) RSA (sign only)
- Your selection? 1
- DSA keypair will have 1024 bits.
- ELG-E keys may be between 1024 and 4096 bits long.
- What keysize do you want? (2048) 1024
- Requested keysize is 1024 bits
- Please specify how long the key should be valid.
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
- Key is valid for? (0) 0
- Key does not expire at all
- Is this correct? (y/N) y
- You need a user ID to identify your key; the software constructs the user ID
- from the Real Name, Comment and Email Address in this form:
- "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
- Real name: Alex Kah
- Email address: alex@question-defense.com
- Comment: Question Defense
- You selected this USER-ID:
- "Alex Kah (Question Defense) <alex@question-defense.com>"
- Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
- You need a Passphrase to protect your secret key.
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- ++++++++++++++++++++.+++++++++++++++.+++++++++++++++.++++++++++++++++++++++++++++++++++++++++..+++++++++++++++.++++++++++++++++++++++++++++++.......+++++
- Not enough random bytes available. Please do some other work to give
- the OS a chance to collect more entropy! (Need 283 more bytes)
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- ++++++++++++++++++++.++++++++++.+++++..++++++++++++++++++++.+++++++++++++++.+++++.+++++.++++++++++...++++++++++++++++++++++++++++++++++++++++.......>+++++..+++++^^^
- gpg: /root/.gnupg/trustdb.gpg: trustdb created
- gpg: key AB339000 marked as ultimately trusted
- public and secret key created and signed.
- gpg: checking the trustdb
- gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
- gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
- pub 1024D/FE249006 2010-03-04
- Key fingerprint = 8888 EEEE 1111 BBBB F903 4444 1111 EEEE FFFF 9006
- uid Alex Kah (Question Defense) <alex@question-defense.com>
- sub 1024g/8888FFFF 2010-03-04
- [root@dev gpg]#
So the entropy needed for GPG key generation is really just the random activity required to guarantee that a random key is generated.