Add Entropy with Haveged to Improve Cloud Server Randomness

Updated on February 1, 2023

Introduction

Haveged is open-source, easy-to-install software for adding entropy and improving a cloud server's randomness. It is an unpredictable random number generator that exploits a computer's volatile internal hardware states for randomness. It does not rely on the standard harvesting techniques that other systems use for entropy. Instead, it uses HAVEGE (Hardware Volatile Entropy Gathering and Expansion).

For cloud-based servers, most of the entropy comes from disk and network activity. Because these servers lack dedicated hardware such as physical keyboards or video cards that generate more random data, they collect only a limited amount of entropy within a given time. Consequently, server startup and other operations that require cryptography slow down, since they have to wait while the system collects additional entropy.

On the other hand, haveged generates randomness from variations in code execution time on a processor. It also draws on other hardware sources such as caches, memory translation tables, and so on. Relying more on internal, unmonitored states makes haveged suitable for systems such as cloud servers, which have less user interaction.

This guide shows you how to install haveged on Ubuntu 22.04, CentOS 9, and Red Hat Enterprise Linux (RHEL). The commands are almost the same for other versions of the Linux distributions covered in the article.

How to Install haveged on Ubuntu 22.04

This section applies to Debian and Ubuntu.

Prerequisites

  • A cloud server running Ubuntu 22.04 LTS
  • sudo user
  • Access to the command line or terminal window

Step 1: Log in to the Ubuntu 22.04 LTS server

Connect to your server with SSH as a sudo user.

Syntax:

$ ssh username@server-ip-address

Step 2: Update and upgrade the server

Use the command below to upgrade the installed packages to ensure that your server is running the latest software and security patches.

$ sudo apt update && sudo apt upgrade -y

Step 3: Install haveged on Ubuntu 22.04 cloud server

Run the following command to install haveged.

$ sudo apt install haveged

Type y to continue when prompted. If you want the installation to continue automatically without prompting you, add the -y flag to the command. In this case, run:

$ sudo apt -y install haveged

Please note that you can also use apt-get or aptitude instead of apt to install haveged.

The syntax for using these commands is the same. For example, to use apt-get run the following command.

$ sudo apt-get install haveged

Step 4: Start the haveged service

$ sudo systemctl start haveged

Step 5: Check the status of haveged

The following command shows you the status of haveged.

$ sudo systemctl status haveged.service

Sample output

    haveged.service - Entropy Daemon based on the HAVEGE algorithm
           Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
           Active: active (running) since Fri 2023-01-13 10:23:38 UTC; 1min 21s ago
             Docs: man:haveged(8)
                     http://www.issihosts.com/haveged/
         Main PID: 1411 (haveged)
            Tasks: 1 (limit: 1129)
           Memory: 3.2M
              CPU: 187ms
           CGroup: /system.slice/haveged.service
               └─1411 /usr/sbin/haveged --Foreground --verbose=1 1024

The output shows that haveged is active (running). It includes other details such as the date and time it started running.

Step 6: Test the quality of the randomness

After installing haveged, you can test the randomness using the rng-tools utility. To install the test tool, run the following command.

$ sudo apt install rng-tools

You can now test the randomness using the following command.

$ sudo cat /dev/random | rngtest -c 1000

Sample output

    rngtest 2.2
    Copyright (c) 2004 by Henrique de Moraes Holschuh
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    rngtest: starting FIPS tests...
    rngtest: bits received from input: 20000032
    rngtest: FIPS 140-2 successes: 999
    rngtest: FIPS 140-2 failures: 1
    rngtest: FIPS 140-2(2001-10-10) Monobit: 0
    rngtest: FIPS 140-2(2001-10-10) Poker: 1
    rngtest: FIPS 140-2(2001-10-10) Runs: 0
    rngtest: FIPS 140-2(2001-10-10) Long run: 0
    rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
    rngtest: input channel speed: (min=62.742; avg=2313.901; max=19073.486)Mibits/s
    rngtest: FIPS tests speed: (min=107.154; avg=156.436; max=161.640)Mibits/s
    rngtest: Program run time: 134652 microseconds

With haveged installed, the number of successes should be around 1000. There may be a few failures, so you may not reach 1000 successes on every run, but a figure of 998-1000 successes is acceptable and shows that haveged is working properly. Without haveged, the number of successes is much lower than 1000.
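One way to script the pass/fail decision described above, as an added example that is not part of the original guide. The function names (rng_field, rng_verdict, live_check) are hypothetical, and the embedded report is a constructed sample built from the summary lines in the sample output.

```shell
#!/usr/bin/env bash
# Added example: judge an rngtest summary against this guide's 998-success floor.
# Function names and the sample text below are illustrative assumptions.

# Constructed sample: summary lines copied from the sample output above.
SAMPLE_REPORT='rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Poker: 1'

# rng_field REPORT LABEL: print the integer that follows "rngtest: LABEL:".
rng_field() {
    printf '%s\n' "$1" |
        sed -n "s/^ *rngtest: $2: \([0-9][0-9]*\) *\$/\1/p" | head -n 1
}

# rng_verdict REPORT [MIN]: print a verdict; return 0 pass, 1 fail, 2 no data.
rng_verdict() {
    local report min ok bad
    report=$1
    min=${2:-998}
    ok=$(rng_field "$report" 'FIPS 140-2 successes')
    bad=$(rng_field "$report" 'FIPS 140-2 failures')
    if [ -z "$ok" ] || [ -z "$bad" ]; then
        echo "ERROR: no rngtest summary found"
        return 2
    fi
    if [ "$ok" -ge "$min" ]; then
        echo "PASS: $ok/$((ok + bad)) blocks passed"
        return 0
    fi
    echo "FAIL: $ok/$((ok + bad)) blocks passed (minimum $min)"
    return 1
}

# live_check: run on a server with haveged and rng-tools installed.
live_check() {
    local report
    systemctl is-active --quiet haveged || { echo "haveged is not running"; return 2; }
    # rngtest writes its summary to stderr and exits non-zero if any block fails.
    report=$(rngtest -c 1000 < /dev/random 2>&1) || true
    rng_verdict "$report"
}

# Default: evaluate the embedded sample. Pass --live to test this host.
if [ "${1:-}" = "--live" ]; then live_check; else rng_verdict "$SAMPLE_REPORT"; fi
```

The non-zero return codes make the script usable as a post-provisioning health check.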

Step 7: Configure haveged to load on startup

To enable haveged to automatically start when the server boots, run the following command.

$ sudo update-rc.d haveged defaults

How to install haveged on CentOS and RHEL

This section applies to CentOS and RHEL.

Prerequisites

  • A cloud server running CentOS 9
  • sudo user
  • Access to the command line or terminal window

Step 1: Log in to the server

Use ssh to connect to CentOS 9 as a sudo user.

Syntax:

$ ssh username@server-ip-address

The command for installing haveged on CentOS is the same as for RHEL. However, before installation, you must enable the Extra Packages for Enterprise Linux (EPEL) repository as shown below.

Step 2: Enable EPEL

$ sudo yum -y install epel-release

Refresh the repository by running

$ sudo yum repolist

The server is now ready for haveged installation.

Step 3: Install haveged

To install haveged on CentOS 9, run

$ sudo yum install haveged

Type 'y' to proceed when prompted.

Step 4: Start haveged

# --now starts the service immediately in addition to enabling it at boot
$ sudo systemctl enable --now haveged.service

Step 5: Check haveged status

$ sudo systemctl status haveged.service

Sample output

    ● haveged.service - Entropy Daemon based on the HAVEGE algorithm
         Loaded: loaded (/usr/lib/systemd/system/haveged.service; enabled; preset: disabled)
         Active: active (running) since Fri 2023-01-13 11:20:12 UTC; 15s ago
           Docs: man:haveged(8)
                    http://www.issihosts.com/haveged/
       Main PID: 89460 (haveged)
          Tasks: 1 (limit: 5924)
         Memory: 3.3M
            CPU: 187ms
         CGroup: /system.slice/haveged.service                
                 └─89460 /usr/sbin/haveged -w 1024 -v 1 --Foreground -v 64

    Jan 13 11:20:12 vultr.guest systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
    Jan 13 11:20:12 vultr.guest haveged[89460]: haveged: command socket is listening at fd 3
    Jan 13 11:20:12 vultr.guest haveged[89460]: haveged: fills: 1, generated: 512 K bytes, RNDADDENTROPY: 256

Step 6: Test haveged on CentOS

To test haveged on CentOS or RHEL, begin by installing the rng-tools.

$ sudo yum install rng-tools

Step 7: Test the quality of randomness

To test the quality of randomness on the CentOS server, run

$ sudo cat /dev/random | rngtest -c 1000

Step 8: Configure startup

To configure the system to automatically load haveged on boot, run

$ sudo chkconfig haveged on

Summary

The haveged software adds entropy, improving the randomness available for cryptography. It is suitable for cloud servers that use SSL, TLS, and other services that depend on encryption. Besides improving randomness, haveged improves the speed of the server since the generation process is faster.