Re: generating gpg keys
Why is this on debian-policy? It has nothing to do with policy.
Hamish Moffatt <hamish@debian.org> writes:
> On generating gpg keys, how can one go about getting enough entropy
> on one's own machine?
Here's a reply to that question from Werner on the g10 list only
today.
| It is really not easy to fill the Linux internal entropy buffer; I
| talked to Ted Ts'o and he commented that the best way to fill the
| buffer is to play with your keyboard.
|
| What I do is to hit several times on the shift,control, alternate,
| capslock keys, as these keys do not produce any output. This way you
| get your keys really fast (it's the same thing pgp2 does).
|
| A problem might be another program which eats up your random bytes
| (a program (look at your daemons) that reads from /dev/[u]random).
|
| I have the same problem when I try to do this via telnet - not for
| real work but to test the program - it takes *very* long. You should
| NEVER do this via telnet (even not with ssh) as your passphrase walks
| over a telco (or Ethernet) line and is easy to spy out. Also you have
| no physical control over your secret keyring (which is in most cases
| vulnerable to advanced dictionary attacks) - I strongly encourage
| everyone to only create keys on a local computer (a disconnected
| laptop is probably the best choice) and if you need it on your
| connected box (of course, we all do this) be sure to have a strong
| password for your account and trust your root.
> Solaris undergrad server at university, gpg is unable to lock memory
> hence the key will be insecure;
It's not the fact that it can't lock memory it's the fact that Solaris
has no cryptographically secure random number generator and no one's
written one for gnupg yet. The warning about not being able to lock
memory is just that, a warning.
--
James
~Yawn And Walk North~ http://yawn.nocrew.org/
--
To UNSUBSCRIBE, email to debian-policy-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: