As you might know that it's not as easy to generate entropy on a virtual machine as on a "normal" pc.
Generating a gpg-key on a virtual machine can take a while, even with the correct tools.
There are plenty more crypto functions out there which aren't so entropy aware as gpg is.
So can one say that cryptography is less secure on a virtual machine?
Best Answer
First of all, let me say I'm not at all a security expert.
As gpg key creation is using
/dev/random
as random number generator, it is as secure on a virtual machine, as on a real machine./dev/random
is a blocking device, and will stop delivering any randomness beyond the available amount. You can check your available randomness bycat /proc/sys/kernel/random/entropy_avail
(should be around 2000)On a virtualmachine the available randomness is indeed lower than on a real machine, due to the lacking access to hardware.
You could increase the entropy by e.g. applying entropy keys and/or switch to a nonvirtualized machine.
There is a nice article available on entropy on virtual machines. Unfortunatly both parts of the article are only available in google cache right now.
Entropy has further effects on any ssl/tls encryption. So, using
/dev/urandom
or any not-truly random source has indeed an impact on the security of your applications.In terms of how reliable
/dev/urandom
compared to true randomness is;i'm not able to give you a decent answer there, sorry.
For further information about this topic you could go to http://security.stackexchange.com and/or read eg. this post