Entropy on virtual machines

Tags: cryptography, entropy-pool, virtual-machines

As you might know, it's not as easy to generate entropy on a virtual machine as on a "normal" PC.
Generating a gpg-key on a virtual machine can take a while, even with the correct tools.

There are plenty more crypto functions out there which aren't as entropy-aware as gpg is.

So can one say that cryptography is less secure on a virtual machine?

Best Answer

First of all, let me say I'm not at all a security expert.

As gpg key creation uses /dev/random as its random number generator, it is as secure on a virtual machine as on a real machine.
/dev/random is a blocking device, and will stop delivering any randomness beyond the available amount. You can check your available randomness with:

    cat /proc/sys/kernel/random/entropy_avail

(should be around 2000)

On a virtual machine the available randomness is indeed lower than on a real machine, due to the lack of access to hardware.
You could increase the entropy by e.g. applying entropy keys and/or switching to a non-virtualized machine.

There is a nice article available on entropy on virtual machines. Unfortunately, both parts of the article are only available in Google cache right now.

Entropy has further effects on any SSL/TLS encryption. So, using /dev/urandom or any not truly random source has indeed an impact on the security of your applications.

In terms of how reliable /dev/urandom is compared to true randomness,
I'm not able to give you a decent answer there, sorry.

For further information about this topic you could go to http://security.stackexchange.com and/or read e.g. this post
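
A guest-side check for the conditions the answer above describes, as an added example that is not part of the original answer: it reads entropy_avail relative to the kernel's reported pool size and reports whether the guest has any hardware randomness source to refill it. The names ROOT and LOW_PCT, the 25% threshold and the verdict labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original answer): entropy health check for a Linux guest.
# ROOT and LOW_PCT are hypothetical names. ROOT points the check at a copied or
# constructed /proc + /sys tree; leave it empty to inspect the live system.
LOW_PCT=${LOW_PCT:-25}   # assumed alert threshold, percent of pool size

read_first() {           # first line of file $1, or fallback $2 if unreadable
    if [ -r "$1" ]; then head -n 1 "$1"; else printf '%s\n' "$2"; fi
}

vm_entropy_report() {
    root=${1:-}
    rnd="$root/proc/sys/kernel/random"
    avail=$(read_first "$rnd/entropy_avail" n/a)
    pool=$(read_first "$rnd/poolsize" n/a)
    # Active hardware RNG driver, e.g. virtio_rng.0 when the host passes one through
    hwrng=$(read_first "$root/sys/class/misc/hw_random/rng_current" none)
    [ -n "$hwrng" ] || hwrng=none
    # rdrand/rdseed show up in the CPU flags only if the hypervisor exposes them
    if grep -qwE 'rdrand|rdseed' "$root/proc/cpuinfo" 2>/dev/null; then
        cpu_rng=yes
    else
        cpu_rng=no
    fi
    # Compare against poolsize rather than a fixed number: the pool is 4096 bits
    # on older kernels and 256 bits on recent ones.
    case "$avail:$pool" in
        *[!0-9:]*|:*|*:|*:0) fill=unknown ;;
        *) fill=$(( avail * 100 / pool )) ;;
    esac
    if [ "$fill" = unknown ]; then
        verdict=unknown
    elif [ "$fill" -ge "$LOW_PCT" ]; then
        verdict=ok
    elif [ "$hwrng" = none ] && [ "$cpu_rng" = no ]; then
        verdict=starved      # low pool and no hardware source to refill it
    else
        verdict=low
    fi
    printf 'entropy_avail=%s poolsize=%s fill_pct=%s hwrng=%s cpu_rng=%s verdict=%s\n' \
        "$avail" "$pool" "$fill" "$hwrng" "$cpu_rng" "$verdict"
}

vm_entropy_report "${1:-}"
```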