The Raspberry Pi's BCM2835 system-on-a-chip has a hardware random number generator. Since the Pi doesn't have a lot of the usual sources of randomness it is well worth turning on.
Edit /etc/modules and add the line:
This will create the device /dev/hwrng at the next boot. If you can't wait until then say modprobe bcm2708_rng. When the random number generator module is installed dmesg will report:
To drop this source of random data into the kernel's pool of randomness use the rngd daemon: sudo apt-get install rng-tools.
Edit /etc/default/rng-tools to say:
The default parameters for rngd are a good fit for an inadequately described hardware random generator so there is no need to bother with setting any
Restart rngd with /etc/init.d/rng-tools restart.
When rngd starts it syslogs:
rngd 2-unofficial-mt.14 starting up...
entropy feed to the kernel ready
When rngd is stopped it prints the values of statistics it maintains to validate the randomness of data read from /dev/hwrng. For example:
stats: bits received from HRNG source: 140064
stats: bits sent to kernel pool: 98944
stats: entropy added to kernel pool: 98944
stats: FIPS 140-2 successes: 7
stats: FIPS 140-2 failures: 0
stats: FIPS 140-2(2001-10-10) Monobit: 0
stats: FIPS 140-2(2001-10-10) Poker: 0
stats: FIPS 140-2(2001-10-10) Runs: 0
stats: FIPS 140-2(2001-10-10) Long run: 0
stats: FIPS 140-2(2001-10-10) Continuous run: 0
stats: HRNG source speed: (min=596.574; avg=709.100; max=743.255)Kibits/s
stats: FIPS tests speed: (min=5.947; avg=6.126; max=6.191)Mibits/s
stats: Lowest ready-buffers level: 2
stats: Entropy starvations: 0
stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
Exiting...
If you underrun the "lowest ready-buffers level" then alter RNGDOPTIONS in /etc/default/rng-tools to decrease the --feed-interval from 60 seconds to 10s or even down to 1s; also increase the --rng-buffers from 3 to 5.
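One way to automate that check, as an added example that is not part of the original post: a shell function that reads rngd's "stats:" lines and flags FIPS rejections, drained buffers and entropy starvations. The 1% failure threshold and treating a lowest ready-buffers level of 0 as an underrun are assumptions, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: flag the conditions discussed above in rngd's exit statistics.
# MAX_FAIL_PCT and "level 0 means underrun" are assumptions, not rngd settings.
MAX_FAIL_PCT=${MAX_FAIL_PCT:-1}

# Reads "stats: ..." lines on stdin (a syslog prefix before "stats:" is fine).
# Prints one finding per line; exit status 0 = healthy, 1 = attention, 2 = no data.
rngd_stats_check() {
    awk -v max_pct="$MAX_FAIL_PCT" '
        /stats: FIPS 140-2 successes: /       { ok = $NF + 0 }
        /stats: FIPS 140-2 failures: /        { bad = $NF + 0 }
        /stats: Lowest ready-buffers level: / { low = $NF + 0; have_low = 1 }
        /stats: Entropy starvations: /        { starved = $NF + 0 }
        END {
            blocks = ok + bad
            if (blocks == 0) { print "no-data: no FIPS block counts found"; exit 2 }
            rc = 0
            if (bad * 100 > max_pct * blocks) { printf "fips: %d of %d blocks rejected, check /dev/hwrng\n", bad, blocks; rc = 1 }
            if (have_low && low == 0) { print "buffers: ran out, lower --feed-interval and raise --rng-buffers"; rc = 1 }
            if (starved > 0) { printf "starved: %d entropy starvations\n", starved; rc = 1 }
            if (rc == 0) printf "ok: %d of %d blocks passed FIPS tests\n", ok, blocks
            exit rc
        }'
}

# Values taken from the statistics shown above.
sample_from_page() {
    cat <<'EOF'
stats: FIPS 140-2 successes: 7
stats: FIPS 140-2 failures: 0
stats: Lowest ready-buffers level: 2
stats: Entropy starvations: 0
EOF
}

# Constructed sample: syslog-prefixed lines from a run that drained its buffers.
sample_drained() {
    cat <<'EOF'
Dec  3 10:00:00 pi rngd[412]: stats: FIPS 140-2 successes: 40
Dec  3 10:00:00 pi rngd[412]: stats: FIPS 140-2 failures: 2
Dec  3 10:00:00 pi rngd[412]: stats: Lowest ready-buffers level: 0
Dec  3 10:00:00 pi rngd[412]: stats: Entropy starvations: 3
EOF
}

sample_from_page | rngd_stats_check || true
sample_drained | rngd_stats_check || true
```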
If programs read from /dev/random and block, and this blocking is harming performance, then make the hardware random number generator carry more of the load of filling the entropy pool. When --fill-watermark is not provided, the contribution of the hardware random number generator to the entropy pool is limited to 50%; increase that to 90% with --fill-watermark=90% (the "%" is required, 90 has a different meaning entirely). Note that this places more trust in the correct operation and non-subversion of the hardware random number generator.
Addendum 2015-12-03: Regenerating SSH host keys
One reason to use the random number generator is to generate secure SSH host keys. This is difficult to do without the hardware random number generator because of the low level of entropy available on the RPi soon after boot.
Remove the existing host keys:
$ sudo rm /etc/ssh/ssh_host_*
Then generate new keys, using the key algorithms recommended by your Debian distribution:
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd. [ ok ]