The Raspberry Pi's BCM2835 system-on-a-chip has a hardware random number generator. Since the Pi doesn't have a lot of the usual sources of randomness it is well worth turning on.
Edit /etc/modules and add the line:
This will create the device /dev/hwrng at the next boot. If you can't wait until then, say modprobe bcm2708_rng. When the random number generator module is installed, dmesg will report:
To drop this source of random data into the kernel's pool of randomness use the rngd daemon: sudo apt-get install rng-tools.
Edit /etc/default/rng-tools to say:
The default parameters for rngd are a good fit for an inadequately described hardware random generator so there is no need to bother with setting any
Restart rngd with /etc/init.d/rng-tools restart.
When rngd starts it syslogs:
    rngd 2-unofficial-mt.14 starting up...
    entropy feed to the kernel ready
When rngd is stopped it prints the values of statistics it maintains to validate the randomness of data read from /dev/hwrng. For example:
    stats: bits received from HRNG source: 140064
    stats: bits sent to kernel pool: 98944
    stats: entropy added to kernel pool: 98944
    stats: FIPS 140-2 successes: 7
    stats: FIPS 140-2 failures: 0
    stats: FIPS 140-2(2001-10-10) Monobit: 0
    stats: FIPS 140-2(2001-10-10) Poker: 0
    stats: FIPS 140-2(2001-10-10) Runs: 0
    stats: FIPS 140-2(2001-10-10) Long run: 0
    stats: FIPS 140-2(2001-10-10) Continuous run: 0
    stats: HRNG source speed: (min=596.574; avg=709.100; max=743.255)Kibits/s
    stats: FIPS tests speed: (min=5.947; avg=6.126; max=6.191)Mibits/s
    stats: Lowest ready-buffers level: 2
    stats: Entropy starvations: 0
    stats: Time spent starving for entropy: (min=0; avg=0.000; max=0)us
    Exiting...
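What the FIPS 140-2 counters in that dump measure, as an added example (not from the original post and not rngd's own code): a Python implementation of the Monobit, Poker, Runs and Long run tests over one 20,000-bit block, using the thresholds of the 2001-10-10 revision of FIPS 140-2. The function name and the sample blocks are constructed for illustration, and the Continuous run test is left out.

```python
from itertools import groupby
import random

BLOCK_BYTES = 2500  # one FIPS 140-2 test block is 20,000 bits
# Allowed counts of runs of length 1..5 and 6+ (same bounds for 0-runs and 1-runs).
RUN_BOUNDS = [(2315, 2685), (1114, 1386), (527, 723), (240, 384), (103, 209), (103, 209)]

def fips_140_2(block):
    """Return {test name: passed} for one 2500-byte block (hypothetical helper)."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("need exactly 2500 bytes (20,000 bits)")
    bits = "".join(f"{b:08b}" for b in block)

    # Monobit: the number of 1 bits must be close to half of 20,000.
    ones = bits.count("1")
    monobit = 9725 < ones < 10275

    # Poker: chi-square-style statistic over the 5000 4-bit nibbles.
    freq = [0] * 16
    for b in block:
        freq[b >> 4] += 1
        freq[b & 0x0F] += 1
    x = 16 / 5000 * sum(f * f for f in freq) - 5000
    poker = 2.16 < x < 46.17

    # Runs and Long run: tally maximal runs of identical bits by length.
    counts = {"0": [0] * 6, "1": [0] * 6}
    longest = 0
    for bit, grp in groupby(bits):
        n = len(list(grp))
        longest = max(longest, n)
        counts[bit][min(n, 6) - 1] += 1
    runs = all(lo <= c[i] <= hi for c in counts.values()
               for i, (lo, hi) in enumerate(RUN_BOUNDS))
    return {"Monobit": monobit, "Poker": poker, "Runs": runs, "Long run": longest < 26}

# Constructed sample blocks (not real /dev/hwrng output).
STUCK = bytes(BLOCK_BYTES)                # source stuck at zero
PATTERN = b"\x55" * BLOCK_BYTES           # 0101...: balanced but not random
PRNG = random.Random(2835).getrandbits(20000).to_bytes(BLOCK_BYTES, "big")  # seeded stand-in

if __name__ == "__main__":
    for name, blk in [("stuck", STUCK), ("pattern", PATTERN), ("prng", PRNG)]:
        print(name, fips_140_2(blk))
```

The 0x55 block passes Monobit and Long run yet fails Poker and Runs, which is why a block counts as a FIPS success only when every test passes.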
If you underrun the "lowest ready-buffers level" then alter RNGDOPTIONS in /etc/default/rng-tools to decrease the --feed-interval from 60 seconds to 10s or even down to 1s; also increase the --rng-buffers from 3 to 5.
If programs read from /dev/random and block, and this blocking is harming performance, then make the hardware random number generator carry more of the load of filling the entropy pool. When --fill-watermark is not provided, the contribution of the hardware random number generator to the entropy pool is limited to 50%; increase that to 90% with --fill-watermark=90% (the "%" is required; 90 has a different meaning entirely). Note that this places more trust in the correct operation and non-subversion of the hardware random number generator.