[youknow0]

Hello everyone,

rng-tools is installed by default in the raspberry Pi image and is started on boot by systemd. Unfortunately, rngd has a non-optimal default configuration:

In /etc/conf.d/rngd:
$this->bbcode_second_pass_code('', 'RNGD_OPTS="-o /dev/random -r /dev/urandom"')

That means, rngd takes entropy from /dev/urandom and feeds it into /dev/random, which you should only do if you really know what you are doing. The problem with this default configuration has already been reported for the ArchLinux package: https://bugs.archlinux.org/task/34580

The argument in that bug report was that rngd is not installed by default (which however is the case on the Pi distribution) and most devices don’t have a hardware rng (which the Pi actually has). This default configuration could have potential security implications, i.e. if you use a DSA-based crypto algorithm. So the arguments in that original bug report aren’t true for the Pi.

Therefore I suggest the following change to /etc/conf.d/rngd:
$this->bbcode_second_pass_code('', 'RNGD_OPTS="-o /dev/random -r /dev/hwrng"')
which will use the hardware rng of the Pi.

Alternatively or additionally, it would be an option to disable rngd in the default configuration.

[kmihelich]

No, it is not installed by default. Use the installation we provide on our site, that is the only supported installation.

[youknow0]

You’re right. I got confused. This thread can be closed.