Hello everyone,
rng-tools is installed by default in the raspberry Pi image and is started on boot by systemd. Unfortunately, rngd has a non-optimal default configuration:
In /etc/conf.d/rngd:
$this->bbcode_second_pass_code('', 'RNGD_OPTS="-o /dev/random -r /dev/urandom"')
That means, rngd takes entropy from /dev/urandom and feeds it into /dev/random, which you should only do if you really know what you are doing. The problem with this default configuration has already been reported for the ArchLinux package: https://bugs.archlinux.org/task/34580
The argument in that bug report was that rngd is not installed by default (which however is the case on the Pi distribution) and most devices don’t have a hardware rng (which the Pi actually has). This default configuration could have potential security implications, i.e. if you use a DSA-based crypto algorithm. So the arguments in that original bug report aren’t true for the Pi.
Therefore I suggest the following change to /etc/conf.d/rngd:
$this->bbcode_second_pass_code('', 'RNGD_OPTS="-o /dev/random -r /dev/hwrng"')
which will use the hardware rng of the Pi.
Alternatively or additionally, it would be an option to disable rngd in the default configuration.