Most encryption schemes rely on random numbers to function properly. Interestingly, the Raspberry Pi comes equipped with a random number generator in hardware: the 2835 chip on the motherboard contains a hardware entropy source. Recent versions of the firmware include a hardware random number generator module so you can access this entropy source.
Enable RNG module
To enable the hardware RNG module you need to make sure your system is up to date.
$ sudo apt-get update
$ sudo apt-get -y dist-upgrade
$ sudo rpi-update
$ sudo reboot
Once the reboot is complete, load the module:
$ sudo modprobe bcm2708-rng
To load the module by default, add the following to /etc/modules:
$ sudo nano /etc/modules
bcm2708-rng
The random numbers are now available at /dev/hwrng. This is all fine and dandy, but /dev/hwrng can only be accessed by the root user. We need some means to allow userspace access to the RNG.
rng-tools to the rescue!
rng-tools contains a daemon that acts as a bridge between a hardware TRNG (true random number generator) and the kernel’s PRNG (pseudo-random number generator). In short, it feeds the random data from the hardware RNG to the kernel entropy pool at
Let’s install the rng-tools package:
$ sudo apt-get install rng-tools
At the end of the install process you will see the following line which indicates the daemon has successfully started:
Starting Hardware RNG entropy gatherer daemon: rngd.
We now need to point rngd to collect random data from /dev/hwrng. Edit /etc/default/rng-tools to make sure that HRNGDEVICE points to /dev/hwrng:
$ sudo nano /etc/default/rng-tools
HRNGDEVICE=/dev/hwrng
Now restart the daemon:
$ sudo service rng-tools restart
Testing the setup
The main benefit of using the hardware RNG is that it supplies a steady stream of entropy, without having to rely on other input, such as mouse movement or keyboard strokes. We can easily test the bandwidth of available entropy with:
$ sudo dd if=/dev/random of=random bs=128 count=1024
0+1024 records in
0+1024 records out
81592 bytes (82 kB) copied, 2.42348 s, 33.7 kB/s
As you can see, we get more than 33 kB of entropy per second through /dev/random. If we now stop rngd, the entropy bandwidth screeches to a halt, as /dev/random is no longer supplied by the hardware RNG. I stopped dd after about a minute, and it was far from finished.
$ sudo service rng-tools stop
Stopping Hardware RNG entropy gatherer daemon: rngd.
$ sudo dd if=/dev/random of=random bs=128 count=1024
^C0+5 records in
0+5 records out
177 bytes (177 B) copied, 63.6551 s, 0.0 kB/s
As expected, the amount of available entropy dropped dramatically, but after starting rngd again it quickly increased to a normal level.
$ cat /proc/sys/kernel/random/entropy_avail
23
$ sudo service rng-tools start
Starting Hardware RNG entropy gatherer daemon: rngd.
$ cat /proc/sys/kernel/random/entropy_avail
2138
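The persistent pieces of this setup (the module entry, the HRNGDEVICE setting and the entropy level) can be checked in one pass. The script below is an added example, not part of the original post; the function names and the default 1000-bit threshold (picked between the 23 and 2138 readings above) are assumptions, and the file paths are arguments so the checks can also run against copies of the files.

```shell
#!/bin/sh
# Added example: audit of the hardware RNG setup described in this post.

# Succeeds if the module is listed on an uncommented line of the modules file.
module_persisted() {  # $1 = modules file, $2 = module name
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints the effective HRNGDEVICE value: commented lines are ignored,
# the last assignment wins, surrounding quotes are stripped.
hrng_device() {  # $1 = rng-tools defaults file
    sed -n 's/^[[:space:]]*HRNGDEVICE=\([^[:space:]#]*\).*$/\1/p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Succeeds if the counter file reports at least the given number of bits.
entropy_ok() {  # $1 = entropy_avail file, $2 = minimum bits
    [ "$(cat "$1")" -ge "$2" ]
}

# Runs all three checks, prints one line per failure, returns 0 only if all pass.
check_setup() {  # $1 = modules, $2 = defaults, $3 = entropy file, $4 = minimum
    rc=0
    min=${4:-1000}   # assumed threshold, not a value from rng-tools
    module_persisted "$1" bcm2708-rng ||
        { echo "FAIL: bcm2708-rng is not listed in $1"; rc=1; }
    dev=$(hrng_device "$2")
    [ "$dev" = /dev/hwrng ] ||
        { echo "FAIL: HRNGDEVICE is '${dev:-unset}' in $2"; rc=1; }
    entropy_ok "$3" "$min" ||
        { echo "FAIL: entropy_avail is below $min (is rngd running?)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: hardware RNG setup looks complete"
    return "$rc"
}

# On the Pi itself:
# check_setup /etc/modules /etc/default/rng-tools \
#     /proc/sys/kernel/random/entropy_avail
```

A non-zero exit status makes the script usable from cron or a monitoring check after reboots and upgrades.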