Error creating backup keys

I'm trying to get Virtualmin to generate a key for encrypting backups, however it just sits there for 60 secs and then bombs with the following error:

Failed to create backup key : Key generation failed : failed: End of file You don't want a passphrase - this is probably a bad idea! I will do it anyway. You can change your passphrase at any time, using this program with the option "--edit-key". We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.

After some digging around on the internet it seemed that this was a timeout caused by lack of entropy. I found that after installing rng-tools, setting some options for it and starting rngd, gpg --gen-key was almost instant, and this allowed Virtualmin to create keys correctly.

I found this info - https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011 and https://www.centos.org/modules/newbb/print.php?form=1&topic_id=36209&for...

Status: Closed (fixed)

Comments

Yes, someone else reported a similar issue ... if the key size is too large, gpg fails due to lack of entropy. This is particularly common on VMs.

Virtualmin tries to address this by running find / in the background during key generation to create lots of entropy from disk IO, but it doesn't always work.

Sorry if this is a dupe, feel free to close it. FWIW, I tried this on 4 different machines, none of which are VPS, all dedicated servers. But even on the bigger 2 servers it still timed out, and they are i5-2400 3.1GHz.

As I'm going to use the same key across all my servers, I only needed to do this once.

I had a look at that thread at https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/706011 , and it seems that the real issue is that server machines simply don't generate enough entropy as there is no interactive user at the console :-(

The work-around of using rng-tools is kind of a hack, as it doesn't generate true entropy needed for a really random key. Probably the best real solution is to generate the GPG key on a desktop machine, and then import it to Virtualmin on your server.

Thanks Jamie,

I have to admit I didn't read much below the fold of that thread, but I did just read it all the way through and there are some fairly angry people who should probably get out more :)

In the thread it's mentioned that filesystem indexes fitting into RAM cause things like "find /" to not generate sufficient entropy. In my case all the servers I tried this on had either 16GB or 24GB of RAM, likely plenty to cache the indexes.

In some very unscientific tests, running "find /" while watching /proc/sys/kernel/entropy_avail shows that it makes no appreciable difference.

Some comments in the thread identify HAVEGED as an acceptable source of entropy, which seems to keep entropy_avail at a sufficiently high level to generate keys in a timely fashion.

I've left this ticket open, but it seems unrealistic for you to fix the key generation. However, I feel it might be helpful to add some notes about this to the key generation UI or at least the help, and catch any timeout errors and give a meaningful error.

Maybe telling users if entropy_avail is low and suggesting a solution might be possible?

cheers, Chris

Yeah, that thread was pretty amusing :-)

What I'll do is add a more useful error if key generation fails due to lack of entropy ..
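The entropy_avail check suggested in the thread, sketched as an added example that is not part of the original thread and is not Virtualmin's code. It reads the counter at its full kernel path, `/proc/sys/kernel/random/entropy_avail`; the function names, the 200-bit threshold and the sampling interval are assumptions to tune for the kernel in use.

```shell
#!/bin/sh
# Added example (not Virtualmin code): sample the kernel entropy counter
# before starting a long-running "gpg --gen-key".
# Assumptions: threshold of 200 bits, 5 samples, 1 s apart; tune per kernel.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# entropy_min FILE SAMPLES INTERVAL
# Prints the lowest value seen; returns 2 if FILE is unreadable or non-numeric.
entropy_min() {
    em_low=""
    em_i=0
    while [ "$em_i" -lt "$2" ]; do
        em_val=$(cat "$1" 2>/dev/null) || return 2
        case $em_val in
            ''|*[!0-9]*) return 2 ;;
        esac
        if [ -z "$em_low" ] || [ "$em_val" -lt "$em_low" ]; then
            em_low=$em_val
        fi
        em_i=$((em_i + 1))
        if [ "$em_i" -lt "$2" ]; then sleep "$3"; fi
    done
    echo "$em_low"
}

# check_entropy FILE MIN_BITS SAMPLES INTERVAL
# Returns 0 = enough entropy, 1 = low (warning on stderr), 2 = cannot tell.
check_entropy() {
    ce_low=$(entropy_min "$1" "$3" "$4") || {
        echo "cannot read entropy counter: $1" >&2
        return 2
    }
    if [ "$ce_low" -lt "$2" ]; then
        echo "entropy_avail dropped to $ce_low (< $2): gpg --gen-key may time out." >&2
        echo "Generate the key on a desktop and import it, or run haveged/rngd first." >&2
        return 1
    fi
    return 0
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_entropy "$ENTROPY_FILE" 200 5 1
fi
```

Taking the minimum over several samples rather than a single read catches a pool that is being drained while the check runs.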