Getting More Entropy in Java on Linux
Table of Contents
Setting entropy pool for Java server on linux is fair simple. Just add a system property to specify a device to read from.
Blocking, but more Secure #
-Djava.security.egd=file:///dev/random
This is secure but may block your application until enough entropy is available.
When read, the /dev/random device will only return random bytes within the estimated number of bits of noise in the entropy pool. /dev/random should be suitable for uses that need very high quality randomness such as one-time pad or key generation. When the entropy pool is empty, reads from /dev/random will block until additional environmental noise is gathered.
Non-Blocking But Less Secure #
-Djava.security.egd=file:///dev/urandom
A read from the /dev/urandom device will not block waiting for more entropy. As a result, if there is not sufficient entropy in the entropy pool, the returned values are theoretically vulnerable to a cryptographic attack on the algorithms used by the driver. Knowledge of how to do this is not available in the current non-classified literature, but it is theoretically possible that such an attack may exist. If this is a concern in your application, use /dev/random instead.
If solution not working then take a look at workaround: http://bugs.java.com/view_bug.do?bug_id=6202721
How to get more entropy #
- Involve an audio entropy daemon like AED to gather noise from your datacenter with an open microphone, maybe combine it with a webcam noise collector like VED. Other sources are talking about “Cryptographic Randomness from Air Turbulence in Disk devices“.
- Use the Entropy Gathering Daemon to collect weaker entropy from randomness of userspace programs.
- Have a look at haveged (collecting good entropy on basis of CPU clock flutter)
- Consider installing a couple of parrots or canary next to your server.