Entropy Value is stuck at 256


i am trying to set up Passbolt on Ubuntu 22.04 LTS
During the step of checking the entropy I noticed that it is stuck at 256.
I tried to install rng-tools and haveged to increase it but it is still at the value of 256.
I am running Ubuntu 22.04.1 LTS / 5.15.0-48-generic on a VM.
I have read that in a recent update the entropy value was capped at 256 but I can’t figure out if this in any way would hinder Passbolt from working properly.

I would be glad if anyone could help me out

Hi @DM_123,

Are you using Ubuntu Desktop or Ubuntu Server ?

It’s not a bug or an issue, this has been picked up by thousands of unix users. Everyone running kernel v-5.15.0-47 and up would have the entropy hardcoded at 256.

I am not too sure how passbolt would react to low entropy as i always aim for 3000+ preferably 4096

There was a large commit done for 5.15.X, you can find it here kernel/git/stable/linux.git - Linux kernel stable tree

If you would like to change the hard coded value, it is located drivers/char/random.c

Jump to line 551 and you will see it is set to 8, which would be 256.
8*32 = 256

enum {
	POOL_READY_BITS = POOL_BITS, /* When crng_init->CRNG_READY */

if you would like to have lets say 4096, you would need to change the hardcoded value from 8 to 128.
128*32 = 4096



Entropy matters a lot, here is another reference particular to passbolt. Passbolt Help | Why should I install haveged on virtual environments?


I am using Ubuntu Server.
Thanks for your detailed clarification.

Related kernel commit explanation for reference: [PATCH 5.15 038/145] random: use computational hash for entropy extraction - Greg Kroah-Hartman

@remy maybe use of haveged needs to be revisited in docs.

As I am reading through the patch comments, it appears that the structuring of the random number generation has changed and running out of entropy (or a security concern of an attacker zeroing it out) is no longer a risk?

Thanks guys for the information, very good to know, and yes, the entropy help page should be updated.

Could you perhaps try debian 11 as i have actively installed and used it without any entropy issues.

That is exactly what i was thinking. I am not sure why this move was initiated and why it was thought to be a “good idea”.

The commit needs to be revisited and fixed.

Maybe I’m reading it wrong, but it seems better to me if the rng process is started with a controllable encryption algorithm rather than vulnerable noise sourcing which can be compromised, leading to no randomness. In this way entropy is always secure and cannot be exhausted.

1 Like