Haveged daemon available for web hosting customers

Recently, our server admins installed and configured the haveged daemon for most of our hosting services – it is available for all cloud web hosting accounts, on our semi-dedicated servers and for both the Virtuozzo virtual private servers and the OpenVZ virtual private servers. It’s a relatively small piece of software designed to do just one thing – fill up the server’s entropy pool. With a full entropy pool, applications that use random data will work much faster. What this means for your websites and web applications is that if you have any piece of software that uses random data (an installed SSL certificate, encrypted databases, a random dice roll app, etc.), it will work much, much faster.

What is an entropy pool?

The entropy pool is the place where all random data is gathered on a Linux machine. This data is used by almost every server app that needs random numbers. It’s collected from hardware interrupts triggered by mice, keyboards, disk drives or I/O devices. Servers usually have neither keyboards nor mice, so the entropy pool receives data from fewer sources.

How does the haveged daemon fill the entropy pool?

The haveged daemon sends a stream of small requests to the CPU and gathers the variations in its responses, feeding them into the entropy pool. Tests show that servers running the haveged daemon fill up the pool almost instantly.

How will all this affect the server’s performance and your websites?

There are two primary random data feeding sources on every Linux machine – /dev/random and /dev/urandom. The first one waits until the entropy pool is full and then gathers the random data. It’s the default ‘go-to’ for all apps looking for random numbers. The problem is that it works only when the pool is sufficiently full. In comparison, /dev/urandom works even when the pool is nearly empty, but it returns much less random data.
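If you want to see the state of the entropy pool described above for yourself, the following shell script is an added example (not part of this post and not haveged’s own tooling) that reads the kernel’s entropy estimate and pool size, checks whether a haveged process is running, and confirms that /dev/urandom hands back the bytes it is asked for without blocking. The paths under /proc/sys/kernel/random are the standard Linux ones; the “below a quarter of the pool counts as low” rule is an assumed illustrative threshold, not a kernel or haveged constant.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the kernel entropy pool,
# check whether the haveged daemon is running, and confirm that /dev/urandom
# returns the requested bytes without blocking. POSIX sh, Linux /proc paths.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
POOLSIZE_FILE=/proc/sys/kernel/random/poolsize

# Print the kernel's current entropy estimate (bits), or "unavailable".
current_entropy() {
    if [ -r "$ENTROPY_FILE" ]; then
        cat "$ENTROPY_FILE"
    else
        echo unavailable
    fi
}

# Print the pool size (bits), falling back to 4096, the classic input pool size.
pool_size() {
    if [ -r "$POOLSIZE_FILE" ]; then
        cat "$POOLSIZE_FILE"
    else
        echo 4096
    fi
}

# entropy_level AVAIL POOLSIZE -> "low", "ok" or "unknown".
# "Less than a quarter of the pool is low" is an assumed illustrative threshold.
entropy_level() {
    avail="$1"
    size="$2"
    case "$avail" in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    case "$size" in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ $((avail * 4)) -lt "$size" ]; then
        echo low
        return 1
    fi
    echo ok
}

# Exit 0 if a process named haveged is running, 1 otherwise.
haveged_running() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x haveged >/dev/null 2>&1
    else
        ps -e 2>/dev/null | grep -q '[h]aveged'
    fi
}

# urandom_bytes N -> number of bytes obtained when asking /dev/urandom for N.
# /dev/urandom does not block on a low pool, so this should equal N.
urandom_bytes() {
    n="$1"
    dd if=/dev/urandom bs="$n" count=1 2>/dev/null | wc -c | tr -d ' '
}

report() {
    avail=$(current_entropy)
    size=$(pool_size)
    echo "entropy_avail: $avail / poolsize: $size -> $(entropy_level "$avail" "$size")"
    if haveged_running; then
        echo "haveged: running"
    else
        echo "haveged: not running"
    fi
    echo "bytes obtained from /dev/urandom (asked for 65536): $(urandom_bytes 65536)"
}

report
```

The level is computed relative to poolsize rather than against a fixed number because the figures differ between kernel generations: older kernels report a 4096-bit input pool, while recent ones report a much smaller fixed pool size (256 bits) once the generator is initialised, so a hard-coded threshold would mislead on one or the other. Note that entropy_avail is the kernel’s bookkeeping estimate, not a measurement of how unpredictable the output actually is.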

A random data pool that is low on entropy can severely affect the security of the client-server communication, lowering the chance that your data will remain safe from cryptanalysis.

In stark contrast, an entropy pool that fills up fast will increase not only the security of the client-server communication, but also its speed.

Here is a simple test scenario – accessing encrypted data in a MySQL database using the mcrypt PHP extension.

If you want to store encrypted data in a database, the mcrypt PHP extension has to encrypt this data first. To do that, it uses random data from the entropy pool. With a fuller pool, the encryption will be better and the process will be completed faster, resulting in faster database queries. The same applies to the reverse process – accessing already encrypted information.

Our tests show that the same database works about 10 times faster when the server is running the haveged daemon.

The best part is that there are no code changes or data validation modifications required.

admin: