Running out of entropy

Some of our services make a million UUIDs per day. I have recently been worried about how random they are, and especially with the question are we creating duplicates? I use Java's java.util.UUID.randomUUID() to create the UUIDs. These are created using random data from /dev/urandom. I have been told that /dev/urandom never blocks and never runs out of randomness. I find this hard to believe.

You check on how many bytes of entropy are available using

    cat /proc/sys/kernel/random/entropy_avail

Our counts are always less than 200. That is not enough. And so my concern is that I have a system that depends on random UUIDs that does not have enough entropy and so, so as not to block, it is using math to get randomness. I don't trust math randomness.

I don't yet have the full picture yet. Hopefully I will soon.

See Check available entropy in Linux.

No comments: