

16 Configuration files and environment variables

This chapter describes which files and environment variables can be used to change the behaviour of Libgcrypt.

The environment variables considered by Libgcrypt are:

LIBGCRYPT_FORCE_FIPS_MODE

By setting this variable to any value, Libgcrypt is put into FIPS mode at initialization time (see enabling fips mode).

GCRYPT_BARRETT

By setting this variable to any value, a different algorithm for modular reduction is used for ECC.

GCRYPT_RNDUNIX_DBG
GCRYPT_RNDUNIX_DBGALL

These two environment variables are used to enable debug output for the rndunix entropy gatherer, which is used on systems lacking a /dev/random device. The value of GCRYPT_RNDUNIX_DBG is a file name or - for stdout. Debug output is then written to this file. Setting GCRYPT_RNDUNIX_DBGALL to any value will make the debug output more verbose.

GCRYPT_RNDW32_NOPERF

Setting this environment variable on Windows to any value disables the use of performance data (HKEY_PERFORMANCE_DATA) as a source of entropy. On some older Windows systems this could help to speed up the creation of random numbers, but it also decreases the amount of data used to initialize the random number generator.

GCRYPT_RNDW32_DBG

Setting the value of this variable to a positive integer logs information about the Windows entropy gatherer using the standard log interface.

HOME

This is used to locate the socket to connect to the EGD random daemon. The EGD can be used on systems without a /dev/random to speed up the random number generator. It is not needed on the majority of today’s operating systems, and support for EGD requires the use of a configure option at build time.

The files which Libgcrypt uses to retrieve system information and the files which can be created by the user to modify Libgcrypt’s behavior are:

/etc/gcrypt/hwf.deny

This file can be used to disable the use of hardware based optimizations, see hardware features.

/etc/gcrypt/random.conf

This file can be used to globally change parameters of the random generator. The file is a simple text file where empty lines and lines with the first non white-space character being ’#’ are ignored. Supported options are:

disable-jent

Disable the use of the jitter based entropy generator.

only-urandom

Always use the non-blocking /dev/urandom or the respective system call instead of the blocking /dev/random. If Libgcrypt is used early in the boot process of the system, this option should only be used if the system also supports the getrandom system call.

/etc/gcrypt/fips_enabled
/proc/sys/crypto/fips_enabled

On Linux these files are used to enable FIPS mode, see enabling fips mode.

/proc/cpuinfo
/proc/self/auxv

On Linux running on the ARM architecture, these files are used to read hardware capabilities of the CPU.
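
The following added example (not part of the Libgcrypt manual or its source code) shows one way to audit a host for the settings described in this chapter: it parses random.conf text using the comment and empty-line rules given above and reports which of the listed environment variables are present in a process environment block. The function names, the sample inputs and the choice to report lines other than the two documented options are assumptions of this example.

```python
"""Audit the Libgcrypt knobs listed in this chapter (added example)."""

# Names are taken from the chapter; the audit logic itself is an assumption.
# HOME is left out because it is set in almost every environment.
ENV_VARS = (
    "LIBGCRYPT_FORCE_FIPS_MODE", "GCRYPT_BARRETT", "GCRYPT_RNDUNIX_DBG",
    "GCRYPT_RNDUNIX_DBGALL", "GCRYPT_RNDW32_NOPERF", "GCRYPT_RNDW32_DBG",
)
KNOWN_OPTIONS = ("disable-jent", "only-urandom")


def parse_random_conf(text):
    """Split random.conf text into (documented options, other lines)."""
    options, other = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Empty lines and lines whose first non-blank character is '#' are ignored.
        if not line or line.startswith("#"):
            continue
        (options if line in KNOWN_OPTIONS else other).append((lineno, line))
    return options, other


def parse_environ_block(blob):
    """Decode a NUL-separated environment block such as /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env


def libgcrypt_env(env):
    """Return the chapter's variables that are present in env."""
    return {name: env[name] for name in ENV_VARS if name in env}


# Constructed sample inputs, not taken from a real system.
SAMPLE_CONF = "# site policy\n\n   only-urandom\n\t# disable-jent\nonly-urandum\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0GCRYPT_RNDUNIX_DBG=-\0GCRYPT_BARRETT=1\0HOME=/root\0"

if __name__ == "__main__":
    options, other = parse_random_conf(SAMPLE_CONF)
    print("options in effect:", options)
    print("lines that are not a documented option:", other)
    print("Libgcrypt variables set:", libgcrypt_env(parse_environ_block(SAMPLE_ENVIRON)))
```

On a real Linux host the same functions can be fed the contents of /etc/gcrypt/random.conf and the bytes of /proc/<pid>/environ for the process under review.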

