This chapter describes which files and environment variables can be used to change the behaviour of Libgcrypt.
The environment variables considered by Libgcrypt are:
By setting this variable to any value, Libgcrypt is put into FIPS mode at initialization time (see enabling fips mode).
By setting this variable to any value, a different algorithm for modular reduction is used for ECC.
These two environment variables are used to enable debug output for the rndunix entropy gatherer, which is used on systems lacking a /dev/random device. The value of GCRYPT_RNDUNIX_DBG is a file name, or - for stdout. Debug output is then written to this file. Setting GCRYPT_RNDUNIX_DBGALL to any value makes the debug output more verbose.
Setting this environment variable on Windows to any value disables the use of performance data (HKEY_PERFORMANCE_DATA) as source for entropy. On some older Windows systems this could help to speed up the creation of random numbers but also decreases the amount of data used to init the random number generator.
Setting the value of this variable to a positive integer logs information about the Windows entropy gatherer using the standard log interface.
This is used to locate the socket to connect to the EGD random daemon. The EGD can be used on systems without a /dev/random to speed up the random number generator. It is not needed on the majority of today’s operating systems, and support for EGD requires the use of a configure option at build time.
The files which Libgcrypt uses to retrieve system information and the files which can be created by the user to modify Libgcrypt’s behavior are:
This file can be used to disable the use of hardware based optimizations, see hardware features.
This file can be used to globally change parameters of the random generator. The file is a simple text file where empty lines and lines with the first non white-space character being ’#’ are ignored. Supported options are:
Disable the use of the jitter based entropy generator.
Always use the non-blocking /dev/urandom or the respective system call instead of the blocking /dev/random. If Libgcrypt is used early in the boot process of the system, this option should only be used if the system also supports the getrandom system call.
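An added example, not part of the Libgcrypt manual or code base: a small Python audit helper that applies the parsing rules above to the text of the random generator configuration file and also reports the two rndunix debug variables when they are set. The option names `disable-jent` and `only-urandom` are assumptions taken from upstream Libgcrypt, as this page does not show them; the function names and the sample file are constructed.

```python
import os

# Option names assumed from upstream Libgcrypt (they are not shown on this page).
KNOWN_OPTIONS = {
    "disable-jent": "jitter based entropy generator disabled",
    "only-urandom": "non-blocking /dev/urandom (or system call) always used; "
                    "early-boot use needs getrandom support",
}
# Debug variables named in the text above.
DEBUG_ENV_VARS = ("GCRYPT_RNDUNIX_DBG", "GCRYPT_RNDUNIX_DBGALL")


def parse_random_conf(text):
    """Return (active, unknown) as lists of (line_number, line_content)."""
    active, unknown = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Empty lines and lines whose first non-blank character is '#' are ignored.
        if not line or line.startswith("#"):
            continue
        (active if line in KNOWN_OPTIONS else unknown).append((lineno, line))
    return active, unknown


def audit(conf_text, environ):
    """Return human-readable findings for a config text and an environment mapping."""
    findings = []
    active, unknown = parse_random_conf(conf_text)
    for lineno, opt in active:
        findings.append(f"random.conf:{lineno}: {opt}: {KNOWN_OPTIONS[opt]}")
    for lineno, opt in unknown:
        findings.append(f"random.conf:{lineno}: unrecognised line {opt!r}")
    for name in DEBUG_ENV_VARS:
        if name in environ:  # "any value" enables it, so presence is what matters
            findings.append(f"env: {name}={environ[name]!r}: rndunix debug output enabled")
    return findings


# Constructed sample input; line 7 is a deliberate typo (underscore instead of dash).
SAMPLE_CONF = """# constructed sample
   # indented comment

only-urandom
  disable-jent
#disable-jent
disable_jent
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, os.environ)))
```

Pass the contents of the real configuration file as `conf_text`. A misspelled option is reported as an unrecognised line rather than counted as active.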
On Linux these files are used to enable FIPS mode, see enabling fips mode.
On Linux running on the ARM architecture, these files are used to read hardware capabilities of the CPU.