While trying to reproduce a problem with the gcrypt remote, I found that the encryption step can hand on this gpg command:

gpg --batch --no-tty --use-agent --quiet --trust-model always --gen-random --armor 2 512

I think that "depletes the entropy pool", as witnessed by the state of the kernel entropy pool in /proc/sys/kernel/random/entropy_avail. As it turns out, --gen-random 2 reads bytes from /dev/random and, indeed, by default that pool is 4096 bits large so the above command completely drains that pool to zero because it creates a 4096 bit (512 bytes * 8) key. It can take several minutes to "refill" the pool, which means batch-creating keys like this can take forever and also have an impact on other components of the system which rely on the kernel random number generator.

Using /dev/random in that way is a somewhat controversial practice. Indeed, some people recommend using urandom for all purposes, including secret key material generation.

From what I understand urandom and random basically use the same entropy source on Linux: the only difference is the latter blocks when it "thinks" it does not have enough entropy. But this (running out of entropy, not "thinking" that we do) basically never happens on Linux systems unless we are on the very first boot after an install. Because it's unlikely that git-annex will run on such an environment, I would discourage the use of --gen-random 2 in git-annex.

I strangely could not find out where exactly gpg is called in that way. All i could find was Util.Gpg.genRandom but that seems to hardcode --gen-random 1, not 2, so I don't exactly know what's going on here. But I'm pretty sure it's git-annex calling it:

anarcat  12745  0.3  0.2 1074098148 36304 pts/6 Sl+ 13:34   0:00              \_ /usr/bin/git-annex initremote encrypted type=gcrypt gitrepo=/home/anarcat/tmp/b keyid=8DC901CE64146C048AD50FBB792152527B75921E
anarcat  12753  0.0  0.0  16028  3652 pts/6    S+   13:34   0:00                  \_ git --git-dir=.git --work-tree=. --literal-pathspecs cat-file --batch
anarcat  12754  0.0  0.0  16028  3308 pts/6    S+   13:34   0:00                  \_ git --git-dir=.git --work-tree=. --literal-pathspecs cat-file --batch-check=%(objectname) %(objecttype) %(objectsize)
anarcat  12756  0.0  0.0  33476  3784 pts/6    SL+  13:34   0:00                  \_ gpg --batch --no-tty --use-agent --quiet --trust-model always --gen-random --armor 2 512

I was hoping this was something git-remote-gcrypt would be doing, but it's not: this is git-annex calling. Maybe some off-by-one conversion error somewhere?

Thank you for your time... -- anarcat

closing --Joey