An expert say it's not secure enough only when your device has very little activity (such as headless or embedded device)[1]. But his research was performed a decade ago, so i don't know if it's applicable in 2022. Besides, average customer PC have lots activity including mouse movement, keyboard input and various application which opened on background after you login. So i wouldn't worry about insufficient entropy.


According to research i mentioned earlier, at least 1 minute. Although i'd recommend to do some activity (such as checking system log, perform internet speed test or use file explorer) to increase the entropy instead.


If both live machine and VM has lots of activity and you wait few minutes, i don't see reason why it's not safe.

[1] https://dl.acm.org/doi/10.5555/2362793.2362828