1 .\" Copyright (C) 2008, George Spelvin <linux@horizon.com>,
2 .\" and Copyright (C) 2008, Matt Mackall <mpm@selenic.com>
3 .\" and Copyright (C) 2016, Laurent Georget <laurent.georget@supelec.fr>
4 .\" and Copyright (C) 2016, Nikos Mavrogiannopoulos <nmav@redhat.com>
6 .\" SPDX-License-Identifier: Linux-man-pages-copyleft
8 .\" The following web page is quite informative:
9 .\" http://www.2uo.de/myths-about-urandom/
11 .TH random 7 (date) "Linux man-pages (unreleased)"
13 random \- overview of interfaces for obtaining randomness
15 The kernel random-number generator relies on entropy gathered from
16 device drivers and other sources of environmental noise to seed
17 a cryptographically secure pseudorandom number generator (CSPRNG).
18 It is designed for security, rather than speed.
20 The following interfaces provide access to output from the kernel CSPRNG:
26 devices, both described in
28 These devices have been present on Linux since early times,
29 and are also available on many other systems.
33 system call, available since Linux 3.17.
34 This system call provides access either to the same source as
39 or to the same source as
48 source is selected by specifying the
50 flag to the system call.
53 function provides a slightly more portable interface on top of
56 .SS Initialization of the entropy pool
57 The kernel collects bits of entropy from the environment.
58 When a sufficient number of random bits has been collected, the
59 entropy pool is considered to be initialized.
60 .SS Choice of random source
61 Unless you are doing long-term key generation (and most likely not even
62 then), you probably shouldn't be reading from the
69 Instead, either read from the
76 The cryptographic algorithms used for the
78 source are quite conservative, and so should be sufficient for all purposes.
84 is that the operation can block for an indefinite period of time.
85 Furthermore, dealing with the partially fulfilled
86 requests that can occur when using
90 increases code complexity.
92 .SS Monte Carlo and other probabilistic sampling applications
93 Using these interfaces to provide large quantities of data for
94 Monte Carlo simulations or other programs/algorithms which are
95 doing probabilistic sampling will be slow.
96 Furthermore, it is unnecessary, because such applications do not
97 need cryptographically secure random numbers.
98 Instead, use the interfaces described in this page to obtain
99 a small amount of data to seed a user-space pseudorandom
100 number generator for use by such applications.
102 .SS Comparison between getrandom, /dev/urandom, and /dev/random
103 The following table summarizes the behavior of the various
104 interfaces that can be used to obtain randomness.
106 is a flag that can be used to control the blocking behavior of
108 The final column of the table considers the case that can occur
109 in early boot time when the entropy pool is not yet initialized.
113 lbw13 lbw12 lbw14 lbw18
119 Behavior when pool is not yet ready
126 If entropy too low, blocks until there is enough entropy again
128 Blocks until enough entropy gathered
137 Returns output from uninitialized CSPRNG (may be low entropy and unsuitable for cryptography)
145 Does not block once is pool ready
147 Blocks until pool ready
156 If entropy too low, blocks until there is enough entropy again
158 Blocks until pool ready
167 Does not block once is pool ready
181 if not enough entropy available
188 .SS Generating cryptographic keys
189 The amount of seed material required to generate a cryptographic key
190 equals the effective key size of the key.
191 For example, a 3072-bit RSA
192 or Diffie-Hellman private key has an effective key size of 128 bits
193 (it requires about 2^128 operations to break) so a key generator
194 needs only 128 bits (16 bytes) of seed material from
197 While some safety margin above that minimum is reasonable, as a guard
198 against flaws in the CSPRNG algorithm, no cryptographic primitive
199 available today can hope to promise more than 256 bits of security,
200 so if any program reads more than 256 bits (32 bytes) from the kernel
201 random pool per invocation, or per reasonable reseed interval (not less
202 than one minute), that should be taken as a sign that its cryptography is
204 skillfully implemented.