RANDOM(4)                 Linux Programmer's Manual                 RANDOM(4)

random, urandom - kernel random number source devices

The character special files /dev/random and /dev/urandom (present since
Linux 1.3.30) provide an interface to the kernel's random number
generator. File /dev/random has major device number 1 and minor device
number 8. File /dev/urandom has major device number 1 and minor device
number 9.

The random number generator gathers environmental noise from device
drivers and other sources into an entropy pool. The generator also
keeps an estimate of the number of bits of noise in the entropy pool.
From this entropy pool random numbers are created.

When read, the /dev/random device will only return random bytes within
the estimated number of bits of noise in the entropy pool. /dev/random
should be suitable for uses that need very high quality randomness such
as one-time pad or key generation. When the entropy pool is empty,
reads from /dev/random will block until additional environmental noise
is gathered.

A read from the /dev/urandom device will not block waiting for more
entropy. As a result, if there is not sufficient entropy in the
entropy pool, the returned values are theoretically vulnerable to a
cryptographic attack on the algorithms used by the driver. Knowledge
of how to do this is not available in the current non-classified
literature, but it is theoretically possible that such an attack may
exist. If this is a concern in your application, use /dev/random
instead.

Usage
If you are unsure about whether you should use /dev/random or
/dev/urandom, then probably you want to use the latter. As a general
rule, /dev/urandom should be used for everything except long-lived
GPG/SSL/SSH keys.

If a seed file is saved across reboots as recommended below (all major
Linux distributions have done this since 2000 at least), the output is
cryptographically secure against attackers without local root access as
soon as it is reloaded in the boot sequence, and perfectly adequate for
network encryption session keys. Since reads from /dev/random may
block, users will usually want to open it in non-blocking mode (or
perform a read with timeout), and provide some sort of user
notification if the desired entropy is not immediately available.

The kernel random-number generator is designed to produce a small
amount of high-quality seed material to seed a cryptographic
pseudo-random number generator (CPRNG). It is designed for security,
not speed, and is poorly suited to generating large amounts of random
data. Users should be very economical in the amount of seed material
that they read from /dev/urandom (and /dev/random); unnecessarily
reading large quantities of data from this device will have a negative
impact on other users of the device.

The amount of seed material required to generate a cryptographic key
equals the effective key size of the key. For example, a 3072-bit RSA
or Diffie-Hellman private key has an effective key size of 128 bits (it
requires about 2^128 operations to break) so a key generator only needs
128 bits (16 bytes) of seed material from /dev/random.

While some safety margin above that minimum is reasonable, as a guard
against flaws in the CPRNG algorithm, no cryptographic primitive
available today can hope to promise more than 256 bits of security, so
if any program reads more than 256 bits (32 bytes) from the kernel
random pool per invocation, or per reasonable re-seed interval (not
less than one minute), that should be taken as a sign that its
cryptography is not skilfully implemented.
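
The non-blocking read with a timeout and the 256-bit ceiling described above, together with a check of the device numbers given at the top of this page, as an added example that is not part of the original manual page. The helper read_seed() and the SEED_* names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

#define SEED_MAX 32 /* 256 bits: the per-invocation ceiling given in the text */
enum { SEED_EIO = -1, SEED_ENOTRNG = -2, SEED_ETIMEOUT = -3, SEED_EBADLEN = -4 };

/* Hypothetical helper: returns len on success, a SEED_E* code otherwise.
 * timeout_ms bounds each wait for data, not the whole call. */
int read_seed(const char *path, unsigned char *buf, size_t len, int timeout_ms)
{
    struct stat st;
    size_t got = 0;
    int rc = SEED_EIO, fd;
    if (len == 0 || len > SEED_MAX) return SEED_EBADLEN;
    if ((fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC)) < 0)
        return SEED_EIO;
    if (fstat(fd, &st) != 0) goto out;
    /* Accept only character device 1:8 (random) or 1:9 (urandom). */
    if (!S_ISCHR(st.st_mode) || major(st.st_rdev) != 1 ||
        (minor(st.st_rdev) != 8 && minor(st.st_rdev) != 9)) {
        rc = SEED_ENOTRNG;
        goto out;
    }
    while (got < len) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int n = poll(&p, 1, timeout_ms);
        if (n == 0) { rc = SEED_ETIMEOUT; goto out; } /* caller notifies the user */
        if (n < 0) { if (errno == EINTR) continue; goto out; }
        ssize_t r = read(fd, buf + got, len - got);   /* may return fewer bytes */
        if (r > 0) got += (size_t)r;
        else if (r == 0 || (errno != EAGAIN && errno != EINTR)) goto out;
    }
    rc = (int)len;
out:
    close(fd);
    return rc;
}

int main(void) {
    unsigned char key[16]; /* 128 bits, as in the 3072-bit RSA example */
    int rc = read_seed("/dev/random", key, sizeof key, 2000);
    if (rc < 0) fprintf(stderr, "entropy not available (code %d)\n", rc);
    return rc < 0;
}
```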

Configuration
If your system does not have /dev/random and /dev/urandom created
already, they can be created with the following commands:

    mknod -m 644 /dev/random c 1 8
    mknod -m 644 /dev/urandom c 1 9
    chown root:root /dev/random /dev/urandom

When a Linux system starts up without much operator interaction, the
entropy pool may be in a fairly predictable state. This reduces the
actual amount of noise in the entropy pool below the estimate. In
order to counteract this effect, it helps to carry entropy pool
information across shut-downs and start-ups. To do this, add the
following lines to an appropriate script which is run during the Linux
system start-up sequence:

    echo "Initializing random number generator..."
    random_seed=/var/run/random-seed
    # Carry a random seed from start-up to start-up
    # Load and then save the whole entropy pool
    if [ -f $random_seed ]; then
        cat $random_seed >/dev/urandom
    else
        touch $random_seed
    fi
    chmod 600 $random_seed
    # poolsize is in bytes on Linux 2.4 but in bits on Linux 2.6
    # (see /proc Interface)
    poolfile=/proc/sys/kernel/random/poolsize
    [ -r $poolfile ] && bytes=`cat $poolfile` || bytes=512
    dd if=/dev/urandom of=$random_seed count=1 bs=$bytes

Also, add the following lines in an appropriate script which is run
during the Linux system shutdown:

    # Carry a random seed from shut-down to start-up
    # Save the whole entropy pool
    echo "Saving random seed..."
    random_seed=/var/run/random-seed
    touch $random_seed
    chmod 600 $random_seed
    poolfile=/proc/sys/kernel/random/poolsize
    [ -r $poolfile ] && bytes=`cat $poolfile` || bytes=512
    dd if=/dev/urandom of=$random_seed count=1 bs=$bytes

/proc Interface
The files in the directory /proc/sys/kernel/random (present since
2.3.16) provide an additional interface to the /dev/random device.

The read-only file entropy_avail gives the available entropy.
Normally, this will be 4096 (bits), a full entropy pool.

The file poolsize gives the size of the entropy pool. The semantics of
this file vary across kernel versions:

    Linux 2.4:  This file gives the size of the entropy pool in
                bytes. Normally, this file will have the value 512,
                but it is writable, and can be changed to any value
                for which an algorithm is available. The choices
                are 32, 64, 128, 256, 512, 1024, or 2048.

    Linux 2.6:  This file is read-only, and gives the size of the
                entropy pool in bits. It contains the value 4096.

The file read_wakeup_threshold contains the number of bits of entropy
required for waking up processes that sleep waiting for entropy from
/dev/random. The default is 64. The file write_wakeup_threshold
contains the number of bits of entropy below which we wake up processes
that do a select(2) or poll(2) for write access to /dev/random. These
values can be changed by writing to the files.

The read-only files uuid and boot_id contain random strings like
6fd5a44b-35f4-4ad4-a9b9-6b9be13e1fe9. The former is generated afresh
for each read, the latter was generated once.

/dev/random
/dev/urandom

mknod(1)
RFC 1750, "Randomness Recommendations for Security"

This page is part of release 3.22 of the Linux man-pages project. A
description of the project, and information about reporting bugs, can
be found at http://www.kernel.org/doc/man-pages/.

Linux                             2008-06-20                        RANDOM(4)