RNGD(8)                     System Manager's Manual                    RNGD(8)

NAME
       rngd - Check and feed random data from hardware device to kernel random
       device

SYNOPSIS
       rngd [-b, --background] [-f, --foreground] [-d, --debug] [-l, --list]
       [-x, --exclude] [-n, --include] [-O, --option] [-i, --ignorefail]
       [-o, --random-device=file] [-p, --pid-file=file] [-r, --rng-device=file]
       [-s, --random-step=nnn] [-e, --entropy-count=nnn] [-t, --test]
       [-W, --fill-watermark=nnn] [-R, --force-reseed=nnn] [-q, --quiet]
       [-?, --help] [-V, --version]


DESCRIPTION
       This daemon feeds data from a random number generator to the kernel's
       random number entropy pool, after first checking the data to ensure
       that it is properly random.

       The -f or --foreground option tells rngd not to fork on startup. This
       is typically used for debugging. The -b or --background option, which
       forks and puts rngd into the background automatically, is the default.

       The -r or --rng-device option selects an alternate source of input,
       besides the default /dev/hwrng. The -o or --random-device option
       selects an alternate entropy output device, besides the default
       /dev/random. Note that this device must support the Linux kernel
       /dev/random ioctl API.

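The check-then-feed step the description outlines, as an added example that is not rng-tools code: two of the FIPS 140-2 block tests of the kind --ignorefail refers to, run over one 20000-bit block, followed by the RNDADDENTROPY ioctl that the output device must support, crediting -e bits per byte for one default 64-byte random-step. The rand_pool_info layout and request number are restated locally (matching <linux/random.h>) so it builds without kernel headers; the function names are my own.

```c
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

/* Same layout and request number as <linux/random.h>, spelled out here so the example builds without kernel headers. */
struct rand_pool_info_local { int entropy_count; int buf_size; /* __u32 buf[] follows */ };
#define RNDADDENTROPY_LOCAL _IOW('R', 0x03, int[2])
#define FIPS_BYTES 2500                 /* one FIPS 140-2 block is 20000 bits */

/* Monobit test: the count of one bits must satisfy 9725 < n < 10275. */
int fips_monobit_ok(const uint8_t *blk)
{
    int ones = 0;
    for (int i = 0; i < FIPS_BYTES; i++)
        ones += __builtin_popcount(blk[i]);
    return ones > 9725 && ones < 10275;
}

/* Long-run test: a run of 26 or more identical bits fails the block. */
int fips_longrun_ok(const uint8_t *blk)
{
    int run = 0, last = -1;
    for (int i = 0; i < FIPS_BYTES * 8; i++) {
        int bit = (blk[i / 8] >> (7 - i % 8)) & 1;
        run = (bit == last) ? run + 1 : 1;
        last = bit;
        if (run >= 26) return 0;
    }
    return 1;
}

/* Push up to one 64-byte random-step (rngd -s) of checked bytes into the pool, crediting
 * bits_per_byte (rngd -e, 1..8) bits per byte; needs CAP_SYS_ADMIN. Returns 0 or -1. */
int add_entropy(const char *dev, const uint8_t *buf, int len, int bits_per_byte)
{
    uint32_t pkt[2 + 64 / 4];                  /* 8-byte header + aligned payload */
    struct rand_pool_info_local *hdr = (struct rand_pool_info_local *)pkt;
    if (len < 1 || len > 64 || bits_per_byte < 1 || bits_per_byte > 8)
        return -1;
    hdr->entropy_count = len * bits_per_byte;  /* credit is in bits */
    hdr->buf_size = len;                       /* payload length in bytes */
    memcpy(pkt + 2, buf, len);
    int fd = open(dev, O_WRONLY);
    if (fd < 0) return -1;
    int rc = ioctl(fd, RNDADDENTROPY_LOCAL, pkt);
    close(fd);
    return rc < 0 ? -1 : 0;
}
```

A block that fails either test is what rngd drops (or, with -i, keeps feeding despite repeated failures); the ioctl itself fails with EPERM for an unprivileged caller, which is why the daemon runs as root.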
OPTIONS
       -b, --background
              Become a daemon (default)

       -f, --foreground
              Do not fork and become a daemon

       -d, --debug
              Enable debug messages

       -l, --list
              List the indexes and names of available entropy sources. The
              exit code when listing sources is 0 if at least one entropy
              source was found and initialized, 1 otherwise.

       -x, --exclude
              Disable entropy sources by the index or (shortname) reported by
              the --list option

       -n, --include
              Enable entropy sources by the index or (shortname) reported by
              the --list option

       -O, --option
              Provide specific config options to individual entropy sources,
              in the format --option [index|shortname]:key:value. See the
              ENTROPY SOURCES section below for indices and source-specific
              options. Note that specifying -O [<index>|<shortname>] alone
              prints the available options for that source to the console.

       -p file, --pid-file=file
              File used for recording the daemon PID, and for mutual
              exclusion (default: /var/run/rngd.pid)

       -i, --ignorefail
              Ignore repeated FIPS failures

       -o file, --random-device=file
              Kernel device used for random number output (default:
              /dev/random)

       -r file, --rng-device=file
              Kernel device used for random number input (default: /dev/hwrng)

       -s nnn, --random-step=nnn
              Number of bytes written to random-device at a time (default: 64)

       -t, --test
              Enter test mode. In this mode (which implies -f), all generated
              entropy is discarded and rngd reports the amount of entropy
              generated every second.

       -e nnn, --entropy-count=nnn
              Number of bits per byte to credit as entropy when adding data
              to the pool. 1<=e<=8 (default: 8)

       -W nnn, --fill-watermark=nnn
              Once feeding starts, feed entropy to random-device until at
              least fill-watermark bits of entropy are available in its
              entropy pool. By default, this value is set to 75% of the
              entropy pool size, or 2048 bits if the entropy pool size could
              not be determined. Setting this too high will cause rngd to
              dominate the contents of the entropy pool. Low values will hurt
              system performance during entropy starvation. Do not set
              fill-watermark above the size of the entropy pool (usually 4096
              bits). A value of 0 causes no watermark to be set.

       -R nnn, --force-reseed=nnn
              For newer kernels which support non-blocking entropy pools, it
              is still beneficial to periodically add fresh entropy as a
              reseeding event. --force-reseed defines the number of seconds
              between additions of fresh entropy to the kernel entropy pool.
              Defaults to 5 minutes.

       -q, --quiet
              Suppress all messages

       -?, --help
              Give a short summary of all program options.

       -V, --version
              Print program version

ENTROPY SOURCES
       Hardware RNG (hwrng) [Index 0]
              The Hardware RNG is a generic entropy source that draws entropy
              from a hardware RNG attached by default to /dev/hwrng

       TPM (tpm) [Index 1]
              Entropy drawn from the on-board TPM device. Note that this
              entropy source is deprecated and will be removed soon, as newer
              TPM devices export entropy via /dev/hwrng, which is collected
              by the hwrng source above

       RDRAND/RDSEED (rdrand) [Index 2]
              Entropy drawn from the RDRAND and RDSEED instructions (x86 only)

              Options

              use_aes - select whether rdrand is used to seed a CPRNG that
              produces the entropy, or whether all entropy is drawn directly
              from the rdrand instruction (default 0)

       DARN (darn) [Index 3]
              Entropy drawn from the DARN instruction (ppc64 only)

              Options

              use_aes - select whether the POWER darn instruction is used to
              fill the entropy pool directly, or whether it is used as a
              periodic seed to an AES-based CPRNG (default 1)

       NIST Entropy Beacon (nist) [Index 4]
              Entropy gathered from the NIST network entropy beacon. Note
              that this entropy source is disabled by default, as it should
              never be used for cryptographic purposes, or for any use case
              in which the random data must be known only to a single entity.

       JITTER (jitter) [Index 5]
              Entropy gathered by measuring the timing variance of operations
              on the local CPU

              Options

              thread_count - Set the number of threads that the jitter
              entropy source will spawn

              buffer_size - Set the size of the buffer cache that each thread
              maintains

              refill_thresh - Set the low watermark for the cache that
              triggers its corresponding thread to start refill operations

              retry_count - If all entropy buffers are empty, retry this many
              times before giving up. Note that jitterentropy can take
              several seconds to refill a buffer, so retries after a delay
              may be preferable to repeatedly spinning on an empty buffer
              (default 1)

              retry_delay - Between each retry for retry_count above, sleep
              for this many seconds. May also be the special value -1,
              representing adaptive sleep, where each retry delay is half the
              recorded execution time of the last entropy gathering round
              (default -1)

       PKCS11 (pkcs11) [Index 6]
              Entropy gathered via the OpenSC OpenSSL engine, which can
              extract entropy from various smart card readers

              Options

              engine_path - Set the path of the pkcs11 engine DSO to load

              chunk_size - Some pkcs11 engines restrict how much data can be
              requested at a time; this option allows the request to be
              subdivided into smaller chunks

       RTLSDR (rtlsdr) [Index 7]
              Entropy gathered via the rtl software defined radio library,
              which can gather entropy using various USB software defined
              radios listening to random radio static

              Options

              devid - When multiple devices are available, the integer index
              of the device to use

              freq_min - The minimum frequency of the range to scan

              freq_max - The maximum frequency of the range to scan

              sample_min - The minimum sample rate of the radio

              sample_max - The maximum sample rate of the radio

AUTHORS
       Philipp Rumpf
       Jeff Garzik - jgarzik@pobox.com
       Matt Sottek
       Brad Hill
       Neil Horman - nhorman@tuxdriver.com

rng-tools 6.12                    March 2001                           RNGD(8)