SYSTEMD-RANDOM-SEED.SERVICE(8)   systemd-random-seed.service   SYSTEMD-RANDOM-SEED.SERVICE(8)

NAME
       systemd-random-seed.service, systemd-random-seed - Load and save the
       system random seed at boot and shutdown

SYNOPSIS
       systemd-random-seed.service

       /usr/lib/systemd/random-seed

DESCRIPTION
       systemd-random-seed.service is a service that loads an on-disk random
       seed into the kernel entropy pool during boot and saves it at shutdown.
       See random(4) for details. By default, no entropy is credited when the
       random seed is written into the kernel entropy pool, but this may be
       changed with $SYSTEMD_RANDOM_SEED_CREDIT, see below. On disk the random
       seed is stored in /var/lib/systemd/random-seed.

       Note that this service runs relatively late during the early boot
       phase, i.e. generally after the initial RAM disk (initrd) has completed
       its work and the /var/ file system has been mounted writable. Many
       system services require entropy much earlier than this — this service
       is hence of limited use for complex systems. It is recommended to use a
       boot loader that can pass an initial random seed to the kernel to
       ensure that entropy is available from earliest boot on, for example
       systemd-boot(7), with its bootctl random-seed functionality.

       When loading the random seed from disk, the file is immediately updated
       with a new seed retrieved from the kernel, in order to ensure no two
       boots operate with the same random seed. This new seed is retrieved
       synchronously from the kernel, which means the service will not
       complete start-up until the random pool is fully initialized. On
       entropy-starved systems this may take a while. This functionality is
       intended to be used as a synchronization point for ordering services
       that require an initialized entropy pool to function securely (i.e.
       services that access /dev/urandom without any further precautions).

       Care should be taken when creating OS images that are replicated to
       multiple systems: if the random seed file is included unmodified, each
       system will initialize its entropy pool with the same data, and thus —
       if otherwise entropy-starved — generate the same or at least guessable
       random seed streams. As a safety precaution crediting entropy is thus
       disabled by default. It is recommended to remove the random seed from
       OS images intended for replication on multiple systems, in which case
       it is safe to enable entropy crediting, see below. Also see Safely
       Building Images[1].

       See Random Seeds[2] for further information.

ENVIRONMENT
       $SYSTEMD_RANDOM_SEED_CREDIT
           By default, systemd-random-seed.service does not credit any entropy
           when loading the random seed. With this option this behaviour may
           be changed: it either takes a boolean parameter or the special
           string "force". Defaults to false, in which case no entropy is
           credited. If true, entropy is credited if the random seed file and
           system state pass various superficial consistency checks. If set
           to "force", entropy is credited regardless of these checks, as long
           as the random seed file exists.

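As an added example (not part of this manual page and not systemd's own code), a POSIX sh helper that applies the image-replication advice above: it reports and strips a seed baked into an image tree, detects clones that share one seed, and writes a unit drop-in enabling $SYSTEMD_RANDOM_SEED_CREDIT only once the seed is gone. The drop-in file name credit.conf and the function names are assumptions; the seed path is the one documented above.

```shell
#!/bin/sh
# Added example, not part of systemd. $1 is the root of an unpacked OS
# image tree; all paths below are relative to it.

SEED_REL=var/lib/systemd/random-seed
# Drop-in location is an assumption; any name under the .d directory works.
DROPIN_REL=etc/systemd/system/systemd-random-seed.service.d/credit.conf

# Print the number of seed bytes baked into the image, or 0 if none.
image_seed_size() {
    root=$1
    if [ -f "$root/$SEED_REL" ]; then
        wc -c < "$root/$SEED_REL" | tr -d ' '
    else
        echo 0
    fi
}

# Remove the seed so each clone starts from its own fresh seed on first
# boot, as the manual page recommends for replicated images.
strip_image_seed() {
    rm -f "$1/$SEED_REL"
}

# Write a drop-in turning on entropy crediting. Refuses while a seed is
# still present, because identical replicated seeds must not be credited.
enable_credit() {
    root=$1
    if [ "$(image_seed_size "$root")" -ne 0 ]; then
        echo "refusing: $SEED_REL still present in $root" >&2
        return 1
    fi
    mkdir -p "$root/$(dirname "$DROPIN_REL")"
    printf '[Service]\nEnvironment=SYSTEMD_RANDOM_SEED_CREDIT=true\n' \
        > "$root/$DROPIN_REL"
}

# Detect clones that share one seed: prints DUPLICATE if any two image
# roots given as arguments carry byte-identical seed files, else OK.
find_shared_seeds() {
    for a; do for b; do
        [ "$a" = "$b" ] && continue
        [ -f "$a/$SEED_REL" ] && [ -f "$b/$SEED_REL" ] &&
            cmp -s "$a/$SEED_REL" "$b/$SEED_REL" &&
            { echo DUPLICATE; return 0; }
    done; done
    echo OK
}
```

Run find_shared_seeds over all image roots before publishing them; the service's own boot-time rewrite of the seed file does not help if every clone starts from the same bytes.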
SEE ALSO
       systemd(1), random(4), systemd-boot(7), bootctl(4)

NOTES
        1. Safely Building Images
           https://systemd.io/BUILDING_IMAGES

        2. Random Seeds
           https://systemd.io/RANDOM_SEEDS

systemd 251                                        SYSTEMD-RANDOM-SEED.SERVICE(8)