1SYSTEMD-RANDOM-SEED.SERVICEs(y8s)temd-random-seed.serSvYiScTeEMD-RANDOM-SEED.SERVICE(8)
2
3
4

NAME

6       systemd-random-seed.service, systemd-random-seed - Load and save the
7       system random seed at boot and shutdown
8

SYNOPSIS

10       systemd-random-seed.service
11
12       /usr/lib/systemd/random-seed
13

DESCRIPTION

15       systemd-random-seed.service is a service that loads an on-disk random
16       seed into the kernel entropy pool during boot and saves it at shutdown.
17       See random(4) for details. By default, no entropy is credited when the
18       random seed is written into the kernel entropy pool, but this may be
19       changed with $SYSTEMD_RANDOM_SEED_CREDIT, see below. On disk the random
20       seed is stored in /var/lib/systemd/random-seed.
21
22       Note that this service runs relatively late during the early boot
23       phase, i.e. generally after the initial RAM disk (initrd) completed its
24       work, and the /var/ file system has been mounted writable. Many system
25       services require entropy much earlier than this — this service is hence
26       of limited use for complex system. It is recommended to use a boot
27       loader that can pass an initial random seed to the kernel to ensure
28       that entropy is available from earliest boot on, for example systemd-
29       boot(7), with its bootctl random-seed functionality.
30
31       When loading the random seed from disk, the file is immediately updated
32       with a new seed retrieved from the kernel, in order to ensure no two
33       boots operate with the same random seed. This new seed is retrieved
34       synchronously from the kernel, which means the service will not
35       complete start-up until the random pool is fully initialized. On
36       entropy-starved systems this may take a while. This functionality is
37       intended to be used as synchronization point for ordering services that
38       require an initialized entropy pool to function securely (i.e. services
39       that access /dev/urandom without any further precautions).
40
41       Care should be taken when creating OS images that are replicated to
42       multiple systems: if the random seed file is included unmodified each
43       system will initialize its entropy pool with the same data, and thus —
44       if otherwise entropy-starved — generate the same or at least guessable
45       random seed streams. As a safety precaution crediting entropy is thus
46       disabled by default. It is recommended to remove the random seed from
47       OS images intended for replication on multiple systems, in which case
48       it is safe to enable entropy crediting, see below. Also see Safely
49       Building Images[1].
50
51       See Random Seeds[2] for further information.
52

ENVIRONMENT

54       $SYSTEMD_RANDOM_SEED_CREDIT
55           By default, systemd-random-seed.service does not credit any entropy
56           when loading the random seed. With this option this behaviour may
57           be changed: it either takes a boolean parameter or the special
58           string "force". Defaults to false, in which case no entropy is
59           credited. If true, entropy is credited if the random seed file and
60           system state pass various superficial concisistency checks. If set
61           to "force" entropy is credited, regardless of these checks, as long
62           as the random seed file exists.
63

SEE ALSO

65       systemd(1), random(4), systemd-boot(7), bootctl(4)
66

NOTES

68        1. Safely Building Images
69           https://systemd.io/BUILDING_IMAGES
70
71        2. Random Seeds
72           https://systemd.io/RANDOM_SEEDS
73
74
75
76systemd 251                                     SYSTEMD-RANDOM-SEED.SERVICE(8)
Impressum