SYSTEMD-RANDOM-SEED.SERVICE(8)    systemd-random-seed.service    SYSTEMD-RANDOM-SEED.SERVICE(8)

NAME

       systemd-random-seed.service, systemd-random-seed - Load and save the OS
       system random seed at boot and shutdown

SYNOPSIS

       systemd-random-seed.service

       /usr/lib/systemd/systemd-random-seed

DESCRIPTION

       systemd-random-seed.service is a service that loads an on-disk random
       seed into the kernel entropy pool during boot and saves it at shutdown.
       See random(4) for details. By default, no entropy is credited when the
       random seed is written into the kernel entropy pool, but this may be
       changed with $SYSTEMD_RANDOM_SEED_CREDIT, see below. On disk the random
       seed is stored in /var/lib/systemd/random-seed.

       Note that this service runs relatively late during the early boot
       phase, i.e. generally after the initrd phase has finished and the /var/
       file system has been mounted. Many system services require entropy much
       earlier than this — this service is hence of limited use for complex
       systems. It is recommended to use a boot loader that can pass an initial
       random seed to the kernel to ensure that entropy is available from
       earliest boot on, for example systemd-boot(7), with its bootctl
       random-seed functionality.

       When loading the random seed from disk, the file is immediately updated
       with a new seed retrieved from the kernel, in order to ensure no two
       boots operate with the same random seed. This new seed is retrieved
       synchronously from the kernel, which means the service will not
       complete start-up until the random pool is fully initialized. On
       entropy-starved systems this may take a while. This functionality is
       intended to be used as a synchronization point for ordering services
       that require an initialized entropy pool to function securely (i.e.
       services that access /dev/urandom without any further precautions).

       Care should be taken when creating OS images that are replicated to
       multiple systems: if the random seed file is included unmodified, each
       system will initialize its entropy pool with the same data, and thus —
       if otherwise entropy-starved — generate the same or at least guessable
       random seed streams. As a safety precaution, crediting entropy is thus
       disabled by default. It is recommended to remove the random seed from
       OS images intended for replication on multiple systems, in which case
       it is safe to enable entropy crediting, see below. Also see Safely
       Building Images[1].

       See Random Seeds[2] for further information.

ENVIRONMENT

       $SYSTEMD_RANDOM_SEED_CREDIT
           By default, systemd-random-seed.service does not credit any entropy
           when loading the random seed. With this option this behaviour may
           be changed: it either takes a boolean parameter or the special
           string "force". Defaults to false, in which case no entropy is
           credited. If true, entropy is credited if the random seed file and
           system state pass various superficial consistency checks. If set
           to "force", entropy is credited regardless of these checks, as long
           as the random seed file exists.
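
       Added example, not part of the systemd manual: a pre-replication audit
       of an unpacked image tree that flags a shipped random seed file and
       whether crediting is enabled for it. The function names are
       hypothetical, and only drop-ins under etc/systemd/system/ are inspected.

```shell
#!/bin/sh
# Added example: audit an unpacked OS image tree (ROOT) before replicating it.
# Assumption: the variable is set through an Environment= line in a drop-in
# under ROOT/etc/systemd/system/systemd-random-seed.service.d/.

# Print the last SYSTEMD_RANDOM_SEED_CREDIT value found, lowercased,
# or "unset" when no drop-in sets it.
seed_credit_setting() {
    dir="$1/etc/systemd/system/systemd-random-seed.service.d"
    val=$(cat "$dir"/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*Environment=.*SYSTEMD_RANDOM_SEED_CREDIT=\([A-Za-z0-9]*\).*/\1/p' |
        tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${val:-unset}"
}

# Return 0 if the image ships no seed, 1 if it ships a seed that is not
# credited, 2 if it ships a seed and crediting is enabled (every clone
# would credit the same seed data).
audit_image() {
    seed="$1/var/lib/systemd/random-seed"
    credit=$(seed_credit_setting "$1")
    if [ ! -e "$seed" ]; then
        echo "OK: no random seed in image (credit=$credit)"
        return 0
    fi
    case $credit in
        1|yes|y|true|t|on|force)
            echo "FAIL: seed shipped and credit=$credit; remove $seed"
            return 2 ;;
        *)
            echo "WARN: seed shipped (credit=$credit); remove $seed"
            return 1 ;;
    esac
}

# Stand-alone use: pass the image root as the first argument.
if [ $# -gt 0 ]; then audit_image "$1"; fi
```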

SEE ALSO

       systemd(1), random(4), systemd-boot(7), systemd-stub(7), bootctl(4),
       systemd-boot-random-seed.service(8)

NOTES

        1. Safely Building Images
           https://systemd.io/BUILDING_IMAGES

        2. Random Seeds
           https://systemd.io/RANDOM_SEEDS

systemd 253                                     SYSTEMD-RANDOM-SEED.SERVICE(8)