RNDCTL(8)                   System Manager's Manual                  RNDCTL(8)

NAME
     rndctl -- kernel entropy pool management tool

SYNOPSIS
     rndctl [-CcEe] [-d devname | -t devtype]
     rndctl [-lsv] [-d devname | -t devtype]
     rndctl [-i] -L save-file
     rndctl -S save-file

DESCRIPTION
     The rndctl program displays statistics on the current state of the
     rnd(4) device, and controls which sources are allowed to contribute to
     the entropy pool maintained by rnd(4).

     The following options are available:

     -C      Disable collection of statistics from the selected devices.

     -c      Enable collection of statistics from the selected devices.

     -d devname
             Apply the changes to the device devname, or list statistics
             only for devname.

     -E      Disable entropy estimation for the selected devices.  If
             collection is still enabled, data is still collected and mixed
             into the internal entropy pool, but no entropy is assumed to be
             present and data from the selected devices will not unblock
             /dev/random.

     -e      Enable entropy estimation for the selected devices.  rndctl -e
             does not change the estimate provided by the driver; if the
             driver's estimate is zero, as it generally is for devices of
             types other than rng, it remains zero after rndctl -e.

     -i      When using the -L option to load a seed from a file, ignore any
             estimate in the file of the entropy of the seed.  This still
             loads the data into the kernel, but won't unblock /dev/random
             even if the file claims to have adequate entropy.  This is
             useful if the file is on a medium, such as an NFS share, that
             the operator does not know to be secret.

     -L save-file
             Load saved entropy from the file save-file, which was created
             by rndctl -S.  Overwrite it with a seed derived by hashing it
             together with output from /dev/urandom so that the new seed has
             at least as much entropy as either the old seed had or the
             system already has.  If interrupted, either the old seed or the
             new seed will be in place.

     -l      List all sources which are known to the kernel, or, if the -t
             or -d options are supplied, only those specified by the devtype
             or devname.  Details the source, source type, estimated bits,
             sample count, and associated source flags.  Source flags "t"
             and/or "v" may be associated, and indicate time vs. value
             samples, respectively.  The -v option expands this output to
             include individual details about sample counts and bits per
             source.

     -S save-file
             Save entropy to the file save-file for later loading with
             rndctl -L.  The file format is specific to rndctl and includes
             an estimate of the amount of saved entropy and a checksum.  The
             prior internal state of the system entropy pool cannot be
             recovered from save-file, so disclosure of save-file does not
             compromise past secrets drawn from /dev/urandom or equivalent.

     -s      Display statistics on the current state of the entropy pool.

     -t devtype
             Apply the changes to devices of type devtype, or list
             statistics only for devices of that type.  The available types
             are:

     -v      Be verbose when listing sources with the -l option.

HISTORY
     The rndctl
     program was first made available in NetBSD 1.3.
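The seed-file handling described under -L, -i and -S above (load the seed, credit its entropy to the pool or not, then atomically rewrite the file from a hash of the old seed and fresh output) is modelled below as an added example. It is not rndctl's source and does not use rndctl's on-disk format: the file layout, the Pool class, the 256-bit "full" threshold, and the function names are all constructed for illustration, and the fresh parameter stands in for /dev/urandom only so the behaviour can be exercised deterministically.

```python
import hashlib
import hmac
import os
import struct
import tempfile

# Toy seed-file layout, constructed for this example (NOT rndctl's real format):
#   magic (4) | entropy estimate, bits (4, big-endian) | seed (32) | SHA-256 of the rest (32)
MAGIC = b"SEED"
SEED_LEN = 32
POOL_BITS = 256  # assumed threshold at which /dev/random would unblock


class Pool:
    """Minimal stand-in for the kernel entropy pool (assumption: not rnd(4) internals)."""

    def __init__(self):
        self.entropy_bits = 0
        self._state = hashlib.sha256()

    def mix(self, data: bytes, credited_bits: int) -> None:
        # Data is always mixed in; only the credit decides whether /dev/random unblocks.
        self._state.update(data)
        self.entropy_bits = min(POOL_BITS, self.entropy_bits + credited_bits)

    def unblocked(self) -> bool:
        return self.entropy_bits >= POOL_BITS

    def output(self, n: int) -> bytes:
        # Hash the state for output, then ratchet it so the output does not reveal prior state.
        out = hashlib.sha256(self._state.digest() + b"out").digest()[:n]
        self._state.update(b"ratchet")
        return out


def pack_seed(seed: bytes, entropy_bits: int) -> bytes:
    body = MAGIC + struct.pack(">I", entropy_bits) + seed
    return body + hashlib.sha256(body).digest()


def unpack_seed(blob: bytes):
    """Parse and check a seed file; raise ValueError on any corruption."""
    if len(blob) != 4 + 4 + SEED_LEN + 32 or blob[:4] != MAGIC:
        raise ValueError("bad seed file header or length")
    body, csum = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hashlib.sha256(body).digest(), csum):
        raise ValueError("seed file checksum mismatch")
    (bits,) = struct.unpack(">I", body[4:8])
    return body[8:], bits


def read_seed_file(path: str):
    with open(path, "rb") as f:
        return unpack_seed(f.read())


def atomic_write(path: str, data: bytes) -> None:
    """Write to a temp file in the same directory, fsync, then rename over the
    target, so an interruption leaves either the old file or the complete new one."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".seed.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def save_seed(path: str, pool: Pool) -> None:
    """Model of rndctl -S: write a seed drawn from the pool with the pool's current estimate."""
    atomic_write(path, pack_seed(pool.output(SEED_LEN), pool.entropy_bits))


def load_seed(path: str, pool: Pool, ignore_estimate: bool = False, fresh=os.urandom) -> int:
    """Model of rndctl -L [-i]; returns the entropy credited to the pool."""
    seed, file_bits = read_seed_file(path)
    credited = 0 if ignore_estimate else file_bits  # -i: mix the data but credit nothing
    pool.mix(seed, credited)
    # New seed = H(old seed || fresh output); its estimate is at least what the old
    # seed had or what the pool has now (as the -L description states; assumption:
    # the file's own claim is carried forward even under -i).
    new_seed = hashlib.sha256(seed + fresh(SEED_LEN)).digest()
    new_bits = max(file_bits, pool.entropy_bits)
    atomic_write(path, pack_seed(new_seed, new_bits))
    return credited


if __name__ == "__main__":
    d = tempfile.mkdtemp()
    path = os.path.join(d, "entropy-file")  # constructed path, not a system location
    full = Pool()
    full.mix(b"x" * 32, POOL_BITS)
    save_seed(path, full)
    cold = Pool()
    print("credited with -i:", load_seed(path, cold, ignore_estimate=True), "unblocked:", cold.unblocked())
    warm = Pool()
    print("credited without -i:", load_seed(path, warm), "unblocked:", warm.unblocked())
```

The two properties worth checking are the ones the option text promises: a -i load mixes the data but leaves /dev/random blocked, and a failure between reading the old file and finishing the rewrite leaves the old file byte-for-byte intact with no stray temp file.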
AUTHORS
     The rndctl program was written by Michael Graff <explorer@flame.org>.

NetBSD 10.99                    June 25, 2025                     NetBSD 10.99