RNDCTL(8) System Manager's Manual RNDCTL(8)

rndctlkernel entropy pool management tool

rndctl [-CcEe] [-d devname | -t devtype]

rndctl [-lsv] [-d devname | -t devtype]

rndctl [-i] -L save-file

rndctl -S save-file

The rndctl program displays statistics on the current state of the rnd(4) device, and controls which sources are allowed to contribute to the entropy pool maintained by rnd(4).

The following options are available:

Disable collection of data for the given device name or device type.
Enable collection of data for the given device name or device type.
Only the device named devname is altered or displayed. This is mutually exclusive with -t.
Ignore estimates of entropy from the drivers for the given device name or type.

If collection is still enabled, data is still collected and mixed into the internal entropy pool, but no entropy is assumed to be present and data from the selected devices will not unblock /dev/random.

Accept estimates of entropy from the drivers for the given device name or type.

rndctl -e does not change the estimate provided by the driver; if the driver's estimate is zero, as it generally is for devices of types other than rng, it remains zero after rndctl -e.

With the -L option to load a seed from a file, ignore any estimate in the file of the entropy of the seed. This still loads the data into the kernel, but won't unblock /dev/random even if the file claims to have adequate entropy. This is useful if the file is on a medium, such as an NFS share, that the operator does not know to be secret.
Load a seed from save-file generated by rndctl -S. Overwrite it with a seed derived by hashing it together with output from /dev/urandom so that the new seed has at least as much entropy as either the old seed had or the system already has. If interrupted, either the old seed or the new seed will be in place.
List all sources, or, if the -t or -d options are supplied, only those specified by the devtype or devname. Details the source, source type, estimated bits, sample count, and associated source flags. Source flags “t” and/or “v” may be associated, and indicate time vs. value samples, respectively. The -v option expands this output to include individual details about sample counts and bits per source.
Generate a seed from the system entropy pool and save it to save-file for later use with rndctl -L.

The file format is specific to rndctl and includes an estimate of the amount of saved entropy and a checksum. The prior internal state of the system entropy pool cannot be recovered from save-file, so disclosure of save-file does not compromise past secrets drawn from /dev/urandom or equivalent.

Display statistics on the current state of the entropy pool.
All devices of type devtype are altered or displayed. This is mutually exclusive with -d.

The available types are:

Physical hard drives.
Network interfaces.
Tape devices.
Terminal, mouse, or other user input devices.
Hardware random number generators.
Verbose output, increases the detail provided by the -l option.

rnd(4), entropy(7), rnd(9)

The rndctl program was first made available in NetBSD 1.3.

The rndctl program was written by Michael Graff ⟨explorer@flame.org⟩.

June 25, 2025 NetBSD 10.99