rndctl
—
in-kernel random number generator management tool
rndctl |
[-CcEe ] [-d
devname | -t
devtype] |
rndctl |
[-lsv ] [-d
devname | -t
devtype] |
The rndctl
program displays statistics on the current
state of the rnd(4) pseudo-driver,
and allows the administrator to control which sources are allowed to
contribute to the randomness pool maintained by
rnd(4), as well as whether a given
source counts as strongly random.
The following options are available:
-C
- Disable collection of timing information for the given device name or
device type.
-c
- Enable collection of timing information for the given device name or
device type.
-d
- Only the device named devname is altered or
displayed. This is mutually exclusive with
-t
.
-E
- Disable entropy estimation from the collected timing information for the
given device name or device type. If collection is still enabled, timing
information is still collected and mixed into the internal entropy pool,
but no entropy is assumed to be present.
-e
- Enable entropy estimation using the collected timing information for the
given device name or device type.
-L
- Load saved entropy from file save-file and overwrite
it with a seed derived by hashing it together with output from
/dev/urandom so that the new seed has at least as
much entropy as either the old seed had or the system already has. If
interrupted, either the old seed or the new seed will be in place.
-l
- List all sources, or, if the
-t
or
-d
flags are specified, only those specified by
the devtype or devname
specified.
-S
- Save entropy pool to file save-file. The file format
is specific to
rndctl
and includes an estimate of
the amount of saved entropy and a checksum.
-s
- Display statistics on the current state of the random collection
pool.
-t
- All devices of type devtype are altered or
displayed. This is mutually exclusive with
-d
.
The available types are:
disk
- Physical hard drives.
net
- Network interfaces.
tape
- Tape devices.
tty
- Terminal, mouse, or other user input devices.
rng
- Random number generators.
-v
- Verbose output: show entropy estimation statistics for each source.
- /dev/random
- Returns “good” values only.
- /dev/urandom
- Always returns data, degenerates to a pseudo-random generator.
The rndctl
program was first made available in
NetBSD 1.3.
The rndctl
program was written by
Michael Graff ⟨explorer@flame.org⟩.
Turning on entropy estimation from unsafe or predictable sources will weaken
system security, while turning on entropy collection from such sources may
weaken system security.
Care should be taken when using this command.