The kcapi-rng application provides tool to obtain random numbers from the Linux kernel crypto API via the command line. The tool is similar to reading /dev/hwrand with the difference that the used random number generators are fully deterministic - i.e. they are DRNGs.
Any potential seed data can be provided via STDIN. Some of the DRNGs require seeding as they do not seed themselves. The kcapi-rng tool ensures that the DRNGs are seeded by pulling the seed data from the getrandom system call (or /dev/urandom if getrandom is not available). The amount of seed data is defined by the DRNG itself and can be reviewed by assessing /proc/crypto. The seed provided via STDIN will be added to the internally-generated seed. The generated random numbers are written to STDOUT.
The following options are supported when invoking kcapi-rng:
- -b, --bytes BYTES
Generate BYTES number of random bytes.
- -n, --name NAME
The NAME argument specifies the random number generator implementation to be used. The allowed random number generators are defined by the Linux kernel. Currently registered ciphers can be reviewed at /proc/crypto. The content of this file, however, can change when new ciphers are registered. The NAME argument is given directly to the Linux kernel crypto API. The chosen cipher must be of type rng as marked in /proc/crypto. If this option is not used, the cipher stdrng is used as default.
The generated random numbers are print out in hexadecimal notation instead of as binary string.
- -v, --verbose
Enable a verbose operation of kcapi-rng. Using this option multiple times increases the verbosity.
- -q, --quiet
Prevent the generation of any log output.
- -h, --help
Display the help text.
Display the version number of the kcapi-rng application.