openssl-rand.1ossl - Man Page

generate pseudo-random bytes

Synopsis

openssl rand [-help] [-out file] [-base64] [-hex] [-engine id] [-rand files] [-writerand file] [-provider name] [-provider-path path] [-provparam [name:]key=value] [-propquery propq] num[K|M|G|T]

Description

This command generates num random bytes using a cryptographically secure pseudo random number generator (CSPRNG). A suffix [K|M|G|T] may be appended to the num value to indicate the requested value be scaled as a multiple of KiB/MiB/GiB/TiB respectively. Note that suffixes are case sensitive, and that the suffixes represent binary multiples (K = 1024 bytes, M = 1024*1024 bytes, etc).

The string 'max' may be substituted for a numerical value in num, to request the maximum number of bytes the CSPRNG can produce per instantiation.  Currently, this is restricted to 2^61 bytes as per NIST SP 800-90C.

The random bytes are generated using the RAND_bytes(3) function, which provides a security level of 256 bits, provided it managed to seed itself successfully from a trusted operating system entropy source. Otherwise, the command will fail with a nonzero error code. For more details, see RAND_bytes(3), RAND(7), and EVP_RAND(7).

Options

-help

Print out a usage message.

-out file

Write to file instead of standard output.

-base64

Perform base64 encoding on the output.

-hex

Show the output as a hex string.

-engine id

See "Engine Options" in openssl(1). This option is deprecated.

-rand files, -writerand file

See "Random State Options" in openssl(1) for details.

-provider name
-provider-path path
-provparam [name:]key=value
-propquery propq

See "Provider Options" in openssl(1), provider(7), and property(7).

See Also

openssl(1), RAND_bytes(3), RAND(7), EVP_RAND(7)

History

The -engine option was deprecated in OpenSSL 3.0.

Referenced By

openssl.1ossl(1), openssl-cmds.1ossl(1).

2025-04-15 3.5.0 OpenSSL