1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
'\" t
.TH "SYSTEMD\-RANDOM\-SEED\&.SERVICE" "8" "" "systemd 255" "systemd-random-seed.service"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
systemd-random-seed.service, systemd-random-seed \- Load and save the OS system random seed at boot and shutdown
.SH "SYNOPSIS"
.PP
systemd\-random\-seed\&.service
.PP
/usr/lib/systemd/systemd\-random\-seed
.SH "DESCRIPTION"
.PP
systemd\-random\-seed\&.service
is a service that loads an on\-disk random seed into the kernel entropy pool during boot and saves it at shutdown\&. See
\fBrandom\fR(4)
for details\&. By default, no entropy is credited when the random seed is written into the kernel entropy pool, but this may be changed with
\fI$SYSTEMD_RANDOM_SEED_CREDIT\fR, see below\&. On disk the random seed is stored in
/var/lib/systemd/random\-seed\&.
.PP
Note that this service runs relatively late during the early boot phase, i\&.e\&. generally after the initrd phase has finished and the
/var/
file system has been mounted\&. Many system services require entropy much earlier than this \(em this service is hence of limited use for complex system\&. It is recommended to use a boot loader that can pass an initial random seed to the kernel to ensure that entropy is available from earliest boot on, for example
\fBsystemd-boot\fR(7), with its
\fBbootctl random\-seed\fR
functionality\&.
.PP
When loading the random seed from disk, the file is immediately updated with a new seed retrieved from the kernel, in order to ensure no two boots operate with the same random seed\&. This new seed is retrieved synchronously from the kernel, which means the service will not complete start\-up until the random pool is fully initialized\&. On entropy\-starved systems this may take a while\&. This functionality is intended to be used as synchronization point for ordering services that require an initialized entropy pool to function securely (i\&.e\&. services that access
/dev/urandom
without any further precautions)\&.
.PP
Care should be taken when creating OS images that are replicated to multiple systems: if the random seed file is included unmodified each system will initialize its entropy pool with the same data, and thus \(em if otherwise entropy\-starved \(em generate the same or at least guessable random seed streams\&. As a safety precaution crediting entropy is thus disabled by default\&. It is recommended to remove the random seed from OS images intended for replication on multiple systems, in which case it is safe to enable entropy crediting, see below\&. Also see
\m[blue]\fBSafely Building Images\fR\m[]\&\s-2\u[1]\d\s+2\&.
.PP
See
\m[blue]\fBRandom Seeds\fR\m[]\&\s-2\u[2]\d\s+2
for further information\&.
.SH "ENVIRONMENT"
.PP
\fI$SYSTEMD_RANDOM_SEED_CREDIT\fR
.RS 4
By default,
systemd\-random\-seed\&.service
does not credit any entropy when loading the random seed\&. With this option this behaviour may be changed: it either takes a boolean parameter or the special string
"force"\&. Defaults to false, in which case no entropy is credited\&. If true, entropy is credited if the random seed file and system state pass various superficial concisistency checks\&. If set to
"force"
entropy is credited, regardless of these checks, as long as the random seed file exists\&.
.sp
Added in version 243\&.
.RE
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBrandom\fR(4),
\fBsystemd-boot\fR(7),
\fBsystemd-stub\fR(7),
\fBbootctl\fR(4),
\fBsystemd-boot-random-seed.service\fR(8)
.SH "NOTES"
.IP " 1." 4
Safely Building Images
.RS 4
\%https://systemd.io/BUILDING_IMAGES
.RE
.IP " 2." 4
Random Seeds
.RS 4
\%https://systemd.io/RANDOM_SEEDS
.RE
|
