Alternative to -rand option for genpkey

rajesh.sharma1201 at tutanota.com
Fri Jan 12 19:49:46 UTC 2024


Regarding the first point: I tried generating two private RSA keys with the "-rand file.dat" option without changing the contents of file.dat. I received two different keys. Therefore I think the file cannot be the only seed. Otherwise the process should be deterministic and the keys should be identical, right?

Thank you for your suggestion. I tried the command:
> openssl genpkey -algorithm ed448 -out private.pem -config config.txt
with config.txt containing
> [random]
> seed = /home/myuser/rand.dat

While the output said "Using configuration from config.txt", I'm not sure if the file was really used to seed the RNG. I tried changing the path for "seed =" to a non-existing file but OpenSSL did not complain (in contrast, if the parameter for -rand does not exist, an error is printed). Could someone confirm that the config.txt is indeed correct? Is there any way to enable a verbose mode to see this?

Raj


12 Jan 2024, 05:08 by james at openssl.org:

> On 2024-01-11 07:35, Raj via openssl-users wrote:
>
>> When generating private keys with `ecparam` or `genrsa` in OpenSSL, it is possible to use the parameter `-rand file.dat` where file.dat is used as an additional seed for the RNG, as far as I understand.
>>
>
> I believe that if you give the option "-rand file.dat", then the RNG is seeded only from file.dat (i.e. it is not an additional seed -- it is the whole seed).
>
>> I would like to generate private Ed448 and Ed25519 keys with an additional random source provided as a file. Is there a way to do that? I'm using version 3.1.0 btw.
>>
>
> You could try using a config file:
>
> https://www.openssl.org/docs/manmaster/man5/config.html
>
> Have a look at the "random" section and the info about setting the variable "seed".
>
> -James M
>
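
The determinism check described in the first paragraph of the message above, as an added shell example that is not part of the original thread: it generates two RSA keys with the same unchanged -rand file and compares fingerprints of their public keys. It assumes an openssl binary on PATH; the temporary file names and the seed file content are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): does "-rand FILE" alone determine the key?
# Assumption: `openssl` is on PATH. File names and seed content are constructed.

# pubkey_fingerprint KEYFILE -> prints SHA-256 of the DER-encoded public key
pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_seed_file_test -> prints "identical" or "different"; returns 2 on tool failure
same_seed_file_test() {
    dir=$(mktemp -d) || return 2
    # Constructed seed file with fixed content, left untouched between the two runs.
    printf 'constant seed material for the test\n' > "$dir/file.dat"

    for n in 1 2; do
        openssl genrsa -rand "$dir/file.dat" -out "$dir/key$n.pem" 2048 \
            >/dev/null 2>&1 || { rm -rf "$dir"; return 2; }
    done

    fp1=$(pubkey_fingerprint "$dir/key1.pem")
    fp2=$(pubkey_fingerprint "$dir/key2.pem")
    rm -rf "$dir"

    # An empty fingerprint means the key could not be parsed.
    if [ -z "$fp1" ] || [ -z "$fp2" ]; then
        return 2
    fi

    if [ "$fp1" = "$fp2" ]; then
        echo identical
    else
        echo different
    fi
}

echo "same -rand file, two runs: $(same_seed_file_test || echo 'openssl run failed')"
```

A result of "different" means the file contents were not the only input to the RNG for those two runs.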
