Remove All Software Generators

Dmitry Belyavsky beldmit at
Wed Oct 30 14:48:16 UTC 2019

Did you try to create your own RAND_METHOD and set it as default on loading
the engine?

On Wed, Oct 30, 2019 at 5:40 PM Frederick Gotham <cauldwell.thomas at>

> I'm working on Linux with a x86-64 CPU.
> I have a TPM2 chip, and so I want OpenSSL to do all of its encryption
> and random number generation through the TPM2 chip.
> In the event that the chip fails, I do NOT want there to be a backup
> system. I do NOT want any kind of software pseudorandom number generator
> nor any software encryption routines.
> The engine that I'm using for OpenSSL is "". This engine
> library requires two more libraries, "" and
> "". (The former is for using the TPM2 chip, whereas
> the latter is a software simulator).
> As I don't want to have a simulator, I tried simply deleting the
> simulator library, but this caused linkage problems for the mother
> engine library. As an alternative, I made a new dummy library in which
> all of the functions return an error value, and I put this dummy library
> in the place of the simulator. This transplant went fine.
> It appears that OpenSSL will kick and scream and refuse to die no
> matter how hard you hit it. If I try to generate a random number like
> this:
>     openssl rand -hex 8
> Then it seems it will try in this order:
> 1) The TPM2 chip
> 2) The software simulator of the TPM2 chip
> 3) The built-in RDRAND number
> 4) Another one that I can't find
> I have recompiled OpenSSL with the flag OPENSSL_NO_RDRAND to get rid of
> the in-built engine. I have even done "rm /dev/random" and "rm
> /dev/urandom", but SOMEHOW, SOME WAY, I'm still getting output when I
> run openssl rand -hex 8.
> How on earth to get OpenSSL to simply give up? I simply cannot have it
> use anything other than my TPM2 chip.
> Frederick

SY, Dmitry Belyavsky