Regarding the first point: I tried generating two private RSA keys with the "-rand file.dat" option without changing the contents of file.dat. I received two different keys. Therefore I think the file cannot be the only seed. Otherwise the process should be deterministic and the keys should be identical, right?
Thank you for your suggestion. I tried the command:
> openssl genpkey -algorithm ed448 -out private.pem -config config.txt
with config.txt containing
> [random]
> seed = /home/myuser/rand.dat
While the output said "Using configuration from config.txt", I'm not sure if the file was really used to seed the RNG. I tried changing the path for "seed =" to a non-existing file but OpenSSL did not complain (in contrast, if the parameter for -rand does not exist, an error is printed). Could someone confirm that the config.txt is indeed correct? Is there any way to enable a verbose mode to see this?
Raj
12. Jan. 2024, 05:08 von james@xxxxxxxxxxx:
On 2024-01-11 07:35, Raj via openssl-users wrote:When generating private keys with `ecparam` or `genrsa` in OpenSSL, it is possible to use the parameter `-rand file.dat` where file.dat is used as additional seed for the RNG, as far as I understand.I believe that if you give the option "-rand file.dat", then the RNG is seeded only from file.dat (i.e. it is not an additional seed -- it is the whole seed).I would like to generate private Ed448 and Ed25519 keys with an additional random source provided as file. Is there a way to do that? I'm using version 3.1.0 btw.You could try using a config file:https://www.openssl.org/docs/manmaster/man5/config.htmlHave a look at the "random" section and the info about setting the variable "seed".-James M
