Random Number Generators

TeskaLabs SeaCat PKI uses software random number generators (RNG) by default, specifically the Python secrets module and OpenSSL RNG functions. TeskaLabs SeaCat PKI also supports hardware random number generators via PKCS#11.

Warning

Hardware RNGs are used only for certain cryptographic operations, e.g. key generation. Software keys (if used) are generated using the software RNG.

Configuration of the PKCS#11 RNG provider

Snippet from seacatpki.conf:

[seacatpki:pkcs11:myhsm]
path=/usr/lib/softhsm/myhsm.dylib

[seacatpki:random]
provider=pkcs11:myhsm
token_label=RNGToken
pin=<PIN>

  • provider identifies the provider; the pkcs11: prefix means that the provider is a PKCS#11 token
  • token_label is the label of the token within the provider
  • pin is the PIN of the token (optional, if the token is already configured)

Tip

A dedicated PKCS#11 token for the random number generator is recommended.
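
A pre-deployment consistency check for the configuration above, as an added example that is not part of SeaCat PKI. It assumes that provider=pkcs11:<name> refers to the [seacatpki:pkcs11:<name>] section, as in the snippet, and that a token_label is expected; check_rng_config and SAMPLE are names chosen here.

```python
import configparser

# Constructed sample mirroring the snippet on this page.
SAMPLE = """\
[seacatpki:pkcs11:myhsm]
path=/usr/lib/softhsm/myhsm.dylib

[seacatpki:random]
provider=pkcs11:myhsm
token_label=RNGToken
pin=<PIN>
"""

def check_rng_config(text):
    """Return findings for the [seacatpki:random] section (empty list = consistent)."""
    cfg = configparser.ConfigParser(interpolation=None)  # PINs may contain '%'
    cfg.read_string(text)
    if not cfg.has_section("seacatpki:random"):
        return ["no [seacatpki:random] section: no PKCS#11 RNG provider is configured"]
    rnd = cfg["seacatpki:random"]
    provider = rnd.get("provider", "").strip()
    if not provider.startswith("pkcs11:"):
        return [f"provider={provider!r} lacks the pkcs11: prefix, so it is not a PKCS#11 token"]
    findings = []
    # Assumption: provider=pkcs11:<name> refers to section [seacatpki:pkcs11:<name>].
    section = "seacatpki:" + provider
    if not cfg.has_section(section):
        findings.append(f"provider {provider!r} has no matching [{section}] section")
    elif not cfg[section].get("path", "").strip():
        findings.append(f"[{section}] has no path to the PKCS#11 library")
    # Assumption: a token_label is expected so that the intended token is selected.
    if not rnd.get("token_label", "").strip():
        findings.append("token_label is missing")
    # pin is optional per the page; when it is stored inline, the file holds a
    # token credential and its permissions deserve review.
    if rnd.get("pin", "").strip():
        findings.append("pin is stored in the file: restrict read access to the service account")
    return findings

if __name__ == "__main__":
    for finding in check_rng_config(SAMPLE):
        print("finding:", finding)
```

Run it against the deployed seacatpki.conf by passing the file contents to check_rng_config; a mistyped provider name shows up as a missing section finding.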