The s6-fillurandompool program

s6-fillurandompool blocks until the machine's /dev/urandom entropy pool is filled up. Then it exits.

For some reason, Linux has two separate entropy pools: one for /dev/random and one for /dev/urandom.

Reading from /dev/random blocks when its entropy pool is not full enough, so it will never return weak random data. (Reading from /dev/random is overkill anyway, and you should not be doing it.)

However, reading from /dev/urandom (which you should be doing) will not block, even though the entropy pool may not have been initialized yet. That's the only insecure thing about it: at boot time, /dev/urandom may return weak random data, until its entropy pool has filled up.

s6-fillurandompool is meant to address this issue. Call it once early on in your boot scripts, before you need any serious random data; when it exits, the /dev/urandom pool has been properly initialized, and it is now safe to read from /dev/urandom every time you need random data, until the machine shuts down.
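
One way a program can wait for the /dev/urandom pool to be initialized, as an added example that is not the s6-fillurandompool source. It assumes Linux 3.17 or later with glibc 2.25 or later, where getrandom(2) called with flags 0 blocks until the pool has been initialized; the function names are hypothetical.

```c
/* Added example: wait for the /dev/urandom pool via getrandom(2). */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>   /* getrandom(), GRND_NONBLOCK */
#include <sys/types.h>

/* Hypothetical helper: non-blocking probe.
 * Returns 1 if the pool is initialized, 0 if not yet, -1 on error. */
int urandom_pool_ready(void)
{
    unsigned char c;
    for (;;) {
        ssize_t r = getrandom(&c, 1, GRND_NONBLOCK);
        if (r == 1) return 1;
        if (r < 0 && errno == EAGAIN) return 0;   /* pool not initialized */
        if (r < 0 && errno == EINTR) continue;    /* interrupted, retry */
        return -1;                                /* e.g. ENOSYS on old kernels */
    }
}

/* Hypothetical helper: block until the pool is initialized.
 * Returns 0 once a byte has been obtained, -1 on error. */
int wait_urandom_pool(void)
{
    unsigned char c;
    for (;;) {
        /* flags == 0: urandom source, blocks only while uninitialized */
        ssize_t r = getrandom(&c, 1, 0);
        if (r == 1) return 0;
        if (r < 0 && errno == EINTR) continue;
        return -1;
    }
}

int main(void)
{
    if (urandom_pool_ready() == 0)
        fprintf(stderr, "urandom pool not initialized yet, waiting\n");
    if (wait_urandom_pool() < 0) {
        perror("getrandom");
        return 111;
    }
    return 0;   /* from here on, reads from /dev/urandom are safe */
}
```

The non-blocking probe is useful in a service that wants to log or defer key generation rather than stall; the blocking call is the one that belongs early in a boot sequence.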