openssl-rand
Generate pseudo-random bytes
SYNOPSIS
openssl rand [-help] [-out file] [-base64] [-hex] [-engine id] [-rand files] [-writerand file] [-provider name] [-provider-path path] [-propquery propq] num
DESCRIPTION
openssl rand generates a specified number of pseudo-random bytes using a cryptographically secure pseudo-random number generator (CSPRNG). It calls RAND_bytes(3) internally, which provides 256-bit security strength when properly seeded from the operating system's entropy source.
The output can be written as raw binary, Base64-encoded, or hexadecimal. Common uses include generating random passwords, encryption keys, initialization vectors, and nonces for cryptographic operations.
PARAMETERS
-help
Print usage message and exit.
-out file
Write output to file instead of standard output.
-base64
Encode the output using Base64.
-hex
Display the output as a hexadecimal string.
-engine id
Specify an engine for random generation (deprecated in OpenSSL 3.0).
-rand files
Specify additional random data source files.
-writerand file
Write random state to file on exit.
-provider name
Specify the provider to use for random generation.
-provider-path path
Path to search for providers.
-propquery propq
Property query for provider selection.
num
The number of random bytes to generate (required).
CAVEATS
The command fails with a nonzero exit code if the CSPRNG cannot be properly seeded from the operating system's entropy source. When using -base64, the actual output is larger than num bytes due to Base64 encoding expansion (roughly 4/3 ratio plus line breaks). The -engine option is deprecated as of OpenSSL 3.0 in favor of the provider-based architecture.
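The caveats above, handled in wrapper functions: this is an added example, not part of the OpenSSL documentation, and the function names rand_hex, b64_len, rand_b64 and rand_key_file are hypothetical. It uses only the -hex, -base64 and -out options listed under PARAMETERS and checks both the exit code and the output length before anything is used as key material.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of OpenSSL.

# Print N random bytes as lowercase hex, or fail without printing anything.
rand_hex() {
    h_n=$1
    # Nonzero exit here means the CSPRNG could not be seeded (see CAVEATS).
    h_out=$(openssl rand -hex "$h_n") || return 1
    [ "${#h_out}" -eq $((h_n * 2)) ] || return 1    # exactly 2 hex chars per byte
    case $h_out in *[!0-9a-f]*) return 1 ;; esac
    printf '%s\n' "$h_out"
}

# Base64 characters needed to encode N bytes: 4 * ceil(N / 3).
b64_len() {
    echo $(( ($1 + 2) / 3 * 4 ))
}

# Print N random bytes as single-line Base64 and check the expected expansion.
rand_b64() {
    b_n=$1
    b_out=$(openssl rand -base64 "$b_n") || return 1
    b_out=$(printf '%s' "$b_out" | tr -d '\n')      # drop the 64-column line breaks
    [ "${#b_out}" -eq "$(b64_len "$b_n")" ] || return 1
    printf '%s\n' "$b_out"
}

# Write N raw random bytes to a new file that only the owner can read.
rand_key_file() {
    k_n=$1 k_path=$2
    # Refuse to reuse an existing file: umask does not tighten its old mode.
    [ ! -e "$k_path" ] || return 1
    ( umask 077 && openssl rand -out "$k_path" "$k_n" ) ||
        { rm -f "$k_path"; return 1; }
    # A short file must never be used as key material.
    [ "$(wc -c < "$k_path" | tr -d ' ')" -eq "$k_n" ] ||
        { rm -f "$k_path"; return 1; }
}
```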
HISTORY
openssl rand has been part of OpenSSL since at least version 0.9.x (circa 2000). The -engine option was deprecated in OpenSSL 3.0 (released 2021), which introduced the provider-based architecture as a replacement. OpenSSL itself was started in 1998 as a fork of SSLeay.
SEE ALSO
openssl(1), openssl-dgst(1)
