Myths about /dev/urandom


TLDR

  • /dev/urandom is the correct choice for cryptographic randomness on Linux; the common belief that /dev/random is safer is a persistent myth.

Key Takeaways

  • Both /dev/urandom and /dev/random use the same CSPRNG internally; /dev/random just blocks when its entropy estimate is low.
  • The entropy “running out” argument is a straw man: ~256 bits of entropy is enough for computationally secure output for a very long time.
  • Entropy is estimated, not counted precisely; Linux kernels use event arrival time interpolation, making /dev/random’s blocking behavior an unreliable guarantee anyway.
  • Before Linux 4.8, the CSPRNG was central to both devices, not a fallback; the “pure randomness from /dev/random” mental model was always wrong.
  • All common crypto algorithms (AES, RSA, Diffie-Hellman) are only computationally secure, so insisting on philosophically “true” random input is internally inconsistent.
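The seed-and-expand model behind the takeaways above, as an added illustration that is not part of the digested article or the kernel's own code: a toy HMAC-SHA256 counter generator that, once holding 256 bits of seed, emits arbitrarily many bytes with nothing "running out". The construction is a simplification chosen for readability; the Linux generator differs in detail, and `SeededCsprng` and `bytes_from_256_bits` are names assumed here.

```python
import hashlib
import hmac
import os


class SeededCsprng:
    """Toy hash-based DRBG (illustration, not the kernel's algorithm).

    Entropy is a one-time seed; output is an expansion of that seed that is
    computationally indistinguishable from random for an attacker who cannot
    break HMAC-SHA256. Both /dev/random and /dev/urandom read from such a
    generator; they differ only in whether the read blocks on the kernel's
    entropy estimate, not in the quality of the bytes.
    """

    SEED_BYTES = 32  # 256 bits is all the seed material the argument needs

    def __init__(self, seed: bytes):
        if len(seed) < self.SEED_BYTES:
            raise ValueError("seed must carry at least 256 bits")
        self._key = hashlib.sha256(b"seed" + seed).digest()
        self._counter = 0

    def reseed(self, fresh: bytes) -> None:
        # Folding new entropy into the state only ever adds to its strength.
        self._key = hmac.new(self._key, b"reseed" + fresh, hashlib.sha256).digest()
        self._counter = 0

    def read(self, n: int) -> bytes:
        # Counter mode: each block is HMAC(key, counter); the counter is never
        # reused, so output never repeats and the seed is never "consumed".
        out = bytearray()
        while len(out) < n:
            block = hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self._counter += 1
            out.extend(block)
        return bytes(out[:n])


def bytes_from_256_bits(seed: bytes, n: int) -> bytes:
    """Expand one 256-bit seed into n bytes, to show the non-depletion point."""
    return SeededCsprng(seed).read(n)


if __name__ == "__main__":
    # In practice the seed comes from the kernel; os.urandom is the right call.
    gen = SeededCsprng(os.urandom(SeededCsprng.SEED_BYTES))
    print(len(gen.read(1 << 20)), "bytes from a single 256-bit seed")
```

Running the module draws one 32-byte seed from `os.urandom` and expands it to a mebibyte, which is the whole of the "entropy running out" straw man in miniature.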

Hacker News Comment Review

  • No substantive HN discussion yet.
