Description
Hi everyone,
From the BitBox02 security features page, I see that the entropy sources used during wallet generation are:
- A true random number generator on the secure chip
- A true random number generator on the microcontroller
- A static random number set during factory installation and unique to each BitBox02
- Host entropy provided by the app running on the computer (e.g., from /dev/urandom)
- A cryptographic hash of the device password
I’d like to request clarification on the 4th point:
Host entropy provided by the app running on your computer, e.g., from /dev/urandom
From my understanding, /dev/urandom has historically been considered less ideal for generating cryptographic material compared to other methods.
I searched the codebase for references to random and found the following function:
```go
package random // package clause assumed so the snippet compiles on its own; the quoted code omits it

import (
	"crypto/rand"
)

// BytesOrPanic returns random bytes of the given length or panics in case of an error.
func BytesOrPanic(length int) []byte {
	bytes := make([]byte, length)
	_, err := rand.Read(bytes)
	if err != nil {
		panic(err)
	}
	return bytes
}
```

This appears to be correctly implemented, as it panics if an error is returned by rand.Read(bytes).
According to the Go crypto/rand package documentation:
- On Linux, FreeBSD, Dragonfly, and Solaris, Reader uses getrandom(2).
- On legacy Linux (< 3.17), Reader opens /dev/urandom on first use.
Therefore, on modern Linux systems, it actually uses the getrandom() syscall.
Additionally, the random(7) man page confirms that, by default, getrandom() draws from the same entropy pool as /dev/urandom.
Since Linux kernel 5.6, both /dev/urandom and getrandom() use a ChaCha20-based CSPRNG to generate random data from this pool, ensuring cryptographically secure output once the pool is initialized.
Given this, the statement that entropy is obtained from /dev/urandom (or equivalently getrandom()) is mostly accurate.
However, I would like to confirm:
- Is this level of entropy considered sufficient for secure wallet generation?
- In the event that the host system is compromised and provides poor or predictable entropy to the BitBox02 during wallet creation, do the other entropy sources (such as the secure chip’s TRNG, the microcontroller TRNG, and the device password hash) still ensure the overall security of the generated wallet?
Thanks in advance.
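As an added illustration of the second question (not the BitBox02 firmware's own mixing code, and not part of the issue above), the Go program below hashes several independent entropy contributions into one seed: because the seed is a one-way function of every input, an all-zero contribution from a compromised host does not weaken it while the device-side contribution stays secret. The TRNG bytes and the zeroed host entropy are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// MixEntropy hashes independent entropy contributions (with length prefixes)
// into one 32-byte seed. The seed is a one-way function of every input, so an
// attacker who knows one contribution cannot predict it while another is secret.
func MixEntropy(sources ...[]byte) [32]byte {
	h := sha256.New()
	for _, s := range sources {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		h.Write(n[:]) // length prefix: no ambiguity about where a source ends
		h.Write(s)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// DependsOnEachSource reports whether flipping one bit in any (non-empty) source changes the seed.
func DependsOnEachSource(sources ...[]byte) bool {
	base := MixEntropy(sources...)
	for _, s := range sources {
		s[0] ^= 0x01
		changed := MixEntropy(sources...) != base
		s[0] ^= 0x01 // restore the caller's data
		if !changed {
			return false
		}
	}
	return true
}

func main() {
	host := make([]byte, 32)
	if _, err := rand.Read(host); err != nil { // getrandom(2) on modern Linux
		panic(err)
	}
	weak := make([]byte, 32)                           // constructed: compromised host sends all zeros
	trng := []byte("constructed 32-byte TRNG output!") // constructed stand-in for the device TRNG
	fmt.Printf("honest host: %x\nweak host:   %x\n", MixEntropy(host, trng), MixEntropy(weak, trng))
	fmt.Println("every source matters:", DependsOnEachSource(weak, trng))
}
```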