When generating random data for use in cryptographic operations, such as an initialization vector for encryption in ~cryptography.hazmat.primitives.ciphers.modes.CBC
mode, you do not want to use the standard random
module APIs. This is because they do not provide a cryptographically secure random number generator, which can result in major security issues depending on the algorithms in use.
Therefore, it is our recommendation to always use your operating system's provided random number generator, which is available as os.urandom
. For example, if you need 16 bytes of random data for an initialization vector, you can obtain them with:
>>> import os >>> iv = os.urandom(16)
This will use /dev/urandom
on UNIX platforms, and CryptGenRandom
on Windows.
If you need your random number as an integer (for example, for ~cryptography.x509.CertificateBuilder.serial_number
), you can use int.from_bytes
to convert the result of os.urandom
:
>>> serial = int.from_bytes(os.urandom(20), byteorder="big")
Starting with Python 3.6 the standard library includes the secrets
module, which can be used for generating cryptographically secure random numbers, with specific helpers for text-based formats.