https://pytroubles.com/en/posts/id2342-can-python-use-cpu-trng-use-the-secrets-module-for-os-backed-randomness-instead-of-prngs

Can Python use CPU TRNG? Use the secrets module for OS-backed randomness instead of PRNGs

Python secrets for OS-backed randomness: TRNG vs PRNG, CPU RNG (RDRAND/RDRND), and secure keys

Can Python use CPU TRNG? Use the secrets module for OS-backed randomness instead of PRNGs

Learn how Python accesses OS-backed randomness via the secrets module. Understand TRNG vs PRNG, CPU sources, and generate secure tokens for cryptographic use.

2025-12-08T09:00:11+03:00

2025-12-08T09:00:12+03:00

Can Python tap a CPU’s true random source, or is it stuck with PRNGs forever? The short answer is that Python exposes the operating system’s strongest randomness via the secrets module. Whether that ultimately qualifies as “true random” depends on definitions and what your OS chooses to mix in from the hardware. Let’s walk through what this means in practice and how to write code that does the right thing.Context: TRNG vs PRNG on modern CPUs and in PythonIt’s common to start with a software-only generator and quickly discover its limits. True RNG (TRNG) in a pure software program is often described as impossible. At the same time, modern CPUs add hardware features. Intel CPUs starting from Ivy Bridge (3rd generation) support RDRND, described as using thermal noise from processor circuits to generate random numbers. AMD modern CPUs also support RDRND starting from AMD FX “Bulldozer” (2011), with TRNG support akin to Intel’s feature. The practical question then becomes: can a Python program access this hardware-backed randomness directly, without relying on external services?Problem example: using a PRNG in PythonThe ubiquitous random module is a pseudo-random number generator. Here is a minimal snippet that demonstrates the pattern many projects start with:import random as rnd values_batch = [rnd.randint(0, 100) for _ in range(10)] print("10 Random Numbers:") print(values_batch) This produces numbers, but they are generated by a PRNG. The question is how to switch to a source suitable for security-sensitive or cryptographic use.What the secrets module guaranteesPython 3.6 introduced the secrets module. Its purpose is to surface the operating system’s best available randomness in a simple, portable way. As stated in the official description:The secrets module provides access to the most secure source of randomness that your operating system provides.In other words, Python delegates to the OS, and the OS aggregates its strongest entropy sources. According to the discussion, most operating systems will use CPU randomizer sources, in addition to others, in their cryptographically secure random number generator, and these will in turn be used by the Python secrets module. There are also views that question whether specific OSes will directly use CPU features like RDRND; others claim that Linux, Windows, and MacOS will use CPU randomizers if present. Defining a strict “true random number generator” is itself hard, and this disagreement underscores that the label can be more philosophical than practical for application code.Solution: use OS-backed randomness via secretsFor Python developers the actionable guidance is straightforward: use secrets when you need cryptographic-quality random values. It gives you the strongest randomness your platform offers without tying your code to a particular CPU instruction or kernel configuration.import secrets as sec secure_batch = [sec.randbelow(101) for _ in range(10)] print("10 OS-backed random numbers:") print(secure_batch) This mirrors the original goal—ten integers in the range 0 to 100—in a way that leverages the OS’s most secure source of randomness. Whether the OS internally folds in CPU features such as RDRND may vary, and opinions differ; what remains consistent is that secrets is designed for security-sensitive randomness, unlike PRNG-oriented approaches.Why this mattersFor authentication tokens, cryptographic keys, and any workflow where predictability is a risk, the difference between a PRNG and an OS-backed secure source is critical. With secrets, Python code avoids pitfalls tied to deterministic generators and avoids hard dependencies on specific hardware features. The module abstracts away how the OS collects entropy while aiming for the strongest source available on that system.TakeawaysIf you need unpredictable values in Python, reach for secrets rather than random. It delegates the hard work to the operating system and, in many environments, incorporates CPU-provided randomness alongside other sources. Whether this qualifies as “true random” is debated and depends on how you define TRNG, but for practical software and security engineering, the secrets module is the right tool.

Python randomness, secrets module, TRNG vs PRNG, OS-backed randomness, CPU randomness, RDRAND, RDRND, cryptographically secure, secure tokens, authentication, cryptographic keys

2025

2025, Dec 08 09:00

Python secrets for OS-backed randomness: TRNG vs PRNG, CPU RNG (RDRAND/RDRND), and secure keys

Learn how Python accesses OS-backed randomness via the secrets module. Understand TRNG vs PRNG, CPU sources, and generate secure tokens for cryptographic use.

Context: TRNG vs PRNG on modern CPUs and in Python

It’s common to start with a software-only generator and quickly discover its limits. True RNG (TRNG) in a pure software program is often described as impossible. At the same time, modern CPUs add hardware features. Intel CPUs starting from Ivy Bridge (3rd generation) support RDRND, described as using thermal noise from processor circuits to generate random numbers. AMD modern CPUs also support RDRND starting from AMD FX “Bulldozer” (2011), with TRNG support akin to Intel’s feature. The practical question then becomes: can a Python program access this hardware-backed randomness directly, without relying on external services?

Problem example: using a PRNG in Python

The ubiquitous random module is a pseudo-random number generator. Here is a minimal snippet that demonstrates the pattern many projects start with:

import random as rnd
values_batch = [rnd.randint(0, 100) for _ in range(10)]
print("10 Random Numbers:")
print(values_batch)

This produces numbers, but they are generated by a PRNG. The question is how to switch to a source suitable for security-sensitive or cryptographic use.

What the secrets module guarantees

Python 3.6 introduced the secrets module. Its purpose is to surface the operating system’s best available randomness in a simple, portable way. As stated in the official description:

The secrets module provides access to the most secure source of randomness that your operating system provides.

In other words, Python delegates to the OS, and the OS aggregates its strongest entropy sources. According to the discussion, most operating systems will use CPU randomizer sources, in addition to others, in their cryptographically secure random number generator, and these will in turn be used by the Python secrets module. There are also views that question whether specific OSes will directly use CPU features like RDRND; others claim that Linux, Windows, and MacOS will use CPU randomizers if present. Defining a strict “true random number generator” is itself hard, and this disagreement underscores that the label can be more philosophical than practical for application code.

Solution: use OS-backed randomness via secrets

For Python developers the actionable guidance is straightforward: use secrets when you need cryptographic-quality random values. It gives you the strongest randomness your platform offers without tying your code to a particular CPU instruction or kernel configuration.

import secrets as sec
secure_batch = [sec.randbelow(101) for _ in range(10)]
print("10 OS-backed random numbers:")
print(secure_batch)

This mirrors the original goal—ten integers in the range 0 to 100—in a way that leverages the OS’s most secure source of randomness. Whether the OS internally folds in CPU features such as RDRND may vary, and opinions differ; what remains consistent is that secrets is designed for security-sensitive randomness, unlike PRNG-oriented approaches.

Why this matters

For authentication tokens, cryptographic keys, and any workflow where predictability is a risk, the difference between a PRNG and an OS-backed secure source is critical. With secrets, Python code avoids pitfalls tied to deterministic generators and avoids hard dependencies on specific hardware features. The module abstracts away how the OS collects entropy while aiming for the strongest source available on that system.

Takeaways

If you need unpredictable values in Python, reach for secrets rather than random. It delegates the hard work to the operating system and, in many environments, incorporates CPU-provided randomness alongside other sources. Whether this qualifies as “true random” is debated and depends on how you define TRNG, but for practical software and security engineering, the secrets module is the right tool.

python random trng