Yes, we're now running our Black Friday Sale. All Access and Pro are 33% off until 2nd December, 2025:
SecureRandom Generator on Linux – Blocking or Not Blocking?
Last updated: November 20, 2025
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Yes, we're now running our Black Friday Sale. All Access and Pro are 33% off until 2nd December, 2025:
1. Introduction
The availability of good-quality random numbers is crucial for all security and cryptographic applications. Usual pseudo-random number generators provide predictable and repeatable sequences.
In contrast, Java SecureRandom uses algorithms that increase randomness by drawing random numbers from external sources. We call this pool an entropy source. However, if such a source is depleted, we can experience slowness or blocking.
In this tutorial, we’ll talk about blocking and non-blocking algorithms in the context of the Linux system.
2. The Default Algorithm
We can create an instance of SecureRandom using the constructor:
SecureRandom secureRandom = new SecureRandom();The Java Virtual Machine (JVM) then delivers the default algorithm, which is available on any operating system.
The choice depends on the settings in java.security properties file, the JVM option java.security.egd, and existing security providers.
3. Predefined Algorithms
The Java documentation lists standard algorithms that we can use out of the box. We specify a desired algorithm when calling the getInstance() method:
SecureRandom random = SecureRandom.getInstance("NativePRNG");When asking for a particular algorithm, we can receive the NoSuchAlgorithmException if the requested algorithm isn’t present.
Let’s check all predefined algorithms:
public class SecureRandomAvailableAlgorithms {
static String [] algorithmNames = {"NativePRNG", "NativePRNGBlocking", "NativePRNGNonBlocking",
"PKCS11", "SHA1PRNG", "Windows-PRNG"};
public static void main(String[] args) {
for (int i = 0; i < algorithmNames.length; i++)
{
String name = algorithmNames[i];
Boolean isAvailable = true;
try {
SecureRandom random = SecureRandom.getInstance(name);
} catch (NoSuchAlgorithmException e) {
isAvailable = false;
}
System.out.println("Algorithm " + name + (isAvailable ? " is" : " isn't") + " available");
}
}
}The output may look like this (on a Linux machine):
Algorithm NativePRNG is available
Algorithm NativePRNGBlocking is available
Algorithm NativePRNGNonBlocking is available
Algorithm PKCS11 isn't available
Algorithm SHA1PRNG is available
Algorithm Windows-PRNG isn't available4. Linux Notes
The Linux operating system provides two sources of random numbers, /dev/random and /dev/urandom. The former is blocking while the latter is non-blocking.
However, since kernel version 5.19, we don’t need to worry about available entropy. Beyond the early boot stage, we shouldn’t experience blocking during random number generation, regardless we’re using /dev/random or /dev/urandom.
On the other hand, the randomness of the /dev/urandom source became good enough for all practical applications. And it never blocks.
Taking into account the development of the modern Linux system, we can safely use the /dev/urandom device and the corresponding algorithm – NativePRNGNonBlocking.
The above-mentioned changes influenced the way the entropy amount is reported. We can check the entropy_avail kernel parameter for this amount. However, we’ll obtain the same predefined number:
$ sudo sysctl -a | grep entropy_avail
kernel.random.entropy_avail = 256Therefore, we can ignore the guidelines for older kernel versions, which state that this number should remain at around 2000 or 3000.
5. Performance Test
We can check the performance of algorithms with the Java Microbenchmark Harness (JMH) microbenchmarking framework. We’ll compare NativePRNGBlocking and NativePRNGNonBlocking algorithms.
Let’s generate 20,000 random samples of 256 bytes each:
@BenchmarkMode(Mode.AverageTime)
@OutputTimeUnit(TimeUnit.MILLISECONDS)
@State(Scope.Thread)
public class SecureRandomPerformanceTest {
SecureRandom randomNativePRNGBlocking;
SecureRandom randomNativePRNGNonBlocking;
final int NBYTES = 256;
final int NSAMPLES = 20_000;
@Setup(Level.Trial)
public void setup() throws NoSuchAlgorithmException {
randomNativePRNGBlocking = SecureRandom.getInstance("NativePRNGBlocking");
randomNativePRNGNonBlocking = SecureRandom.getInstance("NativePRNGNonBlocking");
}
@Benchmark
public void measureTimePRNGBlocking() {
byte[] randomBytes = new byte[NBYTES];
for (int i = 0; i < NSAMPLES; i++)
{
randomNativePRNGBlocking.nextBytes(randomBytes);
}
}
@Benchmark
public void measureTimePRNGNonBlocking() {
byte[] randomBytes = new byte[NBYTES];
for (int i = 0; i < NSAMPLES; i++)
{
randomNativePRNGNonBlocking.nextBytes(randomBytes);
}
}
public static void main(String[] args) throws Exception {
org.openjdk.jmh.Main.main(args);
}
}Let’s check the results obtained on Ubuntu 22.04.5 LTS with the 6.8.0 kernel version:
Benchmark Mode Cnt Score Error Units
SecureRandomPerformanceTest.measureTimePRNGBlocking avgt 25 95.634 ± 1.769 ms/op
SecureRandomPerformanceTest.measureTimePRNGNonBlocking avgt 25 95.797 ± 1.097 ms/opWe see that random number generation takes around 96 ms for both the blocking and non-blocking versions. The difference in duration between blocking and non-blocking algorithms is very small, within a measurement error.
6. Conclusion
In this article, we discussed how the SecureRandom algorithms use the randomness sources of the Linux operating system. We focused on the possibility of blocking the source by a low entropy level. However, we learned this was very unlikely on any modern Linux system.
In addition, we carried out a simple comparison test, which didn’t show a significant difference in execution time between blocking and non-blocking algorithms.
Finally, we found that the non-blocking version is sufficient for all practical applications.
As always, the code for the examples is available over on GitHub.
