Is `crypto.randomInt()` cryptographically secure?

I am looking for a good way to generate secure random numbers in Node.js. One answer that I have found and am using is crypto.randomInt(). Is this method cryptographically secure? Are there better options?

Answer

The crypto module provides cryptographic functionality that includes a set of wrappers for OpenSSL’s hash, HMAC, cipher, decipher, sign, and verify functions.

So yes, you’d expect that this is secure, assuming that OpenSSL’s random number generator is secure. There are very specific circumstances where the OS doesn’t provide enough randomness which may mean that the OpenSSL random number generator is not well seeded. However, on a normal PC / server you’d expect it to be secure.

As always, you cannot create entropy using a deterministic system. So you should always make sure that a well seeded system random is available for the particular runtime. For VM’s that generally means installing the client extensions, for instance, so that the hosts random pool can be accessed.