Should I use sync or async crypto.randomBytes in web server app

[nwoltman]

• Node.js Version: >= 4
• OS: any
• Scope: meta
• Module: crypto

crypto.randomBytes() has two signatures:

// sync
const buf = crypto.randomBytes(256);

// async
crypto.randomBytes(256, (err, buf) => {
  if (err) throw err;
  // ...
});

My question is: Is it recommended to use the sync or the async version of crypto.randomBytes() in a web server application?

I'm guessing the answer will boil down to whether or not the sync version will block the process. I found this comment which suggests that the sync version will probably be "instant" when generating small amounts of bytes. So if I always generate, let's say 512 bytes or less, would it be best to use the sync version? Or perhaps even with a small amount of generated bytes the sync version isn't "fast enough" so it would still be better for latency/throughput to use the async version?

[bnoordhuis]

The synchronous version can block to acquire entropy (in theory - it's complicated.) If you want to play it safe, use the asynchronous version.

[nwoltman]

Okay, thank you!