Your best shot at getting randomness is monitoring timing differences between keystrokes, mouse positions, timing between mouse movements, your screen, disk access times, etc., and taking the hash of all of it. Then repeating that process constantly. Something like this is how your operating system gets randomness anyway. I don't know if this is random enough for an OTP, but it is random enough for you to use for other cryptographic algorithms, or at least it is what you have to work with anyway.

Actually, many modern CPUs have their own RNGs built into hardware, although I am not sure of the specifics of how these RNGs work, something with thermal noise. Actually, even a microphone input can be used to generate random numbers quite well.

The cool thing about (many? all? definitely some.) cryptographic hashing algorithms is that they can distill and uniformly distribute randomness. If you have fifty megabytes of data which has three bits of randomness total contained within it, the cryptographic hash of the fifty megabytes of data will also contain three bits of randomness. A SHA-256 output is always 256 bits, so if you hash 50 megabytes with 3 bits of randomness, the output is 256 bits, 3 of which are random. Cryptographic hashing algorithms also evenly distribute the randomness of their input into their output. If a fifty megabyte file starts with one random byte and is followed by only non-random bytes, the cryptographic hash value of the file will contain one byte of randomness equally distributed throughout it.

So in summary, I am less concerned about the ability to generate randomness than I am with the problem of sharing the generated randomness between the people who would use it for a one-time pad.

To rip off XKCD.... Why not just 'randomly' type on the keyboard until you have hit a thousand keys, and then take the SHA-256 hash value of the output?
Most estimates say that English has one bit of randomness per character, so it seems safe to assume that your output is a truly random 256-bit number. 19c41bf387172d7eb28fe1997af60a1e8a9b22bc56f01a772cccd6cbde8f84ef is the SHA-256 value of the previous sentence. I think it is probably 256 bits of randomness, since English prose contains about one bit of randomness per character and the sentence was 289 characters long.

A. Pounding on my keyboard and hashing the result is probably a good enough source of randomness for an OTP.

B. That doesn't solve the problem of key exchange, which is the real issue.
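The hash-as-distiller idea from the post above, as an added example that is not part of the original post: it counts how many SHA-256 digests are possible when only a few input bits are unknown, and gates key output on a crude entropy credit. The names `distinct_digests`, `min_entropy_per_sample` and `EntropyPool`, and the sample timing values, are assumptions made up for this illustration.

```python
import hashlib
import math
from collections import Counter


def distinct_digests(fixed: bytes, unknown_bits: int) -> int:
    """Count SHA-256 outputs when only `unknown_bits` bits of the input vary."""
    seen = set()
    for value in range(2 ** unknown_bits):
        seen.add(hashlib.sha256(value.to_bytes(4, "big") + fixed).digest())
    return len(seen)


def min_entropy_per_sample(samples) -> float:
    """Crude most-common-value estimate of min-entropy, in bits per sample."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


class EntropyPool:
    """Hash timing samples together; release a key only once enough entropy is credited."""

    def __init__(self, target_bits: int = 256):
        self.target_bits = target_bits
        self.credited_bits = 0.0
        self._hash = hashlib.sha256()

    def add(self, samples) -> None:
        for s in samples:
            self._hash.update(int(s).to_bytes(4, "big"))
        # Credit is an estimate only; it is never more than the data supports.
        self.credited_bits += len(samples) * min_entropy_per_sample(samples)

    def extract(self) -> bytes:
        if self.credited_bits < self.target_bits:
            raise ValueError("not enough entropy credited yet")
        return self._hash.digest()


if __name__ == "__main__":
    # Constructed inter-keystroke gaps in milliseconds (not real measurements).
    gaps = [112, 87, 140, 95] * 4  # four equally frequent values -> 2 bits/sample
    # A 256-bit digest of 4 KiB with 3 unknown bits still has only 8 candidates.
    print(distinct_digests(b"\x00" * 4096, 3))
    pool = EntropyPool()
    pool.add(gaps)
    print(pool.credited_bits)  # well short of the 256-bit target
```

The digest length says nothing about how many values the output can take; the credited estimate is what decides whether `extract()` may hand out key material.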