diff --git a/CMakeLists.txt b/CMakeLists.txt
index c64bfee..411d8c7 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -27,6 +27,7 @@ set(SOURCES
     src/se050_wireguard_proto.c
     src/se050_tai64n_hw.c
     src/se050_wireguard.c
+    src/se050_wireguard_se050_rng.c
 )
 
 # Create library
diff --git a/include/se050_wireguard.h b/include/se050_wireguard.h
index dfa4927..999d945 100644
--- a/include/se050_wireguard.h
+++ b/include/se050_wireguard.h
@@ -170,12 +170,32 @@ int se050_wireguard_compute_mac2(se050_wireguard_session_t *session,
 /**
  * @brief Generate a new WireGuard keypair
  * 
+ * Uses system RNG (/dev/urandom on POSIX).
+ * For SE050 hardware RNG, use se050_wireguard_generate_keypair_se050().
+ * 
  * @param private_key Output: private key (32 bytes)
  * @param public_key Output: public key (32 bytes)
  * @return 0 on success, -1 on error
  */
 int se050_wireguard_generate_keypair(uint8_t *private_key, uint8_t *public_key);
 
+/**
+ * @brief Generate WireGuard keypair using SE050 hardware RNG
+ * 
+ * This function uses the SE050 chip's built-in True Random Number Generator
+ * for cryptographically secure key generation.
+ * 
+ * @param session SE050 session context (initialized via se050_session_init())
+ * @param private_key Output: private key (32 bytes)
+ * @param public_key Output: public key (32 bytes)
+ * @return 0 on success, -1 on error
+ */
+#ifdef SE050_ENABLED
+int se050_wireguard_generate_keypair_se050(se050_session_ctx_t *session,
+                                           uint8_t *private_key, 
+                                           uint8_t *public_key);
+#endif
+
 /* =========================================================================
  * Constants
  * ========================================================================= */
diff --git a/src/se050_wireguard.c b/src/se050_wireguard.c
index ebbc887..c3134b5 100644
--- a/src/se050_wireguard.c
+++ b/src/se050_wireguard.c
@@ -400,6 +400,32 @@ static int simple_rng(uint8_t *out, size_t len, void *ctx)
 }
 #endif
 
+/* System RNG fallback (uses /dev/urandom on POSIX) */
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+static int system_rng(uint8_t *out, size_t len, void *ctx)
+{
+    int fd = open("/dev/urandom", O_RDONLY);
+    if (fd < 0) {
+        return -1;
+    }
+    
+    size_t total = 0;
+    while (total < len) {
+        ssize_t n = read(fd, out + total, len - total);
+        if (n < 0) {
+            close(fd);
+            return -1;
+        }
+        total += n;
+    }
+    
+    close(fd);
+    return 0;
+}
+
 int se050_wireguard_generate_keypair(uint8_t *private_key, uint8_t *public_key)
 {
     if (!private_key || !public_key) {
@@ -414,14 +440,10 @@ int se050_wireguard_generate_keypair(uint8_t *private_key, uint8_t *public_key)
         return -1;
     }
 #else
-    /* Production: use secure RNG */
-    /* This would integrate with platform-specific RNG */
-    /* For now, generate deterministic key for testing */
-    for (int i = 0; i < 32; i++) {
-        keypair.private_key[i] = i + 1;
+    /* Production: use system RNG (can be replaced with SE050 RNG) */
+    if (se050_x25519_sw_generate_keypair(&keypair, system_rng, NULL) < 0) {
+        return -1;
     }
-    se050_x25519_sw_clamp(keypair.private_key);
-    x25519_sw(keypair.public_key, keypair.private_key, (const uint8_t*)"basepoint");
 #endif
     
     memcpy(private_key, keypair.private_key, WG_KEY_LEN);
diff --git a/src/se050_wireguard_se050_rng.c b/src/se050_wireguard_se050_rng.c
new file mode 100644
index 0000000..c158b5d
--- /dev/null
+++ b/src/se050_wireguard_se050_rng.c
@@ -0,0 +1,67 @@
+/**
+ * @file se050_wireguard_se050_rng.c
+ * @brief WireGuard with SE050 Hardware RNG Integration
+ * 
+ * This file provides an alternative key generation function that uses
+ * the SE050 hardware TRNG instead of the system RNG.
+ * 
+ * Usage: Link with se050_rng.c and se050_session.c
+ */
+
+#include "se050_wireguard.h"
+#include "se050_x25519_sw.h"
+#include "se050_rng.h"
+#include "se050_session.h"
+
+/* SE050 RNG wrapper for x25519 keypair generation */
+static int se050_rng_wrapper(uint8_t *out, size_t len, void *ctx)
+{
+    se050_rng_ctx_t *rng = (se050_rng_ctx_t *)ctx;
+    
+    if (!rng || !out) {
+        return -1;
+    }
+    
+    se050_status_t ret = se050_rng_generate(rng, out, len);
+    return (ret == SE050_OK) ? 0 : -1;
+}
+
+/**
+ * @brief Generate WireGuard keypair using SE050 hardware RNG
+ * 
+ * @param session SE050 session context (must be initialized)
+ * @param private_key Output: private key (32 bytes)
+ * @param public_key Output: public key (32 bytes)
+ * @return 0 on success, -1 on error
+ */
+int se050_wireguard_generate_keypair_se050(se050_session_ctx_t *session,
+                                           uint8_t *private_key, 
+                                           uint8_t *public_key)
+{
+    if (!session || !private_key || !public_key) {
+        return -1;
+    }
+    
+    /* Initialize SE050 RNG */
+    se050_rng_ctx_t *rng;
+    se050_status_t ret = se050_rng_init(&rng, session);
+    if (ret != SE050_OK) {
+        return -1;
+    }
+    
+    /* Generate keypair using SE050 RNG */
+    se050_x25519_sw_keypair_t keypair;
+    ret = se050_x25519_sw_generate_keypair(&keypair, se050_rng_wrapper, rng);
+    
+    /* Cleanup RNG context */
+    se050_rng_free(rng);
+    
+    if (ret < 0) {
+        return -1;
+    }
+    
+    memcpy(private_key, keypair.private_key, 32);
+    memcpy(public_key, keypair.public_key, 32);
+    
+    return 0;
+}