diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg
new file mode 100644
index 0000000..4d001c2
--- /dev/null
+++ b/etc/default/grub.d/40_distrust_cpu.cfg
@@ -0,0 +1,9 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Distrust the CPU for initial entropy as it is not possible to audit
+## and may have unknown backdoors.
+##
+## https://en.wikipedia.org/wiki/RDRAND#Reception
+## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566/
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"