Yes, it randomly chooses a 32-character string with characters from VALID_KEY_CHARS (which contains the lower-case characters 'a' to 'z', plus digits '0' to '9', so 36 elements).
It uses Python's random.SystemRandom if available (/dev/urandom on Linux, CryptGenRandom() on Windows), and otherwise Python's default Mersenne Twister PRNG is used, and reseeded before every call to get_random_string so it doesn't become predictable. See the source of get_random_string (https://github.com/django/django/blob/master/django/utils/crypto.py).
log2(36 ** 32) =~ about 165 bits of entropy (fewer when using the PRNG).
Greetings,
Remco Gerlich
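
The scheme described in the message above, as an added sketch that is not part of the original message and not Django's own code: it draws a 32-character key from the 36-symbol alphabet, computes the entropy figure, bounds an online guesser's chance of hitting a live session, and shows why a seeded Mersenne Twister alone is not enough. The function names and the session and guess counts are assumptions made for illustration.

```python
import math
import random
import string

# Alphabet from the message: 'a'-'z' plus '0'-'9', 36 symbols.
VALID_KEY_CHARS = string.ascii_lowercase + string.digits
KEY_LENGTH = 32


def new_session_key(rng=None):
    """Draw KEY_LENGTH symbols; defaults to the OS CSPRNG (random.SystemRandom)."""
    if rng is None:
        rng = random.SystemRandom()
    return "".join(rng.choice(VALID_KEY_CHARS) for _ in range(KEY_LENGTH))


def entropy_bits(alphabet_size=len(VALID_KEY_CHARS), length=KEY_LENGTH):
    """Entropy of a uniformly random key: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def guess_hit_probability(active_sessions, guesses, bits=None):
    """Union bound on the chance that any of `guesses` random keys
    equals one of `active_sessions` valid keys."""
    if bits is None:
        bits = entropy_bits()
    return min(1.0, active_sessions * guesses / 2.0 ** bits)


def same_seed_same_key(seed):
    """A Mersenne Twister with a known seed is fully deterministic, so the
    key carries no more entropy than the seed did (hence the reseeding)."""
    return new_session_key(random.Random(seed)) == new_session_key(random.Random(seed))


if __name__ == "__main__":
    print("sample key:        ", new_session_key())
    print("entropy (bits):    ", round(entropy_bits(), 1))
    # Constructed workload: one million live sessions, 10**12 guesses.
    print("guess success <=   ", guess_hit_probability(10**6, 10**12))
    print("seeded PRNG repeats:", same_seed_same_key(42))
```
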