Password Tools

Active tool: Password Tools

Selected option: Secret Key Generator

What It Does

Generates cryptographically secure secret keys using the Web Crypto API (crypto.getRandomValues). The output is suitable for encryption keys, HMAC secrets, API tokens, session secrets, webhook signing keys, and any other scenario that requires high-entropy random data.

How to Use It

Pick a preset (recommended) or choose “Custom Configuration” to set every option manually. Presets auto-fill the key length, encoding, and prefix for common use cases.
Adjust the key length if needed. The slider shows both byte count and bit entropy.
Choose an output format (hex, Base64, Base64url, or alphanumeric).
Optionally add a prefix or suffix (e.g., sk_live_) and enable a separator for readability.
Click “Generate”, then “Copy” the result.

Presets Explained

Preset	Size	Format	Use Case
AES-128 / 192 / 256 Key	16 / 24 / 32 bytes	Hex	Symmetric encryption keys for AES-GCM, AES-CBC, or AES-CTR.
HMAC-SHA256 Secret	32 bytes	Base64	Keyed-hash message authentication. Matches the 256-bit output of SHA-256.
HMAC-SHA512 Secret	64 bytes	Base64	Stronger HMAC variant. Matches the 512-bit output of SHA-512.
JWT Secret	32 bytes	Base64url	Signing key for JWT tokens using HS256. Must be at least 256 bits.
API Key (Live / Test)	24 bytes	Base64url	Prefixed API keys (`sk_live_` / `sk_test_`) following the Stripe convention.
Session Secret	64 bytes	Base64	Server-side session signing (Express, Django, Rails, etc.). 512 bits provides a large security margin.
Webhook Secret	32 bytes	Hex	Webhook payload signing with `whsec_` prefix. Shared between the webhook provider and your server.
Database Encryption Key	32 bytes	Hex	Column-level or transparent data encryption. Store securely in a secrets manager, never in code.

Output Formats

Format	Characters	Best For
Hex	0–9, a–f	AES keys, debugging, command-line tools (OpenSSL). 2 chars per byte.
Base64	A–Z, a–z, 0–9, +, /	Compact storage, environment variables, config files. ~1.33 chars per byte.
Base64url	A–Z, a–z, 0–9, -, _	URL-safe contexts: JWT secrets, API keys, query parameters. No padding characters.
Alphanumeric	A–Z, a–z, 0–9	Human-readable keys, systems that reject special characters. Slightly less compact than Base64.

Options Explained

Option	Description
Key length	Size of the random data in bytes. The entropy in bits equals bytes × 8. Common sizes: 16 (128-bit), 32 (256-bit), 64 (512-bit).
Encoding	Output format for the generated key (hex, Base64, Base64url, or alphanumeric).
Prefix / Suffix	Text prepended or appended to the key (e.g., `sk_live_`). Useful for key identification and namespace separation.
Separator	Inserts a character (hyphen, colon, space, or underscore) every N characters for readability. Does not affect the key’s entropy.
Uppercase (hex)	Display hex digits as A–F instead of a–f.

How Much Entropy Do I Need?

Bytes	Bits	Strength
16	128	Minimum for symmetric encryption (AES-128). Sufficient for most non-critical uses.
32	256	Recommended default. Matches AES-256 and HMAC-SHA256. Exceeds brute-force limits for the foreseeable future.
64	512	Maximum security margin. Required for HMAC-SHA512 and session secrets in high-security environments.

Tip: Use 256-bit (32-byte) keys for HMAC-SHA256, AES-256, and JWT HS256 signing. If you are unsure which size to pick, 32 bytes is the safe default for nearly every use case.

Security: Generated keys never leave your browser. Store them in a secrets manager or environment variable — never commit keys to source control or embed them in client-side code.

Secret Key GeneratorKey Preset

Select a preset or configure a custom key.

Key Length: 32 bytes (256 bits entropy)

Output Format

Estimated output: ~64 characters

Prefix (max 20)

Suffix (max 20)

Formatting

Add separators for readability

Preview: 256 bits entropy · Very Strong

Output

Security Note: All keys are generated locally in your browser using a CSPRNG (Web Crypto API). No key material or input data is ever transmitted to a server or stored by this tool.

About Secret Key Generation

Secret keys are high-entropy random values used in cryptographic operations including API authentication, symmetric encryption (AES), message authentication codes (HMAC), and JSON Web Token (JWT) signing. Unlike passwords, secret keys are not meant to be memorized — they are stored in configuration files, environment variables, or key management systems and used programmatically by applications.

Key length directly determines security strength. For AES encryption, 128-bit keys are considered secure against brute-force attacks with classical computers, while 256-bit keys provide a security margin against potential quantum computing advances (Grover's algorithm effectively halves the key strength). HMAC-SHA256 requires a key of at least 256 bits for full security. This tool outputs keys in hexadecimal (2 hex characters per byte) and Base64 (4 characters per 3 bytes) formats, both standard encodings for key material in configuration and code.

Keys must be generated using a CSPRNG — never from hashed passwords, timestamps, or other low-entropy sources. This tool uses the Web Crypto API (crypto.getRandomValues) to produce key material with full cryptographic randomness, suitable for production use in security-sensitive applications.

Common Use Cases

Generating API keys for service-to-service authentication
Creating AES-128 or AES-256 encryption keys for data protection
Producing HMAC secrets for webhook signature verification
Generating JWT signing keys (HS256, HS384, HS512)
Creating session secrets for web frameworks (Express, Django, Rails)
Producing encryption keys for database column-level encryption

What Is a Secret Key?

A secret key (also called a symmetric key) is a piece of random data used by cryptographic algorithms to encrypt, decrypt, or sign information. Unlike passwords — which are human-readable and typically hashed before use — secret keys are raw binary values designed to be consumed directly by algorithms such as AES, HMAC, or ChaCha20. The security of a symmetric key depends entirely on its randomness and length: AES-128 requires a 128-bit (16-byte) key with full entropy, while AES-256 requires 256 bits (32 bytes). Keys are commonly encoded as hexadecimal or Base64 strings for storage and transport. A properly generated secret key should come from a CSPRNG (cryptographically secure pseudorandom number generator) so that no statistical pattern or bias exists. Secret keys are used for API authentication, JWT signing (HS256/HS384/HS512), webhook signature verification, session secrets in web frameworks, and symmetric encryption of data at rest or in transit.

Frequently Asked Questions

What key length should I choose?

For AES encryption, use 128 bits for general purposes or 256 bits for maximum security. For HMAC signing, match the key length to the hash output (e.g., 256 bits for HS256). Longer keys do not improve security beyond the algorithm's block size.

What is the difference between hex and Base64 encoding?

Both represent the same binary key. Hex uses 0-9 and a-f (two characters per byte), while Base64 uses A-Z, a-z, 0-9, +, and / (four characters per three bytes). Base64 is more compact; hex is easier to read and debug.

Can I use a password instead of a generated key?

Passwords have far less entropy than a properly generated key. If you must derive a key from a password, use a key derivation function like PBKDF2, scrypt, or Argon2 to stretch the password into a full-entropy key.

How should I store secret keys?

Store keys in a dedicated secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault) or in environment variables with restricted access. Never commit keys to version control or embed them in client-side code.

All key generation occurs entirely in your browser. No key material is ever transmitted to any server, logged, or stored — ensuring your cryptographic secrets remain fully under your control.