Secret Key Generator
Generate cryptographically secure random secret keys for symmetric encryption, JWT signing, and HMAC. Keys are drawn from a cryptographically secure random source and Base64 encoded, with sizes from 256 to 2048 bits. The size refers to the raw random key; the Base64 string is about a third longer (a 256-bit key encodes to 44 characters), and consumers must decode it back to bytes before use.
Common Use Cases
- Encryption Keys: AES, ChaCha20, or other symmetric ciphers
- JWT Secrets: signing and verifying JSON Web Tokens with the HMAC algorithms (HS256, HS384, HS512)
- HMAC Keys: message authentication codes, i.e. symmetric integrity and authenticity checks (not digital signatures, which need asymmetric keys)
- Session Keys: session management and token generation
- Webhook Secrets: verifying that a webhook payload really came from the sender and was not modified
Important Security Notes
- Store secret keys securely using environment variables or secret managers
- Never commit secret keys to version control (Git, SVN, etc.)
- Rotate keys regularly, especially after potential exposure
- Use different keys for development, staging, and production
- Implement key rotation policies for production systems
Secret Key Security Guide
Secret keys are the foundation of cryptographic security in modern applications. They're used for encrypting data, signing tokens, and verifying message authenticity. Properly generated and stored secret keys are essential for maintaining the security of your systems.
Key Size & Security Strength

256 bits
- AES-256 encryption keys
- HMAC-SHA256 keys
- ChaCha20 encryption
- Standard security applications

512 bits
- JWT signing secrets (HS512 needs at least 512 bits; HS256 needs at least 256)
- HMAC-SHA512 keys
- Session encryption keys
- Enhanced security needs

1024 bits
- High-security encryption
- Master key encryption (KEK)
- Long-term secret storage

2048 bits
- Maximum security requirements
- Critical infrastructure
- Long-term data protection

A caveat on the larger sizes: beyond 256 bits, extra random length does not make a symmetric cipher or MAC stronger. AES-256 and ChaCha20 take exactly a 256-bit key, so a longer secret must be reduced with a KDF such as HKDF before it can be used at all. HMAC keys longer than the hash block size (512 bits for SHA-256, 1024 bits for SHA-512) are replaced by their hash before use (RFC 2104), so a 2048-bit HMAC-SHA256 key behaves exactly like its 256-bit SHA-256 digest. A 256-bit key already keeps about 128 bits of security against Grover's search, which is the accepted post-quantum target for symmetric algorithms; a longer symmetric key is not what "post-quantum resistance" means, since the post-quantum problem is in public-key algorithms. Use the larger sizes where a standard or policy mandates them, not as a substitute for correct key handling.
Common Use Cases
Symmetric Encryption
Encrypt and decrypt data using the same secret key. Used in AES, ChaCha20, and other algorithms. The key must be exactly the cipher's key size (256 bits for AES-256-GCM and ChaCha20-Poly1305), and every message needs a fresh nonce; reusing a nonce under the same key breaks the mode.
Examples: AES-256-GCM, ChaCha20-Poly1305

JWT Secrets
Sign and verify JSON Web Tokens for authentication and authorization. The secret must be at least as long as the hash output: 256 bits for HS256, 384 for HS384, 512 for HS512 (RFC 7518). The verifier must pin the algorithm rather than trust the token's alg header.
Examples: HS256, HS384, HS512

HMAC Keys
Create message authentication codes to verify data integrity and authenticity. Compare the received and recomputed MACs with a constant-time comparison so the check does not leak how many bytes matched.
Examples: HMAC-SHA256, HMAC-SHA512

Webhook Secrets
Verify webhook payloads from third-party services to prevent tampering. Compute the MAC over the raw request body exactly as received, not over re-serialized JSON, or valid deliveries will fail.
Examples: GitHub, Stripe, Shopify webhooks

Session Encryption
Encrypt session data and cookies to protect user information. Use an authenticated mode such as AES-256-GCM so a modified cookie is rejected instead of being decrypted to attacker-influenced garbage.
Examples: Express sessions, cookie encryption
Critical Security Best Practices

NEVER Do These:
- Commit to version control: never add secret keys to Git, SVN, or any VCS
- Hardcode in source code: don't embed keys directly in your application code
- Share via insecure channels: don't send keys via email, Slack, or SMS
- Use weak keys: never use short keys, dictionary words, or predictable values; generate keys from a cryptographically secure random source
- Reuse across environments: production and development must have different keys

ALWAYS Do These:
- Use environment variables: store keys in .env files (excluded from version control) for local development; a .env file is still plaintext on disk, so it is not a substitute for a secret manager in production
- Use secret managers: AWS Secrets Manager, Azure Key Vault, HashiCorp Vault
- Implement key rotation: change keys regularly (every 90 days recommended) and accept both the old and the new key during the rollover so existing tokens keep verifying
- Use separate keys per environment: dev, staging, and production must be isolated
- Encrypt at rest: store keys encrypted when not in use
- Audit access: log and monitor who accesses secret keys
- Revoke compromised keys immediately: have a key rotation plan ready
Example: Storing Keys Securely
# .env file (add to .gitignore! this file holds plaintext secrets)
JWT_SECRET=your-generated-secret-key-here
ENCRYPTION_KEY=another-secret-key-here
WEBHOOK_SECRET=third-secret-key-here
# In your application code (Node.js; the .env file is loaded with a library such as dotenv, or the variables are exported into the process environment by the deployment):
const jwtSecret = process.env.JWT_SECRET
const encryptionKey = process.env.ENCRYPTION_KEY
// Fail at startup rather than running with an undefined secret
if (!jwtSecret || !encryptionKey) throw new Error('required secret is not set')