How to generate secret key with java keytool

What is Java keytool?

The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use the java keytool to generate a secret key in a keystore. In many respects, the java keytool is a competing utility with openssl for keystore, key, and certificate management.

What is a secret key?

A secret key is a single key shared by multiple parties to perform both encryption and decryption. Alternatively, generate a public/private key pair for asymmetric encryption. Common secret key algorithms include DES, 3DES, and AES. We will be using the AES 256 algorithm for demonstration purposes.

What keytool command do I use to generate a secret key in a keystore?

Use this command to generate a secret key in a PKCS12 keystore using the java keytool. The result will be a keystore containing one secret key identified by the given alias.

keytool -genseckey \
 -alias secret \
 -keypass changeit \
 -keyalg AES \
 -keysize 256 \
 -keystore example.p12 \
 -storepass changeit \
 -storetype PKCS12 \
 -v

Java keytool options:

-alias– The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.

-keypass – The secret key password. If not entered, you will either prompted or it will default to the -storepass value if set.

-keyalg – In this example, the AES algorithm was used.

-keysize – For AES, 256 is recommended. While this can be set, not specifying this option will use the default value based on the specified -keyalg.

-keystore – The filename of the keystore.

-storepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.

-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.

-v – Verbose output.