What is Java keytool?
keytool is the key and certificate management utility that ships with the JDK. It manages keystores in several formats (PKCS12, JKS, JCEKS) holding private keys with their certificate chains, trusted certificates and, in formats that support them, symmetric secret keys. You can use keytool to generate a secret key directly into a keystore. In many respects keytool overlaps with openssl for keystore, key and certificate management, but it speaks the Java keystore formats natively, which is why Java applications usually consume what it produces.
What is a secret key?
A secret (symmetric) key is a single key shared by the communicating parties and used for both encryption and decryption. This contrasts with an asymmetric public/private key pair, which keytool generates with -genkeypair instead. Symmetric algorithms keytool knows about include DES, 3DES (DESede) and AES; DES and 3DES are obsolete and should not be used for new systems. We will use AES with a 256-bit key for the demonstration.
What keytool command do I use to generate a secret key in a keystore?
Use this command to generate a secret key in a PKCS12 keystore using the java keytool. The result will be a keystore containing one secret key identified by the given alias.
keytool -genseckey \
-alias secret \
-keypass changeit \
-keyalg AES \
-keysize 256 \
-keystore example.p12 \
-storepass changeit \
-storetype PKCS12 \
-v
Java keytool options:
-alias
– The alias of the entry encapsulated in the keystore. The chosen value should enhance the readability of the keystore entries, especially when the keystore contains multiple entries.
-keypass
– The password protecting the key entry. If omitted, keytool prompts for it, or falls back to the -storepass value when that is set. For PKCS12 keystores the entry password must match the store password; keytool warns and ignores a -keypass that differs from -storepass.
-keyalg
– The algorithm of the secret key; AES in this example. keytool also accepts DES and DESede, both of which are obsolete.
-keysize
– The key size in bits. For AES, use 256. keytool supplies defaults for DES (56) and DESede (168) when -keysize is omitted, but depending on the JDK version it may refuse to generate an AES key without an explicit -keysize, so always state it.
-keystore
– The filename of the keystore. It is created if it does not exist.
-storepass
– The keystore password. Prefer leaving this option off so keytool prompts for it, or supply it with -storepass:env VARNAME or -storepass:file PATH; a literal password on the command line ends up in shell history and process listings.
-storetype
– Use PKCS12 (the default since JDK 9) or, for older tooling, JCEKS. JKS cannot hold secret key entries: running -genseckey against a JKS keystore fails with "Cannot store non-PrivateKeys". In this case the keystore was of type PKCS12.
-v
– Verbose output.

Importing a password into a keystore
Alternatively, if you already have a password or passphrase that you want to keep in a keystore rather than in a config file, use keytool -importpass instead of -genseckey. It prompts for the value and stores it in the keystore as a PBE-type secret key entry under the given alias, protected by the same store password and -storetype rules as above.
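The two keytool operations above (-genseckey and -importpass) only matter if an application can read the entries back. The following Java program is an added example written for this page, not code from the keytool project or from the original article. It does in code what the two commands do (creates a PKCS12 keystore holding a 256-bit AES key under the alias "secret", then adds a password entry the way -importpass stores it, as a PBE secret key), reads both entries back with the store password, uses the AES key for AES-GCM encryption, and shows what happens when the store password is wrong. The alias "db-password", the sample password "s3cr3t" and the message text are constructed for the example; the class and method names are the author's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;

public class SecretKeyStoreDemo {

    // Mirrors the keytool command on this page: PKCS12 store, alias "secret", password "changeit".
    static final String STORE_TYPE = "PKCS12";
    static final String KEY_ALIAS = "secret";
    static final char[] STORE_PASS = "changeit".toCharArray();

    /** In-code equivalent of "keytool -genseckey -keyalg AES -keysize 256 -storetype PKCS12". */
    static byte[] createStoreWithAesKey(char[] storePass) throws GeneralSecurityException, IOException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();

        KeyStore ks = KeyStore.getInstance(STORE_TYPE); // "JKS" here would fail: it cannot hold SecretKeyEntry
        ks.load(null, null);                            // start with an empty in-memory keystore
        // keytool ignores a -keypass that differs from -storepass for PKCS12, so use the same value here too.
        ks.setEntry(KEY_ALIAS, new KeyStore.SecretKeyEntry(aesKey), new KeyStore.PasswordProtection(storePass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }

    static KeyStore load(byte[] storeBytes, char[] storePass) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        ks.load(new ByteArrayInputStream(storeBytes), storePass); // wrong password -> IOException
        return ks;
    }

    /** In-code equivalent of "keytool -importpass": the password is stored as a PBE secret key entry. */
    static byte[] addPassword(byte[] storeBytes, char[] storePass, String alias, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = load(storeBytes, storePass);
        SecretKey pbeKey = SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(password));
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(pbeKey), new KeyStore.PasswordProtection(storePass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }

    /** Reads a -importpass style entry back into the original characters. */
    static char[] readPassword(byte[] storeBytes, char[] storePass, String alias)
            throws GeneralSecurityException, IOException {
        KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) load(storeBytes, storePass)
                .getEntry(alias, new KeyStore.PasswordProtection(storePass));
        PBEKeySpec spec = (PBEKeySpec) SecretKeyFactory.getInstance("PBE")
                .getKeySpec(entry.getSecretKey(), PBEKeySpec.class);
        return spec.getPassword();
    }

    /** AES-GCM with a fresh 96-bit nonce per message; output is nonce || ciphertext || tag. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // throws AEADBadTagException if tampered
    }

    public static void main(String[] args) throws Exception {
        byte[] store = createStoreWithAesKey(STORE_PASS);
        // Constructed sample: a database password kept in the same keystore under its own alias.
        store = addPassword(store, STORE_PASS, "db-password", "s3cr3t".toCharArray());

        SecretKey aes = (SecretKey) load(store, STORE_PASS).getKey(KEY_ALIAS, STORE_PASS);
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        System.out.println("AES-GCM round trip ok: " + Arrays.equals(msg, decrypt(aes, encrypt(aes, msg))));
        System.out.println("stored password: " + new String(readPassword(store, STORE_PASS, "db-password")));

        try {
            load(store, "wrong".toCharArray());
        } catch (IOException e) {
            System.out.println("wrong store password rejected: " + e.getMessage());
        }
    }
}
```

To use a keystore produced by the keytool command on this page instead of the in-memory one, replace the byte array with the contents of example.p12 and keep the alias and store password the same; KeyStore.getKey returns the AES key exactly as the application-side half of the procedure. The keystore format protects the entries with the store password only, so the password handling advice under -storepass applies to the application as much as to the command line.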
The official keytool documentation covers -genseckey and -importpass in more detail: https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__CREATEORADDDATATOTHEKEYSTORE-507D49D2