What is Java keytool?
The Java keytool is a command-line utility used to manage keystores in different formats containing keys and certificates. You can use the Java keytool to generate a secret key in a keystore. In many respects, the Java keytool is a competing utility with openssl for keystore, key, and certificate management.
What is a secret key?
A secret key is a single key shared by multiple parties to perform both encryption and decryption. For asymmetric encryption, you would instead generate a public/private key pair. Common secret key algorithms include DES, 3DES, and AES. We will be using the AES 256 algorithm for demonstration purposes.
What keytool command do I use to generate a secret key in a keystore?
Use this command to generate a secret key in a PKCS12 keystore using the Java keytool. The result will be a keystore containing one secret key identified by the given alias.
keytool -genseckey \
  -alias secret \
  -keypass changeit \
  -keyalg AES \
  -keysize 256 \
  -keystore example.p12 \
  -storepass changeit \
  -storetype PKCS12 \
  -v
Java keytool options:
-alias – The alias of the entry encapsulated in the keystore. Choose a value that makes the entry easy to identify, especially when the keystore contains multiple entries.
-keypass – The secret key password. If not entered, you will either be prompted for it or it will default to the -storepass value if set.
-keyalg – In this example, the AES algorithm was used.
-keysize – For AES, 256 is recommended. If this option is omitted, keytool uses a default key size based on the specified -keyalg.
-keystore – The filename of the keystore.
-storepass – The current keystore password. We recommend leaving this option off and letting keytool prompt you instead of writing your password in plain text here.
-storetype – Recommended keystore types include PKCS12 and JKS. In this case, the keystore was of type PKCS12.
-v – Verbose output.
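The following is an added example, not code from the original page, showing how a Java application consumes the keystore produced by the command above. It opens example.p12 with the same alias and passwords (-storepass to open the file, -keypass to unlock the entry), and if the file is not there yet it first builds an equivalent keystore through the KeyStore API, which is what -genseckey does; the loaded AES-256 key is then used with AES-GCM. The class name, the "hello" message and the missing-file fallback are this example's own choices.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class KeystoreSecretKeyDemo {
    // Same demo values as the keytool command on the page; not production settings.
    static final String KEYSTORE = "example.p12", ALIAS = "secret";
    static final char[] STORE_PASS = "changeit".toCharArray();
    static final char[] KEY_PASS = "changeit".toCharArray();

    // Equivalent of "keytool -genseckey -keyalg AES -keysize 256 -storetype PKCS12",
    // run only when example.p12 does not exist so the demo also works on its own.
    static void createIfMissing() throws Exception {
        if (new File(KEYSTORE).exists()) return;
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // start from an empty keystore
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(KEY_PASS)); // -keypass
        try (FileOutputStream out = new FileOutputStream(KEYSTORE)) {
            ks.store(out, STORE_PASS); // -storepass
        }
    }

    // -storepass opens the file, -keypass unlocks the entry named by -alias.
    static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, STORE_PASS);
        }
        SecretKey key = (SecretKey) ks.getKey(ALIAS, KEY_PASS);
        if (key == null) throw new IllegalStateException("no entry for alias " + ALIAS);
        return key;
    }

    public static void main(String[] args) throws Exception {
        createIfMissing();
        SecretKey key = loadKey();
        System.out.println(key.getAlgorithm() + "-" + key.getEncoded().length * 8); // AES-256
        // Use the key with AES-GCM; a fresh random 96-bit nonce for every message.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal("hello".getBytes("UTF-8"));
        gcm.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        System.out.println(new String(gcm.doFinal(ct), "UTF-8")); // hello
    }
}
```

If the keystore was created by keytool with different -alias or -keypass values, loadKey() fails with a null key or an UnrecoverableKeyException, which is the usual symptom of a mismatch between the two passwords.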
Importing a password into a keystore
Alternatively, if you have an existing secret key or password, you can import it into a keystore with the following keytool -importpass command:
Here are the official keytool docs to dive further into how to generate a secret key with the Java keytool: https://docs.oracle.com/javase/10/tools/keytool.htm#GUID-5990A2E4-78E3-47B7-AE75-6D1826259549__CREATEORADDDATATOTHEKEYSTORE-507D49D2