SecureCodeHQ

Encryption Key Generator

Generate AES-compatible encryption keys with exact bit sizes. Choose 128-bit or 256-bit, hex or Base64 encoding. 100% client-side, powered by Web Crypto API.

32 bytes · 256 bits · AES-256 compatible

DID YOU KNOW?

AES-256 is approved by the U.S. government for protecting TOP SECRET information. Brute-forcing a 256-bit key would require more energy than exists in the observable universe. Even with a hypothetical computer checking 10^18 keys per second, it would take about 3 × 10^51 years, roughly 10^41 times the age of the universe.

Encryption keys for developers

01. AES-128 vs AES-256: which one to use

Both AES-128 and AES-256 are considered secure for the foreseeable future. AES-128 uses a 128-bit key (16 bytes) and is faster. AES-256 uses a 256-bit key (32 bytes) and provides a larger security margin against quantum computing. Use AES-256 for long-term data protection or compliance requirements. Use AES-128 when performance matters and data has a shorter lifecycle. In practice, the encryption algorithm matters less than how you manage the keys.

02. What is envelope encryption

Envelope encryption uses two layers of keys: a data encryption key (DEK) encrypts your data, and a key encryption key (KEK) encrypts the DEK. The KEK lives in a KMS (Key Management Service) and never leaves it. This pattern lets you encrypt data locally (fast) while keeping the master key in secure hardware. SecureCodeHQ uses this exact pattern: each secret gets its own DEK, wrapped by Google Cloud KMS.

03. Key management best practices

Never hardcode encryption keys in source code. Store them in a KMS or secrets vault, separate from encrypted data. Rotate keys periodically (90-365 days). Use different keys for different purposes and environments. Log key usage for audit trails. For the highest security, use a hardware security module (HSM) or cloud KMS to protect your master keys — the encryption key you generate here should be stored in a vault, not in a .env file.

Encryption key generator FAQ

Both are secure. AES-256 provides a larger margin against future threats (including quantum computing) and is required by some compliance standards. AES-128 is faster and sufficient for most use cases. When in doubt, use AES-256 — the performance difference is negligible for most applications.

Hex is more readable and commonly used in configuration files and CLI tools. Base64 is more compact (33% shorter) and commonly used in APIs, JWTs, and programmatic contexts. Both represent the same binary data. Choose based on where you'll use the key.

Never store encryption keys alongside the data they encrypt. Use a dedicated secrets manager or KMS. For application-level encryption, store the key in SecureCodeHQ and fetch it at runtime via the SDK. For infrastructure encryption, use your cloud provider's KMS (AWS KMS, Google Cloud KMS, Azure Key Vault).

Envelope encryption wraps your data encryption key (DEK) with a master key (KEK) stored in a KMS. This means the master key never leaves the secure hardware, and you can rotate DEKs independently. If a DEK is compromised, only the data encrypted with that specific key is affected — not your entire system.

Use the Node.js crypto module: `const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(key, 'hex'), iv)`. Always use GCM mode (authenticated encryption) and generate a unique IV for each encryption operation. Store the IV alongside the ciphertext — it doesn't need to be secret.
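The envelope pattern and the AES-256-GCM advice above, combined in one added Node.js example (not SecureCodeHQ's own code). Assumptions: the KEK is a local 32-byte Buffer standing in for a KMS wrap/unwrap call, and the function names, record layout and `secretId` values are hypothetical.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit IV per call. Layout: iv(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  if (key.length !== 32) throw new Error('AES-256 requires a 32-byte key');
  const iv = crypto.randomBytes(12); // unique per operation, not secret
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad); // authenticated but not encrypted
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Reverses seal(); final() throws if key, AAD, IV, tag or ciphertext do not match.
function unseal(key, blob, aad) {
  if (blob.length < 28) throw new Error('blob too short for IV and tag');
  const iv = blob.subarray(0, 12);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Envelope encryption: a per-secret DEK encrypts the data, the KEK only wraps the DEK.
// Assumption: `kek` is a local Buffer; with a real KMS it would never leave the service.
function envelopeEncrypt(kek, secretId, plaintext) {
  const dek = crypto.randomBytes(32);
  const aad = Buffer.from(secretId, 'utf8'); // binds both blobs to this record
  try {
    return {
      secretId,
      wrappedDek: seal(kek, dek, aad).toString('base64'),
      data: seal(dek, Buffer.from(plaintext, 'utf8'), aad).toString('base64'),
    };
  } finally {
    dek.fill(0); // best-effort zeroing of the plaintext DEK
  }
}

function envelopeDecrypt(kek, record) {
  const aad = Buffer.from(record.secretId, 'utf8');
  const dek = unseal(kek, Buffer.from(record.wrappedDek, 'base64'), aad);
  try {
    return unseal(dek, Buffer.from(record.data, 'base64'), aad).toString('utf8');
  } finally {
    dek.fill(0);
  }
}

// Constructed demo values, not real secrets.
const demoKek = crypto.randomBytes(32);
const demoRecord = envelopeEncrypt(demoKek, 'prod/db-password', 'constructed-sample-value');
console.log(demoRecord, envelopeDecrypt(demoKek, demoRecord));
```

Because the record id is passed as additional authenticated data, a wrapped DEK or ciphertext copied onto a different record fails authentication instead of decrypting.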

Generated a key? Store it in a real vault.

SecureCodeHQ uses envelope encryption (the same pattern used by AWS and Google Cloud) to protect your secrets. Store your keys safely.