Skip to main content
blindcast keygen generates a cryptographically random master key and salt. These are the only two secrets you need to protect — all content encryption keys are derived from them using HKDF.

Usage

Output

The output is in KEY=VALUE format so you can pipe it directly into a .env file:

JSON output

For scripting and CI/CD:

Flags

Store the master key and salt in a secret manager (AWS Secrets Manager, HashiCorp Vault, etc.). Never commit them to version control. Losing the master key means you cannot decrypt any content encrypted with it — there is no recovery mechanism.

What these are

  • Master key (32 bytes): The root secret from which all content keys are derived. Used by blindcast encrypt, blindcast serve, and the production key server.
  • Salt (32 bytes): A random value used as input to HKDF alongside the master key. Same salt must be used everywhere the master key is used.
See Zero-Knowledge Explained for more on how these fit into the trust model.