Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.blindcast.dev/llms.txt

Use this file to discover all available pages before exploring further.

blindcast keygen generates a cryptographically random master key and salt. These are the only two secrets you need to protect — all content encryption keys are derived from them using HKDF.

Usage

blindcast keygen

Output

BLINDCAST_MASTER_KEY=a1b2c3d4e5f6...  (64 hex chars = 32 bytes)
BLINDCAST_SALT=f6e5d4c3b2a1...        (64 hex chars = 32 bytes)
The output is in KEY=VALUE format so you can pipe it directly into a .env file: 
blindcast keygen > .env

JSON output

For scripting and CI/CD: 
blindcast keygen --json

{
  "masterKey": "a1b2c3d4e5f6...",
  "salt": "f6e5d4c3b2a1..."
}

Flags

FlagDescription
--jsonOutput as JSON instead of env vars
Store the master key and salt in a secret manager (AWS Secrets Manager, HashiCorp Vault, etc.). Never commit them to version control. Losing the master key means you cannot decrypt any content encrypted with it — there is no recovery mechanism.

What these are

  • Master key (32 bytes): The root secret from which all content keys are derived. Used by blindcast encrypt, blindcast serve, and the production key server.
  • Salt (32 bytes): A random value used as input to HKDF alongside the master key. Same salt must be used everywhere the master key is used.
See Zero-Knowledge Explained for more on how these fit into the trust model.