blindcast keygen generates a cryptographically random master key and salt. These are the only two secrets you need to protect — all content encryption keys are derived from them using HKDF.
Usage
Output
The output is in KEY=VALUE format so you can pipe it directly into a .env file:
JSON output
For scripting and CI/CD:
Flags
Store the master key and salt in a secret manager (AWS Secrets Manager, HashiCorp Vault, etc.). Never commit them to version control. Losing the master key means you cannot decrypt any content encrypted with it — there is no recovery mechanism.
What these are
- Master key (32 bytes): The root secret from which all content keys are derived. Used by
blindcast encrypt, blindcast serve, and the production key server.
- Salt (32 bytes): A random value used as input to HKDF alongside the master key. Same salt must be used everywhere the master key is used.
See Zero-Knowledge Explained for more on how these fit into the trust model.