> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blindcast.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# blindcast keygen

> Generate a master key and salt for encrypting video content. Store these securely — losing them means losing access to all encrypted content.

`blindcast keygen` generates a cryptographically random master key and salt. These are the only two secrets you need to protect — all content encryption keys are derived from them using [HKDF](/introduction/architecture-overview#key-hierarchy).

## Usage

```bash theme={null}
blindcast keygen
```

## Output

```
BLINDCAST_MASTER_KEY=a1b2c3d4e5f6...  (64 hex chars = 32 bytes)
BLINDCAST_SALT=f6e5d4c3b2a1...        (64 hex chars = 32 bytes)
```

The output is in `KEY=VALUE` format so you can pipe it directly into a `.env` file:

```bash theme={null}
blindcast keygen > .env
```

## JSON output

For scripting and CI/CD:

```bash theme={null}
blindcast keygen --json
```

```json theme={null}
{
  "masterKey": "a1b2c3d4e5f6...",
  "salt": "f6e5d4c3b2a1..."
}
```

## Flags

| Flag     | Description                        |
| -------- | ---------------------------------- |
| `--json` | Output as JSON instead of env vars |

<Warning>
  Store the master key and salt in a secret manager (AWS Secrets Manager, HashiCorp Vault, etc.). Never commit them to version control. Losing the master key means you cannot decrypt any content encrypted with it — there is no recovery mechanism.
</Warning>

## What these are

* **Master key** (32 bytes): The root secret from which all content keys are derived. Used by `blindcast encrypt`, `blindcast serve`, and the production key server.
* **Salt** (32 bytes): A random value used as input to HKDF alongside the master key. Same salt must be used everywhere the master key is used.

See [Zero-Knowledge Explained](/introduction/zero-knowledge-explained) for more on how these fit into the trust model.
