keytool is able to generate a secret key since Java 6 with the -genseckey command. Here is an excerpt of the Java 6 keytool documentation:
-genseckey {-alias alias} {-keyalg keyalg}
{-keysize keysize} [-keypass keypass]
{-storetype storetype} {-keystore keystore}
[-storepass storepass]
{-providerClass provider_class_name {-providerArg provider_arg}}
{-v} {-protected} {-Jjavaoption}
Generates a secret key and stores it in a new KeyStore.SecretKeyEntry
identified by alias.
keyalg specifies the algorithm to be used to generate the secret key, and keysize specifies the size of the key to be generated. keypass is a password used to protect the secret key. If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password as that used for the keystore. keypass must be at least 6 characters long.
So the following command will generate a new AES 128 bits key
keytool -genseckey -alias mykey -keyalg AES -keysize 128 \
-storetype jceks -keystore mykeystore.jks
The keytool
command has a typo bug that hides the help information about -genseckey
:
% keytool -help
[...]
-genkeypair [-v] [-protected]
[-alias <alias>]
[-keyalg <keyalg>] [-keysize <taille_clé>]
[-sigalg <sigalg>] [-dname <nomd>]
[-validity <joursVal>] [-keypass <mot_passe_clé>]
[-keystore <keystore>] [-storepass <mot_passe_store>]
[-storetype <storetype>] [-providername <name>]
[-providerclass <provider_class_name> [-providerarg <arg>]] ...
[-providerpath <pathlist>]
-genkeypair [-v] [-protected]
[-alias <alias>] [-keypass <keypass>]
[-keyalg <keyalg>] [-keysize <taille_clé>]
[-keystore <keystore>] [-storepass <mot_passe_store>]
[-storetype <storetype>] [-providername <name>]
[-providerclass <provider_class_name> [-providerarg <arg>]] ...
[-providerpath <pathlist>]
The -genkeypair
command appears twice. In fact the second -genkeypair
should be read -genseckey
. That's why I did not notice the command.
I have encountered this typo bug with Java 1.6.0_26. I have checkd with the latest Java 6 available (1.6.0_31) and it has the same problem. I have also checked with the latest Java 7 and the documentation problem is fixed:
% java -version
java version "1.7.0_03"
Java(TM) SE Runtime Environment (build 1.7.0_03-b04)
Java HotSpot(TM) Server VM (build 22.1-b02, mixed mode)
% keytool -help
[...]
-genkeypair Generates a key pair
-genseckey Generates a secret key
[...]