Reputation: 16761
I am using Guardian to realize JWT Authentication with an Elixir / Phoenix app. I'm using the HS512 algorithm. And I need a key for that. Are there any conditions for this key except that it has to be 512 bits or longer? It can be any arbitrary string, right?
Upvotes: 19
Views: 50204
Reputation: 651
openssl rand -base64 129 | tr -d '\n'
OpenSSL generates a secret of 129 bytes. 129 bytes is good for HS512 (see https://github.com/ueberauth/guardian/issues/152).
tr removes newlines.
Upvotes: 36
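Added example, not part of the original answers and not Guardian's own code: a POSIX shell sketch that generates a secret the way the openssl rand answer above does, checks that at least 64 random bytes (512 bits, the size of the SHA-512 output, per RFC 7518 section 3.2) stand behind it, and uses the base64 text as the key string to sign and verify an HS512 token. The helper names (gen_secret, secret_len, jwt_sign, jwt_verify) and the sample payload are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; all function names here are hypothetical helpers.
MIN_KEY_BYTES=64   # HS512: key at least as large as the SHA-512 output

# base64url without padding, as used for the three JWT segments
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# gen_secret N: N bytes from OpenSSL's CSPRNG, base64 on a single line
gen_secret() { openssl rand -base64 "$1" | tr -d '\n'; }

# secret_len SECRET: number of random bytes behind the base64 text
secret_len() { printf '%s' "$1" | openssl base64 -d -A | wc -c | tr -d ' '; }

# hmac512 SECRET: HMAC-SHA512 of stdin, keyed with the secret string itself.
# Demo only: -hmac exposes the key in the process list; in an application
# the JWT library computes this in-process.
hmac512() { openssl dgst -sha512 -hmac "$1" -binary | b64url; }

# jwt_sign SECRET PAYLOAD_JSON: refuses secrets with too little key material
jwt_sign() {
  [ "$(secret_len "$1")" -ge "$MIN_KEY_BYTES" ] || {
    echo "secret has fewer than $MIN_KEY_BYTES random bytes" >&2
    return 1
  }
  h=$(printf '%s' '{"alg":"HS512","typ":"JWT"}' | b64url)
  p=$(printf '%s' "$2" | b64url)
  s=$(printf '%s' "$h.$p" | hmac512 "$1")
  printf '%s.%s.%s' "$h" "$p" "$s"
}

# jwt_verify SECRET TOKEN: recompute the MAC over header.payload and compare.
# A shell string compare is not constant-time; libraries use one that is.
jwt_verify() {
  signed=${2%.*}      # header.payload
  sig=${2##*.}        # signature segment
  expected=$(printf '%s' "$signed" | hmac512 "$1")
  [ "$sig" = "$expected" ]
}

# Constructed sample run: 64 random bytes, sample payload, round trip.
secret=$(gen_secret 64)
token=$(jwt_sign "$secret" '{"sub":"42"}')
jwt_verify "$secret" "$token" && echo "token verifies: $token"
```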
Reputation: 16761
In case anyone visits this now: Guardian added a mix task for that.
mix guardian.gen.secret
https://hexdocs.pm/guardian/Mix.Tasks.Guardian.Gen.Secret.html#content
Upvotes: 1
Reputation: 912
The signing key is a byte array of any value or length you wish. Most JWT libraries allow you to use any string as key, which is converted to byte array.
To generate a secure 20-byte key, base64 encoded:
dd if=/dev/random bs=20 count=1 status=none | base64
Upvotes: 2
Reputation: 1190
You need to run this command on a Linux machine with the OpenSSL library installed:
echo -n "somevalue" | openssl sha512 -hmac "somekey"
The output of this command is the HS512 (HMAC SHA512) which you can use as the signing key with any JWT library.
Upvotes: 1
Reputation: 2506
I'm pretty confident that any arbitrary string will work. Best practice would be to store that string in an environment variable and then have your app pull from that.
Upvotes: 0