blindcast keygen generates a cryptographically random master key and salt. These are the only two secrets you need to protect — all content encryption keys are derived from them using HKDF.
## Usage

```sh
blindcast keygen
```

## Output

```
BLINDCAST_MASTER_KEY=a1b2c3d4e5f6... (64 hex chars = 32 bytes)
BLINDCAST_SALT=f6e5d4c3b2a1... (64 hex chars = 32 bytes)
```

The output is in KEY=VALUE format, so you can redirect it straight into a .env file:

```sh
blindcast keygen >> .env
```
## JSON output

For scripting and CI/CD:

```json
{
  "masterKey": "a1b2c3d4e5f6...",
  "salt": "f6e5d4c3b2a1..."
}
```
## Flags

| Flag | Description |
|---|---|
| `--json` | Output as JSON instead of env vars |
Store the master key and salt in a secret manager (AWS Secrets Manager, HashiCorp Vault, etc.). Never commit them to version control. Losing the master key means you cannot decrypt any content encrypted with it — there is no recovery mechanism.
## What these are

- **Master key** (32 bytes): The root secret from which all content keys are derived. Used by `blindcast encrypt`, `blindcast serve`, and the production key server.
- **Salt** (32 bytes): A random value used as input to HKDF alongside the master key. The same salt must be used everywhere the master key is used; a different salt derives different content keys, so content encrypted under one salt cannot be decrypted with another.
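The following Python is an added illustration, not blindcast's own code: it derives a per-content key from the master key and salt with HKDF-SHA256 (RFC 5869) and shows why the same salt must be used everywhere, since a different salt yields a different content key. The `info` label built from a `content_id` is an assumption; the tool's actual HKDF parameters are not documented on this page.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF limit")
    okm, t = b"", b""
    for i in range(1, -(-length // HASH_LEN) + 1):  # ceil(length / HASH_LEN) blocks
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
    return okm[:length]


def derive_content_key(master_key_hex: str, salt_hex: str, content_id: str) -> bytes:
    """Derive a 32-byte content encryption key from the two keygen secrets.

    master_key_hex / salt_hex are the 64-hex-char values keygen prints.
    The info label (assumed here) binds the output to one content item, so
    every item gets its own key while only the master key and salt are stored.
    """
    master_key = bytes.fromhex(master_key_hex)
    salt = bytes.fromhex(salt_hex)
    if len(master_key) != 32 or len(salt) != 32:
        raise ValueError("master key and salt must each be 32 bytes (64 hex chars)")
    info = b"blindcast-content-key:" + content_id.encode()  # assumed label
    return hkdf_expand(hkdf_extract(salt, master_key), info, 32)
```

Running `derive_content_key` with the same master key but a different salt for the same `content_id` returns a different key, which is the practical reason the salt must travel with the master key everywhere.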
See Zero-Knowledge Explained for more on how these fit into the trust model.