Don't like ads? Go Ad-Free Today 

AES Encryption Key Generator

DeveloperSecurity

ADVERTISEMENT · REMOVE?

INPUT

OUTPUT

Client Side

ADVERTISEMENT · REMOVE?

Guide

AES Encryption Key Generator

Generate cryptographically secure AES encryption keys in 128, 192, or 256-bit sizes, in either hexadecimal or Base64 format. Produce up to 10 keys at once for AES-CBC, AES-GCM, AES-CTR, or any AES mode. All keys are generated using the browser’s crypto.getRandomValues() API for true randomness.

How to Use

Select your AES key size (128, 192, or 256 bits), choose your preferred AES mode for context, pick the output format (hex or Base64), and set how many keys to generate. Click Generate to produce your keys instantly. Each key can be copied individually.

Features

3 key sizes – 128-bit (16 bytes), 192-bit (24 bytes), 256-bit (32 bytes)
All AES modes – GCM, CBC, CTR, CFB, OFB, ECB (for context labelling)
Dual output format – hexadecimal or Base64
Batch generation – generate 1 to 10 keys at once
Cryptographically secure – uses crypto.getRandomValues()
Client-side only – keys are never transmitted

ADVERTISEMENT · REMOVE?

 FAQ

What is the difference between AES-128, AES-192, and AES-256?

AES-128, AES-192, and AES-256 refer to the key lengths in bits — 128, 192, and 256 respectively. All three use the same block cipher algorithm on 128-bit blocks but differ in the number of rounds: 10, 12, and 14 rounds respectively. AES-256 offers the highest security margin but is about 40% slower than AES-128. For most applications, AES-128 with a strong random key is considered secure.
What is the difference between AES-GCM and AES-CBC?

AES-GCM (Galois/Counter Mode) is an authenticated encryption mode that provides both confidentiality and integrity/authenticity in a single operation, producing a ciphertext and an authentication tag. AES-CBC (Cipher Block Chaining) provides only confidentiality and requires a separate MAC (e.g., HMAC) for integrity. AES-GCM is preferred in modern protocols like TLS 1.3 because it is faster in hardware and avoids padding oracle vulnerabilities.
Why should AES keys be generated with a CSPRNG?

AES security depends entirely on the key being unpredictable. A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) like crypto.getRandomValues() produces output that is computationally indistinguishable from true randomness, making exhaustive key search infeasible. Using Math.random() or time-based seeds produces predictable keys that can be cracked trivially.
How should AES keys be stored securely?

AES keys should never be stored in source code, environment variables in plain text, or version control. Use a dedicated secrets manager (AWS KMS, HashiCorp Vault, Azure Key Vault) for key storage. For long-lived data, use envelope encryption: encrypt data with a data encryption key (DEK), then encrypt the DEK with a key encryption key (KEK) stored in the KMS. Rotate keys regularly and audit all key access.