Is there a command line tool to generate symmetric keys in a Java keystore?

Question

I am writing a procedure about key renewing for my application. This procedure will be executed by a sysadmin every year or so.

In my application, there is a symmetric key used to cipher some data before storing it in the database. This key is stored in a Java keystore.

When the application must store some data in the database in a ciphered way, the key alias to use is read from a configuration file, the key is read from the Java keystore with this key alias, the data is ciphered with the key and I store everything in the database: the key alias, the Initialization Vector and the ciphered data, all separated with semi-colons.

So the procedure to use another key is straightforward:

1. generate a new symmetric key in the Java Keystore with another alias
2. change the configuration file to use this new key alias

But I do not know any command-line tool that can create a symmetric key in a Java keystore. The java keytool utility can only create key pairs.

Is there a command line tool to generate symmetric keys in a Java keystore or should I develop my own tool?

Answer 1

keytool is able to generate a secret key since Java 6 with the -genseckey command. Here is an excerpt of the Java 6 keytool documentation:

-genseckey {-alias alias} {-keyalg keyalg}
       {-keysize keysize} [-keypass keypass]
       {-storetype storetype} {-keystore keystore}
       [-storepass storepass]
       {-providerClass provider_class_name {-providerArg provider_arg}}
       {-v} {-protected} {-Jjavaoption}

Generates a secret key and stores it in a new KeyStore.SecretKeyEntry identified by alias.

keyalg specifies the algorithm to be used to generate the secret key, and keysize specifies the size of the key to be generated. keypass is a password used to protect the secret key. If no password is provided, the user is prompted for it. If you press RETURN at the prompt, the key password is set to the same password as that used for the keystore. keypass must be at least 6 characters long.

So the following command will generate a new AES 128 bits key

keytool -genseckey -alias mykey -keyalg AES -keysize 128 \
    -storetype jceks -keystore mykeystore.jks

The keytool command has a typo bug that hides the help information about -genseckey:

% keytool -help
[...]
-genkeypair  [-v] [-protected]
         [-alias <alias>]
         [-keyalg <keyalg>] [-keysize <taille_clé>]
         [-sigalg <sigalg>] [-dname <nomd>]
         [-validity <joursVal>] [-keypass <mot_passe_clé>]
         [-keystore <keystore>] [-storepass <mot_passe_store>]
         [-storetype <storetype>] [-providername <name>]
         [-providerclass <provider_class_name> [-providerarg <arg>]] ...
         [-providerpath <pathlist>]

-genkeypair  [-v] [-protected]
         [-alias <alias>] [-keypass <keypass>]
         [-keyalg <keyalg>] [-keysize <taille_clé>]
         [-keystore <keystore>] [-storepass <mot_passe_store>]
         [-storetype <storetype>] [-providername <name>]
         [-providerclass <provider_class_name> [-providerarg <arg>]] ...
         [-providerpath <pathlist>] 

The -genkeypair command appears twice. In fact the second -genkeypair should be read -genseckey. That's why I did not notice the command.

I have encountered this typo bug with Java 1.6.0_26. I have checkd with the latest Java 6 available (1.6.0_31) and it has the same problem. I have also checked with the latest Java 7 and the documentation problem is fixed:

% java -version
java version "1.7.0_03"
Java(TM) SE Runtime Environment (build 1.7.0_03-b04)
Java HotSpot(TM) Server VM (build 22.1-b02, mixed mode)
% keytool -help
 [...]
 -genkeypair         Generates a key pair
 -genseckey          Generates a secret key
 [...]