.env · security

OpenSSL Rand Generator

Replicate openssl rand -base64 32 and openssl rand -hex in your browser. Choose byte count and encoding. No OpenSSL required — pure crypto.getRandomValues.

Be the first to rate
Encoding
Bytes
Equivalent CLI command
openssl rand -base64 32
Output
Common use cases
openssl rand -base64 32— AUTH_SECRET, NEXTAUTH_SECRET
openssl rand -hex 32— API tokens, webhook secrets
openssl rand -base64 16— CSRF tokens, short-lived codes
openssl rand -hex 16— RAILS_MASTER_KEY

What it does

  • Replicates openssl rand -base64 and openssl rand -hex
  • Configurable byte count: 16, 32, 48, 64
  • Standard base64 (with padding) matching OpenSSL output exactly
  • Runs in-browser via crypto.getRandomValues — no server, no OpenSSL needed
  • Shows the equivalent CLI command for reference

Privacy

Runs 100% in your browser. Your .env never touches our servers.

client-side only

When to use this tool

  • Generating AUTH_SECRET or NEXTAUTH_SECRET for a Next.js app
  • Creating a JWT signing secret without a terminal
  • Producing a hex token for an API key or webhook secret
  • Replicating openssl rand in a CI environment that lacks OpenSSL

Common mistakes

  • Using -base64 output with special characters unquoted in .env files — always quote values containing +, /, or =
  • Using too few bytes — 16 bytes is sufficient for AES-128 but not for HMAC secrets; use 32 at minimum
  • Confusing byte count with character count — openssl rand -base64 32 outputs 44 characters, not 32
  • Sharing the generated value in a Slack message or ticket — treat it as a secret from the moment it appears

What does openssl rand do?

openssl rand reads from the operating system's cryptographically secure random number generator — /dev/urandom on Linux and macOS, BCryptGenRandom on Windows — and outputs the result in the encoding you specify. This tool uses crypto.getRandomValues(), the browser's CSPRNG, which draws from the same OS source.

base64 vs hex — which to use?

  • base64 — more compact (33% shorter). Used by Auth.js (AUTH_SECRET), HMAC signing keys, and Django password hashers. Output may contain +, /, and = — quote values in your .env.
  • hex — longer but URL-safe and shell-safe without quoting. Used by Rails (SECRET_KEY_BASE, RAILS_MASTER_KEY), API tokens, and webhook secrets.

Common commands and what they're for

  • openssl rand -base64 32 — 44-char base64. Used for AUTH_SECRET, SESSION_SECRET.
  • openssl rand -hex 32 — 64-char hex. Used for API tokens, webhook secrets.
  • openssl rand -hex 16 — 32-char hex. Used for RAILS_MASTER_KEY, AES-128 keys.
  • openssl rand -base64 48 — 64-char base64. Used for HS384 JWT secrets.

Frequently asked questions

Is this as secure as running openssl rand locally?

Yes. This tool uses crypto.getRandomValues, the browser's CSPRNG, which draws from the same OS entropy pool (/dev/urandom on Linux/macOS, BCryptGenRandom on Windows) that OpenSSL uses. The output is statistically equivalent — there is no practical security difference.

When should I use -hex vs -base64?

Use hex when you need a shell-safe, URL-safe token with no special characters (Rails SECRET_KEY_BASE, API tokens, database tokens). Use base64 when you need a shorter representation — base64 is 33% shorter for the same bytes and is standard for HMAC signing keys (AUTH_SECRET, JWT secrets). Note that base64 output may contain +, /, and = characters that need quoting in .env files.

How many bytes should I generate?

32 bytes (256 bits) is the minimum for most cryptographic secrets and matches what openssl rand -base64 32 and openssl rand -hex 32 produce. Use 16 bytes for AES-128 keys or RAILS_MASTER_KEY. Use 48 or 64 bytes for HS384/HS512 JWT secrets.

Is the output sent to a server?

No. The random bytes are generated entirely in your browser using crypto.getRandomValues and never leave your machine.

Related tools

coming soon

Get notified when env syncing launches

We're building a tiny tool to keep .env files in sync across teammates and environments. Leave your email — no spam, just a single launch ping.