What does openssl rand do?
openssl rand reads from the operating system's cryptographically secure random number generator — /dev/urandom on Linux and macOS, BCryptGenRandom on Windows — and outputs the result in the encoding you specify. This tool uses crypto.getRandomValues(), the browser's CSPRNG, which draws from the same OS source.
base64 vs hex — which to use?
- base64 — more compact (33% shorter). Used by Auth.js (
AUTH_SECRET), HMAC signing keys, and Django password hashers. Output may contain+,/, and=— quote values in your.env. - hex — longer but URL-safe and shell-safe without quoting. Used by Rails (
SECRET_KEY_BASE,RAILS_MASTER_KEY), API tokens, and webhook secrets.
Common commands and what they're for
openssl rand -base64 32— 44-char base64. Used forAUTH_SECRET,SESSION_SECRET.openssl rand -hex 32— 64-char hex. Used for API tokens, webhook secrets.openssl rand -hex 16— 32-char hex. Used forRAILS_MASTER_KEY, AES-128 keys.openssl rand -base64 48— 64-char base64. Used for HS384 JWT secrets.