RSA / AES Key Generator
Generate cryptographic keys for RSA (asymmetric encryption) and AES (symmetric encryption). Create secure keys for SSL/TLS, data encryption, and digital signatures.
RSA Key Size Comparison
| Key Size | Security Strength (NIST SP 800-57) | Status | Recommended Use | Attack Effort* |
|---|---|---|---|---|
| 1024-bit | 80-bit | Deprecated; NIST SP 800-131A disallows it for signature generation | Legacy systems only; migrate | Within reach of a well-resourced attacker; the largest public factorization is RSA-250 (829 bits, 2020) |
| 2048-bit | 112-bit | Minimum recommended | General purpose | Far beyond known classical capability |
| 3072-bit | 128-bit | Recommended | New systems, SSL/TLS | Far beyond known classical capability; matches AES-128 strength |
| 4096-bit | ~140-bit (estimate; not a row in the NIST table) | High security | Sensitive data, long-term keys | Far beyond known classical capability; private-key operations are several times slower than with 2048-bit |
*RSA keys are not brute-forced: the attack is factoring the modulus with the general number field sieve, so effort grows sub-exponentially with key size rather than doubling per bit. None of these sizes resists a large quantum computer running Shor's algorithm; long-term protection calls for post-quantum algorithms, not ever-larger RSA keys.
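A policy check like the following, added here as an example and not code from the key generator, puts the table's minimum into practice: it generates a key with Go's crypto/rsa, maps the modulus size to the NIST security strength (the ~140-bit value for 4096 bits is an estimate, not a NIST row), and rejects anything under 2048 bits or with an unusual public exponent. The same check can be applied to keys parsed from certificates or JWKs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// MinRSABits is the smallest modulus this policy accepts; 2048 bits gives the
// 112-bit security strength NIST SP 800-57 treats as the current minimum.
const MinRSABits = 2048

// SecurityStrengthBits returns the classical security strength NIST SP 800-57
// Part 1 assigns to an RSA modulus size. 4096 bits is not a row in the NIST
// table; ~140 bits is a commonly cited estimate and is an assumption here.
func SecurityStrengthBits(modulusBits int) int {
	switch {
	case modulusBits >= 15360:
		return 256
	case modulusBits >= 7680:
		return 192
	case modulusBits >= 4096:
		return 140
	case modulusBits >= 3072:
		return 128
	case modulusBits >= 2048:
		return 112
	case modulusBits >= 1024:
		return 80
	default:
		return 0
	}
}

// CheckRSAPublicKey applies the policy to any *rsa.PublicKey, so it can run on
// keys parsed from certificates, JWKs or PEM files as well as generated ones.
func CheckRSAPublicKey(pub *rsa.PublicKey) error {
	bits := pub.N.BitLen()
	if bits < MinRSABits {
		return fmt.Errorf("rsa: modulus is %d bits, policy requires at least %d", bits, MinRSABits)
	}
	// 65537 is the conventional exponent; anything else is a red flag worth failing on.
	if pub.E != 65537 {
		return fmt.Errorf("rsa: public exponent %d is not 65537", pub.E)
	}
	return nil
}

// KeyReport is what the policy concluded about a generated key.
type KeyReport struct {
	ModulusBits int
	Strength    int
	Accepted    bool
	Reason      string
}

// GenerateAndCheck generates a key of the requested size (Go 1.24 and later
// refuse sizes below 1024 outright) and reports whether the policy accepts it.
// The key is returned even when rejected so the caller can inspect it.
func GenerateAndCheck(bits int) (*rsa.PrivateKey, KeyReport, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, KeyReport{}, err
	}
	if err := key.Validate(); err != nil { // sanity-check primes and CRT values
		return nil, KeyReport{}, err
	}
	r := KeyReport{ModulusBits: key.N.BitLen(), Strength: SecurityStrengthBits(key.N.BitLen())}
	if err := CheckRSAPublicKey(&key.PublicKey); err != nil {
		r.Reason = err.Error()
	} else {
		r.Accepted = true
	}
	return key, r, nil
}

func main() {
	for _, bits := range []int{1024, 2048} {
		_, r, err := GenerateAndCheck(bits)
		if err != nil {
			fmt.Println("generate failed:", err)
			continue
		}
		fmt.Printf("%d-bit modulus, ~%d-bit strength, accepted=%v %s\n",
			r.ModulusBits, r.Strength, r.Accepted, r.Reason)
	}
}
```

Running it generates a 1024-bit key, which the policy rejects with the reason string, and a 2048-bit key, which it accepts at 112-bit strength. Generating 3072- or 4096-bit keys works the same way but takes noticeably longer, which is the cost the table's last column refers to.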
AES Encryption Modes
ECB - Electronic Codebook
Never use for sensitive data: identical plaintext blocks produce identical ciphertext blocks, so the structure of the data shows through the encryption
- Simple
- Parallelizable
- No IV needed (which is exactly why it leaks patterns)
CBC - Cipher Block Chaining
General encryption; pair it with a MAC, or prefer GCM
- Requires an unpredictable (random) 16-byte IV for every message
- Sequential encryption (decryption can be parallelized)
- Confidentiality only: ciphertext is malleable, and an implementation that reports padding errors can be turned into a padding-oracle attack
GCM - Galois/Counter Mode
Recommended default
- Authenticated encryption (AEAD); can also authenticate unencrypted header data
- Parallelizable
- Includes a 128-bit authentication tag, so tampering is detected before any plaintext is released
- The nonce (96 bits by convention) must never repeat under the same key; reuse leaks plaintext XORs and the authentication key
CTR - Counter Mode
Streaming, random access
- No padding needed
- Parallelizable
- Turns the block cipher into a stream cipher
- Confidentiality only, and nonce/counter reuse is as catastrophic as in GCM
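To see why ECB is ruled out and what the IV or nonce buys in the other modes, this added Go example (not code from the page's tool) encrypts a constructed plaintext of 64 identical fixed-width records, a stand-in for database rows, under ECB, CBC and GCM and counts repeated ciphertext blocks. Go's standard library deliberately has no ECB mode, so the ECB loop is written out by hand; CTR is omitted because, like GCM, it randomizes by counter and behaves the same way here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// ecbEncrypt applies the block cipher to each 16-byte block independently.
// This is what ECB is, and the reason it leaks: equal input blocks give equal
// output blocks. len(pt) must be a multiple of the block size.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	bs := block.BlockSize()
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct
}

// cbcEncrypt chains blocks through a fresh random 16-byte IV, prepended to the output.
func cbcEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	iv := make([]byte, block.BlockSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// gcmEncrypt uses a fresh random 96-bit nonce (prepended) and appends a 16-byte tag.
func gcmEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// RepeatedBlocks counts the 16-byte ciphertext blocks that occur more than once.
// Any repeat tells an observer that two plaintext blocks were identical.
func RepeatedBlocks(ct []byte) int {
	counts := map[[16]byte]int{}
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		counts[b]++
	}
	repeated := 0
	for _, n := range counts {
		if n > 1 {
			repeated += n
		}
	}
	return repeated
}

// CompareModes encrypts the same repetitive plaintext under each mode and
// returns how many ciphertext blocks repeat per mode.
func CompareModes(key []byte) (map[string]int, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// Constructed sample: one 16-byte record repeated 64 times.
	pt := bytes.Repeat([]byte("ACCT=0001;BAL=0;"), 64)

	cbc, err := cbcEncrypt(block, pt)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmEncrypt(block, pt)
	if err != nil {
		return nil, err
	}
	return map[string]int{
		"ECB": RepeatedBlocks(ecbEncrypt(block, pt)),
		"CBC": RepeatedBlocks(cbc[16:]), // skip the IV
		"GCM": RepeatedBlocks(gcm[12:]), // skip the nonce
	}, nil
}

func main() {
	key := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	res, err := CompareModes(key)
	if err != nil {
		panic(err)
	}
	for _, mode := range []string{"ECB", "CBC", "GCM"} {
		fmt.Printf("%s: %d repeated ciphertext blocks\n", mode, res[mode])
	}
}
```

ECB reports all 64 blocks as repeats, so an observer who can see the ciphertext can tell every record is the same; CBC and GCM report none, because the IV or nonce makes each encryption of the same block different.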
Common Use Cases
SSL/TLS Certificates
RSA: Server authentication through certificate signatures (TLS 1.3 no longer uses RSA for key exchange)
Key: 2048-bit or 3072-bit • Lifetime: 1 year; publicly trusted certificates are capped at 398 days
API Authentication
RSA: JWT token signing and verification (RS256, or preferably PS256)
Key: 2048-bit • Lifetime: 1 year
Database Encryption
AES: Encrypt sensitive fields at rest
Key: 256-bit • Lifetime: 6-12 months
File Encryption
AES: Encrypt files before cloud storage
Key: 256-bit • Lifetime: Per file or session
Key Management Best Practices
Secure Storage
Use HSMs, key management services, or encrypted key stores. Never store keys in source code.
Regular Rotation
Rotate keys periodically based on sensitivity. Have a key rotation policy and procedure.
Access Control
Implement least privilege access. Audit key usage. Separate duties for key management.
Frequently Asked Questions
RSA is asymmetric encryption (public/private key pair) used for key exchange and digital signatures. AES is symmetric encryption (single shared key) used for bulk data encryption. RSA is slower by orders of magnitude, so in practice the two are combined: RSA protects or agrees an AES key, and AES encrypts the data itself.
For production: 2048-bit (minimum), 3072-bit (recommended for new systems), 4096-bit (high security). 1024-bit is considered insecure and should not be used. Larger moduli are more secure but slower: the cost of private-key operations (signing, decryption) grows roughly with the cube of the modulus size, so a 4096-bit key is several times slower than a 2048-bit one, while public-key operations stay cheap.
128-bit: Good security, fast. 192-bit: Better security. 256-bit: Maximum security (recommended for sensitive data). All AES key sizes are considered secure against brute-force attacks with current technology; a 2^128 keyspace is already far out of reach. The practical reason to choose AES-256 is margin: it keeps 128-bit strength even against Grover's algorithm on a future quantum computer, at the cost of only four extra rounds (14 instead of 10).
An IV (or nonce) is a value supplied alongside the key so that identical plaintexts produce different ciphertexts; without it, patterns in the data show through. Requirements depend on the mode: CBC needs an unpredictable (random) 16-byte IV, while CTR and GCM need a nonce that is unique for every message under a given key (GCM uses 96 bits by convention; if nonces are chosen randomly, NIST SP 800-38D limits a key to 2^32 messages). A repeated nonce in CTR or GCM reveals the XOR of the two plaintexts, and in GCM also leaks the authentication key, so it is far worse than a predictable IV in CBC. IVs do not need to be secret; they are normally sent in the clear, prepended to the ciphertext.
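The nonce-reuse failure described above, as an added Go example rather than code from the page's tool: two constructed messages are encrypted with AES-CTR under the same key and the same fixed IV, and an eavesdropper who knows the first message recovers the second without the key, because both ciphertexts were XORed with the same keystream. NewIV shows what every message should get instead.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// ctrEncrypt encrypts with AES-CTR under an explicit 16-byte IV so the reuse
// can be reproduced deliberately. Real code must take the IV from NewIV.
func ctrEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct, nil
}

// RecoverFromReusedIV needs no key: with one keystream used twice,
// ct1 XOR ct2 == pt1 XOR pt2, so knowing pt1 reveals pt2 byte for byte.
func RecoverFromReusedIV(ct1, pt1, ct2 []byte) []byte {
	n := len(ct1)
	if len(ct2) < n {
		n = len(ct2)
	}
	if len(pt1) < n {
		n = len(pt1)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = ct1[i] ^ pt1[i] ^ ct2[i]
	}
	return out
}

// NewIV returns a fresh random IV/nonce of the size the mode expects
// (16 bytes for CTR and CBC, 12 bytes for GCM).
func NewIV(size int) ([]byte, error) {
	iv := make([]byte, size)
	_, err := io.ReadFull(rand.Reader, iv)
	return iv, err
}

// ReuseDemo encrypts two constructed messages under the same key and IV and
// returns what an eavesdropper who knows the first message recovers of the
// second, plus whether the recovery is exact.
func ReuseDemo() (recovered string, leaked bool, err error) {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed AES-256 key
	iv := bytes.Repeat([]byte{0x42}, 16)               // the mistake: a fixed IV
	pt1 := []byte("TRANSFER 100 USD TO ACCOUNT 1111")  // known to the attacker
	pt2 := []byte("TRANSFER 999 USD TO ACCOUNT 9999")  // the one they want

	ct1, err := ctrEncrypt(key, iv, pt1)
	if err != nil {
		return "", false, err
	}
	ct2, err := ctrEncrypt(key, iv, pt2)
	if err != nil {
		return "", false, err
	}
	got := RecoverFromReusedIV(ct1, pt1, ct2)
	return string(got), bytes.Equal(got, pt2), nil
}

func main() {
	recovered, leaked, err := ReuseDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %q (leaked=%v)\n", recovered, leaked)

	iv, err := NewIV(16) // what each message should have been given
	if err != nil {
		panic(err)
	}
	fmt.Printf("fresh IV: %x\n", iv)
}
```

The same algebra applies to GCM, whose encryption is CTR underneath; there the repeated nonce additionally exposes the GHASH key, so forged tags follow.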
Never store keys in source code. Use key management services (AWS KMS, HashiCorp Vault), hardware security modules (HSM), or encrypted configuration stores. Environment variables are common but weak: they are inherited by child processes and routinely end up in crash dumps, debug endpoints and CI logs, so treat them as a last resort rather than a recommendation. Implement key rotation and access controls.
PEM (Privacy-Enhanced Mail) is Base64-encoded ASCII text between header and footer lines such as -----BEGIN PRIVATE KEY-----. DER (Distinguished Encoding Rules) is the binary ASN.1 encoding. They carry the same structure: the PEM body is simply the DER bytes, Base64-encoded. PEM is human-readable and copy-paste friendly, so it is the usual file format for certificates and keys; DER is more compact and is what is actually sent on the wire in TLS. The header type tells you the structure inside: PRIVATE KEY is PKCS#8, RSA PRIVATE KEY is the older PKCS#1 format.
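The PEM/DER relationship, as an added Go example that is not the page's own code: a freshly generated RSA key is written as PKCS#8 DER and as PEM, a loader accepts either format by sniffing the header line (and also handles the older PKCS#1 PEM type), and PEMBodyIsDER checks directly that stripping the header and footer and Base64-decoding the body yields exactly the DER bytes.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// ToDER serialises a private key as PKCS#8 DER, the binary form.
func ToDER(key *rsa.PrivateKey) ([]byte, error) {
	return x509.MarshalPKCS8PrivateKey(key)
}

// ToPEM wraps those DER bytes in PEM armour: header line, Base64 body, footer line.
func ToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

// LoadPrivateKey accepts either format, detecting PEM by its header line, and
// also understands the older PKCS#1 "RSA PRIVATE KEY" PEM type.
func LoadPrivateKey(data []byte) (*rsa.PrivateKey, error) {
	der := data
	if bytes.HasPrefix(bytes.TrimSpace(data), []byte("-----BEGIN")) {
		block, _ := pem.Decode(data)
		if block == nil {
			return nil, errors.New("pem: no block found")
		}
		switch block.Type {
		case "RSA PRIVATE KEY":
			return x509.ParsePKCS1PrivateKey(block.Bytes)
		case "PRIVATE KEY":
			der = block.Bytes
		default:
			return nil, fmt.Errorf("pem: unexpected block type %q", block.Type)
		}
	}
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("expected an RSA key, got %T", parsed)
	}
	return key, nil
}

// PEMBodyIsDER checks the relationship directly: drop the header and footer
// lines, Base64-decode what is left, and compare with the DER bytes.
func PEMBodyIsDER(pemData, der []byte) bool {
	lines := bytes.Split(bytes.TrimSpace(pemData), []byte("\n"))
	if len(lines) < 3 {
		return false
	}
	body := bytes.Join(lines[1:len(lines)-1], nil)
	decoded, err := base64.StdEncoding.DecodeString(string(body))
	return err == nil && bytes.Equal(decoded, der)
}

// RoundTrip generates a key, writes it in both formats, loads each back and
// reports the sizes and whether everything agrees.
func RoundTrip() (pemLen, derLen int, consistent bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return 0, 0, false, err
	}
	der, err := ToDER(key)
	if err != nil {
		return 0, 0, false, err
	}
	pemData := ToPEM(der)
	fromPEM, err := LoadPrivateKey(pemData)
	if err != nil {
		return 0, 0, false, err
	}
	fromDER, err := LoadPrivateKey(der)
	if err != nil {
		return 0, 0, false, err
	}
	consistent = key.Equal(fromPEM) && key.Equal(fromDER) && PEMBodyIsDER(pemData, der)
	return len(pemData), len(der), consistent, nil
}

func main() {
	pemLen, derLen, ok, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("PEM %d bytes, DER %d bytes, consistent=%v\n", pemLen, derLen, ok)
}
```

The PEM file comes out roughly a third larger than the DER, which is the whole difference between the two: same key, same ASN.1 structure, one of them text-safe.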
Technically yes, but it is a security risk. Best practice is separate key pairs: one for encryption/decryption (RSA-OAEP) and another for signing/verification (RSA-PSS). The two operations are the same modular arithmetic with different padding, so a bug or an oracle in one path can be turned against the other, and a decryption key that also signs has to be protected as tightly as its most valuable use. Separate pairs can also be rotated, revoked and audited independently; certificates express the split with the key usage extension.
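One way to enforce that separation in code, as an added Go example rather than the page's own tooling: each key pair is tagged with a single usage when it is created, the encryption pair only does RSA-OAEP, the signing pair only does RSA-PSS, and asking either to do the other's job returns ErrWrongUsage. The Usage type, KeyPair struct and ErrWrongUsage are names introduced here for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Usage records what a key pair is for; every method refuses the other use.
type Usage int

const (
	UsageEncrypt Usage = iota + 1 // RSA-OAEP encrypt/decrypt only
	UsageSign                     // RSA-PSS sign/verify only
)

// ErrWrongUsage is returned when a key is asked to do the job it was not made for.
var ErrWrongUsage = errors.New("key pair is not designated for this operation")

// KeyPair binds an RSA key to a single usage at creation time.
type KeyPair struct {
	usage Usage
	priv  *rsa.PrivateKey
}

// NewKeyPair generates a fresh key for exactly one purpose.
func NewKeyPair(usage Usage, bits int) (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyPair{usage: usage, priv: priv}, nil
}

// Encrypt and Decrypt use RSA-OAEP with SHA-256, never PKCS#1 v1.5.
func (k *KeyPair) Encrypt(msg []byte) ([]byte, error) {
	if k.usage != UsageEncrypt {
		return nil, ErrWrongUsage
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &k.priv.PublicKey, msg, nil)
}

func (k *KeyPair) Decrypt(ct []byte) ([]byte, error) {
	if k.usage != UsageEncrypt {
		return nil, ErrWrongUsage
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, ct, nil)
}

// Sign and Verify use RSA-PSS over a SHA-256 digest.
func (k *KeyPair) Sign(msg []byte) ([]byte, error) {
	if k.usage != UsageSign {
		return nil, ErrWrongUsage
	}
	digest := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, k.priv, crypto.SHA256, digest[:], nil)
}

func (k *KeyPair) Verify(msg, sig []byte) error {
	if k.usage != UsageSign {
		return ErrWrongUsage
	}
	digest := sha256.Sum256(msg)
	return rsa.VerifyPSS(&k.priv.PublicKey, crypto.SHA256, digest[:], sig, nil)
}

// Demo runs both pairs on a constructed message and reports whether the
// legitimate operations work and whether cross-use is refused.
func Demo() (decrypted string, sigOK, crossUseRefused bool, err error) {
	encKey, err := NewKeyPair(UsageEncrypt, 2048)
	if err != nil {
		return "", false, false, err
	}
	sigKey, err := NewKeyPair(UsageSign, 2048)
	if err != nil {
		return "", false, false, err
	}
	msg := []byte("wrapped AES key: constructed sample") // well under OAEP's size limit

	ct, err := encKey.Encrypt(msg)
	if err != nil {
		return "", false, false, err
	}
	pt, err := encKey.Decrypt(ct)
	if err != nil {
		return "", false, false, err
	}
	sig, err := sigKey.Sign(msg)
	if err != nil {
		return "", false, false, err
	}
	sigOK = sigKey.Verify(msg, sig) == nil

	_, e1 := encKey.Sign(msg)    // encryption key asked to sign
	_, e2 := sigKey.Encrypt(msg) // signing key asked to encrypt
	crossUseRefused = errors.Is(e1, ErrWrongUsage) && errors.Is(e2, ErrWrongUsage)
	return string(pt), sigOK, crossUseRefused, nil
}

func main() {
	pt, sigOK, refused, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted=%q signature_valid=%v cross_use_refused=%v\n", pt, sigOK, refused)
}
```

The check is deliberately placed inside the methods rather than left to callers, so a key loaded for one purpose cannot drift into the other as the codebase grows.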
RSA keys: 1-2 years for long-lived keys such as certificate and token-signing keys, more often for keys that sign at high volume. AES data keys: based on data sensitivity and encryption volume (monthly to annually), and always within the per-key message limits of the mode (for GCM with random nonces, 2^32 messages). Rotate immediately after a security incident or suspected breach.
CBC (Cipher Block Chaining) provides confidentiality only: anyone can flip bits in the ciphertext and change the decrypted plaintext in a predictable way, and an implementation that reports padding errors can be turned into a padding oracle that decrypts data without the key. GCM (Galois/Counter Mode) provides both confidentiality and authenticity: a modified ciphertext fails tag verification and no plaintext is released. GCM is generally preferred for that reason; if CBC is unavoidable, add a MAC over the IV and ciphertext (encrypt-then-MAC) and verify it before decrypting.
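The malleability difference, as an added Go example that is not the page's own code: the same one-byte change is made to a CBC ciphertext and to a GCM ciphertext. CBC decrypts the tampered data without complaint and the second block now reads admin=1, while GCM refuses to return anything. The key, IV, nonce and plaintext are constructed samples fixed so the result is reproducible; a fixed IV or nonce is itself a mistake in real code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample values, fixed so the demo is deterministic.
var (
	sampleKey   = []byte("0123456789abcdef0123456789abcdef") // AES-256
	sampleIV    = bytes.Repeat([]byte{0x11}, 16)            // CBC IV
	sampleNonce = bytes.Repeat([]byte{0x22}, 12)            // GCM nonce
	// Two 16-byte blocks; the attacker wants to turn admin=0 into admin=1.
	plaintext = []byte("user=alice;xxxxx" + "admin=0;yyyyyyyy")
)

// tamper flips the single bit that turns '0' into '1' at ciphertext byte 6.
func tamper(ct []byte) {
	ct[6] ^= '0' ^ '1'
}

// CBCFlipDemo shows CBC malleability. In CBC decryption P[i] = D(C[i]) XOR
// C[i-1], so flipping a bit in block 0 of the ciphertext flips the same bit in
// decrypted block 1 and merely scrambles decrypted block 0. Nothing detects it.
func CBCFlipDemo() (secondBlock string, err error) {
	block, err := aes.NewCipher(sampleKey)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, sampleIV).CryptBlocks(ct, plaintext)

	tamper(ct)

	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, sampleIV).CryptBlocks(pt, ct)
	return string(pt[16:]), nil
}

// GCMFlipDemo applies the identical change to a GCM ciphertext. Open verifies
// the 16-byte tag before releasing plaintext and returns an error instead.
func GCMFlipDemo() (rejected bool, err error) {
	block, err := aes.NewCipher(sampleKey)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	ct := aead.Seal(nil, sampleNonce, plaintext, nil)

	tamper(ct)

	_, err = aead.Open(nil, sampleNonce, ct, nil)
	return err != nil, nil
}

func main() {
	cbc, err := CBCFlipDemo()
	if err != nil {
		panic(err)
	}
	gcmRejected, err := GCMFlipDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CBC second block after tampering: %q\n", cbc)
	fmt.Printf("GCM rejected tampered ciphertext: %v\n", gcmRejected)
}
```

Note that the CBC attacker never needed the key or the IV: the bit they wanted to flip in the plaintext maps directly to a bit in the previous ciphertext block, which is why CBC without a MAC cannot protect fields an attacker might want to edit.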