Monday, December 14, 2009

Keytool keystore Cannot store non-PrivateKeys

Don't believe the error, or a lot of websites....

I have a requirement to encrypt passwords in a file. I figured I'd use the Java security tools to store the encryption key.

Step 1/ Generate the secret key (using AES as the encryption algorithm)
.\keytool -genseckey -alias aestest -keyalg AES -keysize 192

This results in the error
keytool error: java.security.KeyStoreException: Cannot store non-PrivateKeys

After much searching, and some incorrect pointers (keytool cannot generate symmetric keys, keytool cannot generate AES keys etc.), I found the solution. The problem is that the default keystore type is JKS, which holds only private keys and certificates and cannot store symmetric (secret) keys. If you change the keystore type to JCEKS, it works.

e.g.
.\keytool -genseckey -alias aestest -keyalg AES -keysize 192 -storetype JCEKS

One side effect of this is that you then need to specify -storetype JCEKS in every keytool command thereafter, because keytool otherwise assumes the default JKS type and cannot read the file.

e.g.
keytool -list
keytool error: java.io.IOException: Invalid keystore format

keytool -list -storetype JCEKS
Your keystore contains 3 entries

aestest, 14-Dec-2009, SecretKeyEntry,
aestest2, 14-Dec-2009, SecretKeyEntry,
test, 14-Dec-2009, SecretKeyEntry,
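As an added example (not code from the post), the same JKS-versus-JCEKS behaviour reproduced from Java, followed by the stored key being loaded and used to encrypt a password, which is what the post sets out to do. The keystore password "changeit", the temp file names and the "db-password" value are placeholders.

```java
import java.io.*;
import java.security.*;
import java.util.Base64;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class JceksSecretKeyDemo {
    // Placeholder password for both the keystore and the key entry (assumed, not from the post).
    static final char[] PW = "changeit".toCharArray();
    // Generate a 192-bit AES key (as in the post) and save it under 'alias' in a keystore of the
    // given type. JKS holds only private keys and certificates, so setEntry throws
    // KeyStoreException("Cannot store non-PrivateKeys"); JCEKS accepts a SecretKeyEntry.
    static void storeSecretKey(String storeType, File file, String alias) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(192); // needs the unlimited-strength policy files on JREs older than 8u161
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, PW); // null stream = start from an empty keystore
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(PW));
        try (OutputStream out = new FileOutputStream(file)) {
            ks.store(out, PW);
        }
    }
    // Load the key back from the JCEKS file and encrypt one password with AES-GCM.
    // Returns base64(iv):base64(ciphertext) so the value can be decrypted later.
    static String encryptWithStoredKey(File file, String alias, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS"); // must match the type used when storing
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, PW);
        }
        SecretKey key = (SecretKey) ks.getKey(alias, PW);
        byte[] iv = new byte[12]; // fresh 96-bit nonce for every encryption
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes("UTF-8"));
        return Base64.getEncoder().encodeToString(iv) + ":" + Base64.getEncoder().encodeToString(ct);
    }
    public static void main(String[] args) throws Exception {
        try {
            storeSecretKey("JKS", File.createTempFile("demo", ".jks"), "aestest");
        } catch (KeyStoreException e) {
            System.out.println("JKS: " + e.getMessage()); // Cannot store non-PrivateKeys
        }
        File jceks = File.createTempFile("demo", ".jceks");
        storeSecretKey("JCEKS", jceks, "aestest");
        System.out.println("JCEKS: " + encryptWithStoredKey(jceks, "aestest", "db-password"));
    }
}
```

The keystore written by storeSecretKey("JCEKS", ...) is the same format keytool produces with -storetype JCEKS, so keytool -list -storetype JCEKS shows the entry as a SecretKeyEntry.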

6 comments:

QD said...

Thanks for sharing this tip!

gilligan said...

I know this blog post is from long ago, but ...

Geez, thank you so much for this! I just spent quite some time googling around and tripping over false information on how the keystore CANNOT store symmetric keys.

shorley said...

u r d man. thanks!

Kancha Cheena said...

Was helpful. Thanks dude!

Anonymous said...

perfect

Dana Oredson said...

Me too!

I was writing some Java code to do this generation of keys and storing to a file, but I'm glad I did more research and can generate and store with keytool. Less code is better code.