home / skills / openclaw / skills / openssl

openssl skill

safe

This skill generates cryptographically secure random data and secrets using OpenSSL, suitable for passwords, API keys, and tokens.

npx playbooks add skill openclaw/skills --skill openssl

Review the files below or copy the command above to add this skill to your agents.

Files (2)

SKILL.md

1.1 KB

---
name: openssl
description: Generate secure random strings, passwords, and cryptographic tokens using OpenSSL. Use when creating passwords, API keys, secrets, or any secure random data.
---

# OpenSSL Secure Generation

Generate cryptographically secure random data using `openssl rand`.

## Password/Secret Generation

```bash
# 32 random bytes as base64 (43 chars, URL-safe with tr)
openssl rand -base64 32 | tr '+/' '-_' | tr -d '='

# 24 random bytes as hex (48 chars)
openssl rand -hex 24

# alphanumeric password (32 chars)
openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32
```

## Common Lengths

| Use Case | Command |
|----------|---------|
| Password (strong) | `openssl rand -base64 24` |
| API key | `openssl rand -hex 32` |
| Session token | `openssl rand -base64 48` |
| Short PIN (8 digits) | `openssl rand -hex 4 | xxd -r -p | od -An -tu4 | tr -d ' ' | head -c 8` |

## Notes

- `-base64` outputs ~1.33x the byte count in characters
- `-hex` outputs 2x the byte count in characters
- Pipe through `tr -dc` to filter character sets
- Always use at least 16 bytes (128 bits) for secrets

Overview

This skill generates cryptographically secure random strings, passwords, and tokens using OpenSSL. It provides ready-to-run commands for base64, hex, and constrained-character outputs suitable for secrets, API keys, and session tokens. It is focused on practical, command-line generation patterns you can use immediately. The outputs are designed to meet common entropy recommendations for secrets.

How this skill works

The skill uses the openssl rand command to produce raw random bytes, then encodes them as base64 or hex or filters them to desired character sets. It explains how byte length maps to output length (base64 ≈1.33x, hex = 2x) and shows simple Unix pipes (tr, head) to sanitize or truncate results. Examples target common secret sizes and formats so you can copy commands for automation or manual use.

When to use it

Creating strong passwords for user accounts or admin access
Generating API keys and long-lived tokens for services
Producing session tokens or CSRF tokens for web applications
Creating random secrets for encryption keys and config files
Making short numeric PINs or temporary codes for verification

Best practices

Always use at least 16 bytes (128 bits) of entropy for secrets
Prefer base64 or hex for reliable encoding; strip padding or unsafe chars if needed
Filter with tr -dc to restrict character sets when external constraints exist
Avoid reusing generated secrets and store them securely (vault or key management)
Test output lengths for your target system to ensure compatibility

Example use cases

Generate a URL-safe 32-character secret: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='
Create a 64-character API key in hex: openssl rand -hex 32
Produce a 32-character alphanumeric password: openssl rand -base64 48 | tr -dc 'a-zA-Z0-9' | head -c 32
Make a short 8-digit PIN from random bytes using xxd/od for numeric output
Generate session tokens (high entropy) with openssl rand -base64 48 for web sessions

FAQ

How many bytes should I use for an API key?

Use at least 16 bytes (128 bits); 32 bytes (256 bits) is common for long-lived API keys.

Why filter base64 output with tr?

Base64 includes + and / and padding = which may be unsafe in URLs or constrained systems; tr replaces or removes those characters.