Generating an AES key

An AES key is nothing more than a random bitstring of the right length. For a 128-bit AES key you need 16 bytes, for a 256-bit AES key you need 32 bytes.

If you need to generate your own AES key for encrypting data, you should use a good random source. The strength of the key depends on the unpredictability of the random.

mbed TLS includes the CTR-DRBG module and an Entropy Collection module to help you with making an AES key generator for your key.

In order to use you should make sure you have these modules enabled in config.h (MBEDTLS_CTR_DRBG_C and MBEDTLS_ENTROPY_C), see "How do I configure mbed TLS".

Include their headers in your code:

#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"

Then add the following variable definitions to your code:

mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
unsigned char key[32];

char *pers = "aes generate key";
int ret;

The personalization string should be unique to your application in order to add some personalized starting randomness to your random sources.

Create AES key

Then initialize the entropy pool and the random source and extract data for your key. In this case we generate 32 bytes (256 bits) of random data.

mbedtls_entropy_init( &entropy );

mbedtls_ctr_drbg_init( &ctr_drbg );

if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
    (unsigned char *) pers, strlen( pers ) ) ) != 0 )
{
    printf( " failed\n ! mbedtls_ctr_drbg_init returned -0x%04x\n", -ret );
    goto exit;
}

if( ( ret = mbedtls_ctr_drbg_random( &ctr_drbg, key, 32 ) ) != 0 )
{
    printf( " failed\n ! mbedtls_ctr_drbg_random returned -0x%04x\n", -ret );
    goto exit;
}

Now you can use the data in key as a 256-bit AES key.

Did this help?