Secrets are best created with random data. Thus, there is no external data that could help an attacker infer or guess part or all of a key. Of course, this depends on how much protection your secret key needs. Java includes some random number generators in java.util.Random (with JDK 1.0). Unless you have backward compatibility issues, Java 6 has java.security.SecureRandom that complies with FIPS 140-2 requirements. Java libraries are not really random, but this is probably good enough for most applications. If you need the best random data, you should go for a hardware-based random generator.
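An added example, not part of the original answer, contrasting the two classes it names when the output is used as a secret key. The class name, the 32-byte key size and the sample seed are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class SecretKeyDemo {
    static final int KEY_BYTES = 32; // assumed key size: 256 bits

    // java.util.Random is a deterministic generator driven by a 48-bit seed.
    // Anyone who learns or guesses the seed regenerates the same "key".
    static byte[] keyFromUtilRandom(long seed) {
        byte[] key = new byte[KEY_BYTES];
        new Random(seed).nextBytes(key);
        return key;
    }

    // java.security.SecureRandom seeds itself from the platform's entropy
    // source, so there is no caller-visible seed to guess.
    static byte[] keyFromSecureRandom(SecureRandom rng) {
        byte[] key = new byte[KEY_BYTES];
        rng.nextBytes(key);
        return key;
    }

    public static void main(String[] args) {
        // Constructed sample seed that looks like a millisecond timestamp,
        // i.e. external data an attacker could narrow down.
        long seed = 1700000000000L;
        byte[] a = keyFromUtilRandom(seed);
        byte[] b = keyFromUtilRandom(seed);
        System.out.println("java.util.Random, same seed gives same key: "
                + Arrays.equals(a, b));

        // Create one SecureRandom and reuse it for every key.
        SecureRandom rng = new SecureRandom();
        byte[] k1 = keyFromSecureRandom(rng);
        byte[] k2 = keyFromSecureRandom(rng);
        System.out.println("SecureRandom, two keys are equal: "
                + Arrays.equals(k1, k2));
        System.out.println("key length in bits: " + k1.length * 8);

        // Overwrite key material once it is no longer needed.
        Arrays.fill(k1, (byte) 0);
        Arrays.fill(k2, (byte) 0);
    }
}
```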