diff --git a/src/SecurityTokenService/Program.cs b/src/SecurityTokenService/Program.cs
index 3c9c2f2..445544c 100644
--- a/src/SecurityTokenService/Program.cs
+++ b/src/SecurityTokenService/Program.cs
@@ -1,8 +1,8 @@
 using System;
 using System.IO;
 using System.Linq;
+using System.Security.Cryptography;
 using System.Text;
-using IdentityServer4.Models;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Hosting;
@@ -15,8 +15,14 @@ public class Program
     {
         public static void Main(string[] args)
         {
-            var secret = "secret".Sha256();
-            Console.WriteLine($"Secret: {secret}");
+            if (args.Contains("--g-aes-key"))
+            {
+                using Aes aes = Aes.Create();
+                aes.KeySize = 128; // 可以设置为 128、192 或 256 位
+                aes.GenerateKey();
+                Console.WriteLine("生成的 AES 密钥: " + Convert.ToBase64String(aes.Key));
+            }
+
             Encoding.RegisterProvider(CodePagesEncodingProvider.Instance);
 
             CreateHostBuilder(args).Build().Run();
diff --git a/src/SecurityTokenService/Startup.cs b/src/SecurityTokenService/Startup.cs
index 1110db5..42238fb 100644
--- a/src/SecurityTokenService/Startup.cs
+++ b/src/SecurityTokenService/Startup.cs
@@ -44,6 +44,14 @@ public void ConfigureServices(IServiceCollection services)
             // {
             //     keysFolder.Create();
             // }
+            // comments by lewis at 20240222
+            // 必须是 128、256 位
+
+            var dataProtectionKey = Configuration["DataProtection:Key"];
+            if (!string.IsNullOrEmpty(dataProtectionKey))
+            {
+                Util.DataProtectionKeyAes.Key = Encoding.UTF8.GetBytes(dataProtectionKey);
+            }
 
             services.AddControllers();
 
@@ -93,15 +101,6 @@ public void ConfigureServices(IServiceCollection services)
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
         public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         {
-            // comments by lewis at 20240222
-            // 必须是 128、256 位
-
-            var dataProtectionKey = Configuration["DataProtection:Key"];
-            if (!string.IsNullOrEmpty(dataProtectionKey))
-            {
-                Util.DataProtectionKeyAes.Key = Encoding.UTF8.GetBytes(dataProtectionKey);
-            }
-
             var logger = app.ApplicationServices.GetRequiredService<ILoggerFactory>().CreateLogger("Startup");
             IdentitySeedData.Load(app);
 
diff --git a/src/SecurityTokenService/appsettings.json b/src/SecurityTokenService/appsettings.json
index 0a63043..df7ef93 100644
--- a/src/SecurityTokenService/appsettings.json
+++ b/src/SecurityTokenService/appsettings.json
@@ -59,7 +59,7 @@
     }
   },
   "DataProtection": {
-    "Key": "yD7wZi7jefkVwLM5"
+    "Key": ""
   },
   "Aliyun": {
     "AccessKey": "",