diff --git a/MANIFEST.SKIP b/MANIFEST.SKIP index 84829ce43..ecbf12e2c 100644 --- a/MANIFEST.SKIP +++ b/MANIFEST.SKIP @@ -50,6 +50,6 @@ nodist/ /simv.daidir/ /vc_hdrs.h$ /csrc/ -obj_dir/.* +obj_dir.* TAGS .*~ diff --git a/bin/verilator b/bin/verilator index 58a5bd21f..fa3ecda1f 100755 --- a/bin/verilator +++ b/bin/verilator @@ -312,6 +312,7 @@ detailed descriptions in L for more information. -G= Overwrite toplevel parameter --gdb Run Verilator under GDB interactively --gdbbt Run Verilator under GDB for backtrace + --generate-key Create random key for --protect-key --getenv Get environment variable with defaults --help Display this help -I Directory to search for includes @@ -864,6 +865,11 @@ backtrace on exit, then exit GDB immediately. Without --debug or if GDB doesn't seem to work, this flag is ignored. Intended for easy creation of backtraces by users; otherwise see the --gdb flag. +=item --generate-key + +Generate a true-random key suitable for use with --protect-key, print it, +and exit immediately. + =item --getenv I If the variable is declared in the environment, print it and exit @@ -1159,10 +1165,10 @@ this into a nicer visual format and produce some related statistics. =item --protect-key I Specifies the private key for --protect-ids. For best security this key -should be 16 or more random bytes, a reasonable medium-security choice is -the output of uuidgen. Typically, a key would be created by the user once -for a given protected design library, then every Verilator run for -subsequent versions of that library would be passed the same +should be 16 or more random bytes, a reasonable secure choice is the output +of C. Typically, a key would be created by the +user once for a given protected design library, then every Verilator run +for subsequent versions of that library would be passed the same --protect-key. Thus, if the input Verilog is similar between library versions (Verilator runs), the Verilated code will likewise be mostly similar. 
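Review bot: The rewritten --protect-key paragraph, and the new --generate-key item above it, never say that the key has to be handled as a secret once it exists. --generate-key prints the key to standard output and --protect-key takes it as a command-line argument, so it can end up in captured build logs or be visible in the process list on a shared build machine. I would add a sentence to the --protect-key item such as `Treat the key as a secret: keep the --generate-key output out of shared logs, and prefer passing --protect-key from an access-restricted -f argument file.`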
diff --git a/src/V3Options.cpp b/src/V3Options.cpp index 735b710af..1b8431cc4 100644 --- a/src/V3Options.cpp +++ b/src/V3Options.cpp @@ -569,7 +569,7 @@ string V3Options::protectKeyDefaulted() { // Create a key with a human-readable symbol-like name. // This conversion drops ~2 bits of entropy out of 256, shouldn't matter. VHashSha256 digest (V3Os::trueRandom(32)); - m_protectKey = digest.digestSymbol(); + m_protectKey = "VL-KEY-"+digest.digestSymbol(); } return m_protectKey; } @@ -858,6 +858,10 @@ void V3Options::parseOptsList(FileLine* fl, const string& optdir, int argc, char shift; m_gateStmts = atoi(argv[i]); } + else if (!strcmp(sw, "-generate-key")) { + cout< 1); + +compile( + v_flags2 => ["--generate-key"], + expect => qr/VL-KEY/, + verilator_make_gmake => 0, + make_top_shell => 0, + make_main => 0, + ); + +ok(1); +1; diff --git a/test_regress/t/t_protect_ids.pl b/test_regress/t/t_protect_ids.pl index cff3e8341..b107ea36c 100755 --- a/test_regress/t/t_protect_ids.pl +++ b/test_regress/t/t_protect_ids.pl @@ -21,6 +21,7 @@ foreach my $filename (glob ("$Self->{obj_dir}/*_PS*.cpp" compile( verilator_flags2 => ["--protect-ids", + "--protect-key SECRET_KEY", "--trace", "--coverage", "-Wno-INSECURE", @@ -39,10 +40,10 @@ if ($Self->{vlt_all}) { # Check for secret in any outputs my $any; foreach my $filename (glob $Self->{obj_dir}."/*.[ch]*") { - if ($filename =~ /secret/) { + if ($filename =~ /secret/i) { $Self->error("Secret found in a filename: ".$filename); } - file_grep_not($filename, qr/secret/); + file_grep_not($filename, qr/secret/i); $any = 1; } $any or $Self->error("No outputs found"); diff --git a/test_regress/t/t_protect_ids_key.out b/test_regress/t/t_protect_ids_key.out index 173c1b1e0..036238fb8 100644 --- a/test_regress/t/t_protect_ids_key.out +++ b/test_regress/t/t_protect_ids_key.out @@ -1,41 +1,41 @@ - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
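Review bot: The comment above the changed line in protectKeyDefaulted() still only discusses the ~2 bits lost in digestSymbol(), and nothing says that the new `"VL-KEY-"` prefix is a fixed, non-secret tag. A comment such as `// "VL-KEY-" is a constant, non-secret marker; all key entropy comes from V3Os::trueRandom(32)` would stop a later reader from counting the prefix toward key strength. The new regression test further down matches only `qr/VL-KEY/`, so it would still pass if the random part were empty; `expect => qr/VL-KEY-\S+/` would at least pin that something follows the tag. The function starts before this hunk, and the `-generate-key` branch in the next hunk is cut off after `cout<` in this capture, so what it prints is not reviewed here.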
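Review bot: The leak check in the second t_protect_ids.pl hunk only reads files matching `*.[ch]*`, so the key now passed as `--protect-key SECRET_KEY` is never looked for in any other file written to obj_dir. Original identifiers may legitimately appear in some outputs, but the key should appear in none, so a key-specific pass over every regular file would be a stronger guard: `file_grep_not($_, qr/SECRET_KEY/) foreach grep { -f } glob($Self->{obj_dir}."/*");`. Whether any non-C output records the command line is not visible here, so this check might surface an existing leak rather than simply pass. The `compile(` call and the `foreach` loop both extend outside their hunks.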
diff --git a/test_regress/t/t_protect_ids_key.pl b/test_regress/t/t_protect_ids_key.pl
index b51e8cd7b..503b3d5bd 100755
--- a/test_regress/t/t_protect_ids_key.pl
+++ b/test_regress/t/t_protect_ids_key.pl
@@ -12,7 +12,7 @@ scenarios(vlt => 1);
 top_filename("t/t_protect_ids.v");
 compile(
- verilator_flags2 => ["--protect-ids --protect-key MY_KEY",
+ verilator_flags2 => ["--protect-ids --protect-key SECRET_KEY",
 "t/t_protect_ids_c.cpp"],
 );