On the whitepaper, it says
Every user device (except the primary one) must link itself to the user account. There must already be an primary device registered with Comm that corresponds to the user. The two devices use a QR code to share a 128-bit AES secret key sk, which is used to secure communication between them during the protocol.
Unless I missed something, my understanding was that there was no specific requirements to the key, though feel free to correct me.
(As a side note, I'm noticing its a 128-bit key and not a 256-bit key, so I should probably use crypto.randomBytes(16) instead and update this)
Can we use any random string as an AES-256 key? Or are there some additional requirements?
The key must be exactly 256 bits in length and it just needs to be a random sequence of bytes. No other requirements.