This does not get enough attention.
Out of the box, ColdFusion does not have strong encryption and will not generate keys longer than 128 bits. You must upgrade the underlying Java library's policy files to gain access to strong encryption. Currently the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 download is located here. Download the file, decompress it, and then replace the existing US_export_policy.jar and local_policy.jar files in your ColdFusion install with the ones you've just downloaded. After restarting ColdFusion you will be able to use the GenerateSecretKey function to create keys stronger than 128 bits.
This has been tested to work with CF8 & CF9.
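To confirm the replacement took effect after the restart, the following check asks the JCE what key length the installed policy allows and then round-trips a 256-bit AES key. It is an added example, not code from the original post; it assumes CF8 or CF9 (where GenerateSecretKey accepts a key length), and the variable names and sample plaintext are constructed for illustration.

```cfml
<cfscript>
// Added verification example; not part of the original post.
// Ask the JCE what the installed policy files permit for AES.
// Limited-strength policy reports 128; unlimited reports 2147483647.
maxAes = createObject("java", "javax.crypto.Cipher").getMaxAllowedKeyLength("AES");
writeOutput("Max AES key length allowed by policy: " & maxAes & "<br>");

if (maxAes LT 256) {
    // Usual causes: only one of the two jars was replaced, the jars went
    // into a different JRE than the one ColdFusion runs on, or no restart.
    writeOutput("Policy is still limited to " & maxAes & " bits.<br>");
} else {
    // GenerateSecretKey returns the key Base64-encoded; decode it to
    // confirm the real key size instead of trusting the argument.
    key = generateSecretKey("AES", 256);
    keyBits = arrayLen(binaryDecode(key, "Base64")) * 8;
    writeOutput("Generated key length: " & keyBits & " bits<br>");

    // Round trip with the new key. Under the limited policy this
    // Encrypt call is where a 256-bit key would be rejected.
    sample = "constructed sample plaintext";
    enc = encrypt(sample, key, "AES/CBC/PKCS5Padding", "Base64");
    dec = decrypt(enc, key, "AES/CBC/PKCS5Padding", "Base64");
    writeOutput("Round trip OK: " & yesNoFormat(compare(sample, dec) EQ 0) & "<br>");
}
</cfscript>
```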
Replacing the files did not cause errors in CF7, but in CF7 the GenerateSecretKey function takes only one argument, the encryption algorithm, and does not allow a key length to be specified. Perhaps those of you who know Java will be able to access the underlying encryption library directly and still get it to work in CF7?
UPDATE: I tried this and it still seems to not work.
UPDATE: Per Jason Dean’s comment below: for this to work in CF7 you need to use a different library. The strong encryption library for CF7 can be downloaded here.