diff --git a/Console/GenerateEncryptionKey.php b/Console/GenerateEncryptionKey.php
index 756c947..644f2e2 100644
--- a/Console/GenerateEncryptionKey.php
+++ b/Console/GenerateEncryptionKey.php
@@ -18,6 +18,8 @@
class GenerateEncryptionKey extends Command
{
public const INPUT_KEY_FORCE = 'force';
+ public const INPUT_KEY_KEY = 'key';
+ public const INPUT_KEY_KEY_SHORTCUT = 'k';
/**
* @param ChangeEncryptionKeyService $changeEncryptionKey
@@ -51,6 +53,12 @@ protected function configure()
null,
InputOption::VALUE_NONE,
'Whether to force this action to take effect'
+ ),
+ new InputOption(
+ self::INPUT_KEY_KEY,
+ self::INPUT_KEY_KEY_SHORTCUT,
+ InputOption::VALUE_OPTIONAL,
+ 'The new crypt key to use for re-encryption (32 chars). If not set, the new key will be generated'
)
];
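Review bot: `InputOption::VALUE_OPTIONAL` lets a user pass a bare `--key` with no value, which getOption() then returns as null — indistinguishable from omitting the option — so execute() would silently fall back to generating a key instead of reporting the mistake; since the option is meaningless without a value, `InputOption::VALUE_REQUIRED,` makes Symfony reject a bare `--key` up front. The help text promises a 32-character key, but nothing in this hunk or the execute() hunks below checks that, so the text should either be matched by validation in execute() or soften the claim. Because a key given on the command line lands in shell history and is visible to other local users in the process list, the help string would also benefit from a short warning, e.g. appending `(note: the key is visible in shell history and process listings)`. The option array and configure() continue outside the hunk.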
@@ -68,6 +76,14 @@ protected function configure()
*/
protected function execute(InputInterface $input, OutputInterface $output): int
{
+ $newKey = null;
+ if ($input->getOption(self::INPUT_KEY_KEY)) {
+ $newKey = $input->getOption(self::INPUT_KEY_KEY);
+ $output->writeln('The provided crypt key will be used for re-encryption.');
+ } else {
+ $output->writeln('A new key will be generated for re-encryption, use "--key" to specify a custom key.');
+ }
+
if (!$input->getOption(self::INPUT_KEY_FORCE)) {
$output->writeln('Run with --force to generate a new key. This will decrypt and reencrypt values in core_config_data and saved credit card info');
return Cli::RETURN_FAILURE;
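Review bot: The value of `--key` is accepted as the new encryption key without any validation, even though the option help (previous hunk) promises a 32-character key; a too-short or malformed value is handed straight to changeEncryptionKey($newKey) in the last hunk, and whether that service enforces the length is not visible here. The truthiness test `if ($input->getOption(self::INPUT_KEY_KEY))` also treats the string `"0"` as "no key given", so the check should compare against null and the option should be read once. Reading the option into `$newKey`, rejecting a non-32-byte value with `Cli::RETURN_FAILURE` before any re-encryption starts, and keeping the two informational messages otherwise unchanged covers both points. execute() continues outside this hunk.
```php
protected function execute(InputInterface $input, OutputInterface $output): int
{
    $newKey = $input->getOption(self::INPUT_KEY_KEY);
    if ($newKey !== null) {
        // The option help promises a 32-char key; fail early rather than re-encrypt with a malformed one.
        if (strlen((string) $newKey) !== 32) {
            $output->writeln('<error>The --key value must be exactly 32 characters long.</error>');
            return Cli::RETURN_FAILURE;
        }
        $output->writeln('The provided crypt key will be used for re-encryption.');
    } else {
        $output->writeln('A new key will be generated for re-encryption, use "--key" to specify a custom key.');
    }
    // … unchanged: --force check …
```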
@@ -86,7 +102,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
$this->emulation->startEnvironmentEmulation(0, 'adminhtml');
$output->writeln('Generating a new encryption key using the magento core class');
$this->changeEncryptionKey->setOutput($output);
- $this->changeEncryptionKey->changeEncryptionKey();
+ $this->changeEncryptionKey->changeEncryptionKey($newKey);
$this->emulation->stopEnvironmentEmulation();
$output->writeln('Cleaning cache');
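Review bot: The status line `Generating a new encryption key using the magento core class` is now printed even when a caller-supplied key is about to be passed to `changeEncryptionKey($newKey)`, which will confuse anyone reading the output or logs of a `--key` run; making it conditional keeps the output truthful, e.g. `$output->writeln($newKey === null ? 'Generating a new encryption key using the magento core class' : 'Re-encrypting with the provided crypt key using the magento core class');`. `$newKey` is assigned in an earlier hunk, and execute() continues outside this one.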
diff --git a/README.md b/README.md
index 9e419cf..5b01750 100644
--- a/README.md
+++ b/README.md
@@ -32,10 +32,12 @@ This is a rough list of steps that should be followed to prevent attacks with Co
This should be every merchant's **priority!** Install this module and generate a new key with:
-`php bin/magento gene:encryption-key-manager:generate`
+`php bin/magento gene:encryption-key-manager:generate [--key=MY_32_CHAR_CRYPT_KEY]`
This will force the JWT factory to use the newly generated key. Other areas of the application may continue to use the old keys. This step is the absolute priority and will help prevent attacks with CosmicSting.
+> Use the `--key` option to manually define the new key to use during re-encryption. If no custom key is provided, a new key will be generated.
+
## Fully rotate your old keys
1. **Review your database** for any tables with encrypted values. Make sure your dump is `--human-readable` (magerun) or `--extended-insert=FALSE` (mysqldump) so that all values are on the same line as the `INSERT INTO`
@@ -54,8 +56,9 @@ adobe_user_profile
2. **Review functions** using `->hash(` from the encryptor class. Changing the keys will result in a different hash.
3. If you have **custom logic** to handle that, it will be something you need to work that out manually.
3. **Generate a new key** `php bin/magento gene:encryption-key-manager:generate`
- 1. `Magento\Catalog\Model\View\Asset\Image` will continue to use the key at the `0` index
- 1. `Magento\JwtUserToken\Model\SecretBasedJwksFactory` will only use the most recently generated key at the highest index
+ 1. You can specify the new crypt key to use with `php bin/magento gene:encryption-key-manager:generate --key=MY_32_CHAR_CRYPT_KEY`
+ 2. `Magento\Catalog\Model\View\Asset\Image` will continue to use the key at the `0` index
+ 3. `Magento\JwtUserToken\Model\SecretBasedJwksFactory` will only use the most recently generated key at the highest index
4. **Fix missing config values** `php bin/magento gene:encryption-key-manager:reencrypt-unhandled-core-config-data`
1. Re-run to verify `php bin/magento gene:encryption-key-manager:reencrypt-unhandled-core-config-data`
4. **Fix 2FA data** `php bin/magento gene:encryption-key-manager:reencrypt-tfa-data`