But you can key AES-256 with partial output from SHA-512. You would just split the output in half. But might as well just use SHA-256. I believe it is also debatable if it would be safer to use SHA-512 or SHA-256. I have read some things indicating that SHA-256 would be safer, but one cryptographer I talked with said he would make the case that it is equally safe to use half a SHA-512 output as it is to use an entire SHA-256 output.

The thing is, cryptographic hash functions distill and evenly distribute randomness. At least, this is according to one thing I read a long time ago when I was first learning about cryptographic hashes, and I think it is true. So if you feed SHA-256 1 bit of entropy, the output 256 bits will have 1 bit of entropy evenly distributed throughout them. This is the distributive property of cryptographic hash functions; the distillation property is that if you feed it 1000 bits of data which contain 1 bit of entropy, the output hash will have 1 bit of entropy in 256 bits of data.

So if this is a correct understanding of cryptographic hash functions, it would seem that it would be safer to use SHA-256 to key AES-256, because let's say your password contains 256 bits of entropy. You feed the password to the hash function and the output hash has 256 bits of entropy. If you use SHA-512 and feed it a password with 256 bits of entropy, the output also has 256 bits of entropy, but now it is spread over 512 bits. When you take half of those bits to key AES-256, it would seem like you are only actually getting 128 bits of security, as each bit from the hash function has half a bit of entropy due to the distributive property of cryptographic hash functions.

I am not sure if this happens in practice. From what I have read about cryptographic hashing functions, it seems like it should happen this way, and that it would be safer to use SHA-256 for the hash function to generate a key for AES-256.

But like I said, one cryptographer said he would argue that both methods are equally secure.
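The question raised in the post can be checked empirically at small scale. The following is an added example, not part of the original post: it enumerates every secret in a 16-bit space, derives a 32-byte key with full SHA-256 and with the first half of SHA-512, and measures the Shannon entropy of the resulting keys. The function names, the 16-bit secret space and the 125-byte (1000-bit) padded input are assumptions constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def derived_key_entropy(hash_name, entropy_bits, key_bytes, pad_to=125):
    """Entropy of keys derived from 2**entropy_bits equally likely secrets.

    Each constructed secret is a 1000-bit (125-byte) message in which only
    `entropy_bits` bits vary. The key is the first `key_bytes` bytes of the
    digest, which is how half a SHA-512 output would key AES-256.
    """
    keys = []
    for i in range(2 ** entropy_bits):
        secret = i.to_bytes(4, "big").rjust(pad_to, b"\x00")
        keys.append(hashlib.new(hash_name, secret).digest()[:key_bytes])
    return shannon_entropy_bits(keys)


if __name__ == "__main__":
    bits = 16
    # Full SHA-256 output used as a 32-byte key
    print("SHA-256, 32-byte key:", derived_key_entropy("sha256", bits, 32))
    # First half of SHA-512 output used as a 32-byte key
    print("SHA-512, first 32 bytes:", derived_key_entropy("sha512", bits, 32))
    # Truncating below the input entropy: the key length becomes the cap
    print("SHA-512, first 1 byte:", derived_key_entropy("sha512", bits, 1))
```

In this experiment both 32-byte derivations keep all 16 bits of input entropy, and entropy is lost only when the key is truncated to fewer bits than the input entropy.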