Need to generate a constant hash key from an ID, or compound ID, but don't want it to be too easy for a 3rd party to brute force generate (assuming they know the ID domain and in a compound the right ordering, and other transformations)? You may be tempted to add a secret string to the key and run it through SHA-256. But this is what HMAC is for and it addresses a specific problem with using just a SHA: length extension attacks.

The wikipedia page on HMAC does the topic justice. The synopsis is that simply concatenating (key || message) or (message || key ) or even (key1 || message || key2 ) all have weaknesses. More to the point, there's no need to consider that approach because HMAC does this job without those problems. A key security point:

The cryptographic strength of the HMAC depends upon the size of the secret key that is used. The most common attack against HMACs is brute force to uncover the secret key. HMACs are substantially less affected by collisions than their underlying hashing algorithms alone.

https://en.wikipedia.org/wiki/HMAC#cite_note-8

How to generate

A simple example using openssl:

% openssl dgst -sha256 -hmac "my key"
foobar
4e77e850fea2bcb0ddf3681d2a0d79cfb7373f4a36b0c5fd7f754d7853f74946

This is not a good key! As the above citation indicates, brute force attacks become impractical with long keys. openssl has PBKDF2 built in for some utilities, but not a way to generate a password only. The enc module purports to have such a feature (-P) but I've been unable to obtain that result.