key derivation

openssl
List supported algorithms
openssl list -kdf-algorithms
HKDF
openssl kdf [-binary] -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret [-kdfopt salt:salt] -kdfopt info:label HKDF
Argon2
openssl kdf -keylen 16 -kdfopt pass:secret -kdfopt salt:saltsalt -kdfopt iter:2048 -kdfopt memcost:8 Argon2id

The salt in HKDF is optional, which is why -kdfopt salt:salt is shown in brackets above.
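To see what the HKDF command above actually computes, here is an added example (not part of the original notes) that implements HKDF per RFC 5869 in plain Python, checks it against the RFC's published SHA-256 test vector, and shows what omitting the salt means. The function and variable names are my own; "secret", "salt" and "label" are the inputs from the openssl command on this page.

```python
import hashlib
import hmac

# Added example (not from the page): HKDF per RFC 5869 in plain Python, computing
# the same thing as `openssl kdf ... HKDF`, so the optional-salt behaviour can be
# checked against the RFC's published test vector.

def hkdf_extract(salt, ikm, hash_name="sha256"):
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM).
    RFC 5869 2.2: an absent salt is a string of HashLen zero bytes, which is
    what omitting `-kdfopt salt:` from the openssl command amounts to."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()

def hkdf_expand(prk, info, length, hash_name="sha256"):
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i); OKM = first `length` bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF can output at most 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf(ikm, length, salt=b"", info=b"", hash_name="sha256"):
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)

def rfc5869_test_case_1():
    """Inputs of RFC 5869 test case 1 (SHA-256, L=42); expected OKM starts 3cb25f25..."""
    return hkdf(bytes([0x0B] * 22), 42, bytes(range(0x0D)), bytes(range(0xF0, 0xFA)))

def page_command_equivalent():
    """Same inputs as the page's HKDF command: key:secret, salt:salt, info:label, keylen 10."""
    return hkdf(b"secret", 10, b"salt", b"label")

def omitted_salt_equals_zero_salt():
    """An omitted salt yields the same key as an explicit salt of HashLen zero bytes."""
    return hkdf(b"secret", 32, b"", b"label") == hkdf(b"secret", 32, b"\x00" * 32, b"label")

if __name__ == "__main__":
    print(rfc5869_test_case_1().hex())
    print(page_command_equivalent().hex())
    print(omitted_salt_equals_zero_salt())
```

With openssl installed, `openssl kdf -binary -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret -kdfopt salt:salt -kdfopt info:label HKDF | xxd -p` should print the same bytes as page_command_equivalent().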

Which algorithm to use?

From ChatGPT:

If you’re:

  • Deriving from a secure key (like your GPG private key): use HKDF
  • Using a password or passphrase: use PBKDF2 (or even better: Argon2)
  • Working under FIPS/NIST or enterprise compliance: use SSKDF

Argon2: i vs. d vs. id

From ChatGPT:

TL;DR — Which one should you use? ✅ Use Argon2id in almost all cases. It’s the most secure and recommended hybrid — combining the best of both i and d.