key derivation
openssl
List supported algorithms
openssl list -kdf-algorithms
HKDF
openssl kdf [-binary] -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret [-kdfopt salt:salt] -kdfopt info:label HKDF
Argon2
openssl kdf -keylen 16 -kdfopt pass:secret -kdfopt salt:saltsalt -kdfopt iter:2048 -kdfopt memcost:8 Argon2id
The salt in HKDF is optional, see here.
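HKDF-SHA256 written out from RFC 5869 as an added example (not part of the original notes), showing why the salt can be left out and what keylen and info actually change. The inputs secret, salt and label mirror the HKDF command above; the function names are chosen here for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(ikm: bytes, salt: bytes = b"") -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM)."""
    # A missing salt is defined as HashLen zero bytes, which is why
    # the salt kdfopt is optional in the openssl command.
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: stretch PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) | info | n)
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    return hkdf_expand(hkdf_extract(ikm, salt), info, length)


if __name__ == "__main__":
    # Constructed inputs, same values as the openssl HKDF command above.
    print("with salt   :", hkdf(b"secret", b"label", 10, b"salt").hex())
    print("without salt:", hkdf(b"secret", b"label", 10).hex())
    # Changing only the length does NOT give an independent key:
    # the 10-byte output is a prefix of the 32-byte output.
    print("32 bytes    :", hkdf(b"secret", b"label", 32).hex())
    # A different info label does give an unrelated key.
    print("other label :", hkdf(b"secret", b"other", 10).hex())
```

To derive several keys from one secret, vary the info label per purpose rather than the key length.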
Which algorithm to use?
From ChatGPT:
If you’re:
- Deriving from a secure key (like your GPG private key): use HKDF
- Using a password or passphrase: use PBKDF2 (or even better: Argon2)
- Working under FIPS/NIST or enterprise compliance: use SSKDF
Argon2: i vs. d vs. id
From ChatGPT:
TL;DR — Which one should you use?
✅ Use Argon2id in almost all cases. It’s the most secure and recommended hybrid — combining the best of both i and d.