#key #derivation #function #hkdf #pbkdf2 #bip39 #argon2

key derivation

openssl

List supported KDF algorithms:
openssl list -kdf-algorithms

HKDF (key is the input keying material, info the context label, salt optional):
openssl kdf [-binary] -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret [-kdfopt salt:salt] -kdfopt info:label HKDF

Argon2 (needs OpenSSL 3.2 or newer; the (...) substitutions are fish shell syntax, in bash/zsh write $(...) instead; memcost is in KiB, so 262144 = 256 MiB; the salt is generated on the fly, so keep it or the output cannot be reproduced):
openssl kdf -binary -keylen 64 -kdfopt pass:(echo -n secret) -kdfopt hexsalt:(openssl rand -hex 16) -kdfopt iter:4 -kdfopt memcost:262144 -kdfopt lanes:4 Argon2id | xxd -plain -u -cols 99999

PBKDF2 (BIP39 seed derivation: HMAC-SHA-512, 2048 rounds, 64-byte seed, salt = the literal string "mnemonic" followed by the passphrase):
openssl kdf -keylen 64 -kdfopt digest:sha512 -kdfopt iter:2048 -kdfopt pass:'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about' -kdfopt salt:'mnemonicMYPASSPHRASE' pbkdf2

The salt in HKDF is optional (see here).
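Added example, not part of the original note: a standard-library Python rendering of the HKDF and PBKDF2 calls above. It makes explicit what the one-liners hide, namely that an omitted HKDF salt is replaced by HashLen zero bytes (RFC 5869), and that BIP39 NFKD-normalises the mnemonic and passphrase before PBKDF2, which the openssl command does not do. The inputs (`secret`, `label`, the all-abandon mnemonic, `MYPASSPHRASE`) are the ones from the commands.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional

# HKDF over HMAC-SHA-256, matching `-kdfopt digest:SHA2-256` in the openssl call.
HASH = "sha256"
HASH_LEN = hashlib.new(HASH).digest_size


def hkdf(ikm: bytes, length: int, info: bytes = b"", salt: Optional[bytes] = None) -> bytes:
    """RFC 5869 HKDF-Extract followed by HKDF-Expand."""
    # Extract: an omitted salt is a string of HashLen zero bytes (RFC 5869 s2.2),
    # i.e. a fixed public value, not a random one. Pass a real salt when you have one.
    if salt is None:
        salt = b"\x00" * HASH_LEN
    prk = hmac.new(salt, ikm, HASH).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and cut to `length`.
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF can expand to at most 255 * HashLen bytes")
    blocks = (length + HASH_LEN - 1) // HASH_LEN
    okm, block = b"", b""
    for counter in range(1, blocks + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic"+passphrase, 64 bytes."""
    # BIP39 requires NFKD normalisation of both strings; without it, non-ASCII
    # passphrases can derive a different seed on different systems.
    mnemonic = unicodedata.normalize("NFKD", mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), salt.encode(), 2048, dklen=64)


if __name__ == "__main__":
    # Same inputs as the openssl one-liners above.
    print("hkdf with salt   :", hkdf(b"secret", 10, info=b"label", salt=b"salt").hex())
    print("hkdf without salt:", hkdf(b"secret", 10, info=b"label").hex())
    print("bip39 seed       :", bip39_seed("abandon " * 11 + "about", "MYPASSPHRASE").hex())
```

The HKDF output with `salt:salt` and the PBKDF2 output should match the openssl commands byte for byte (openssl prints the latter as colon-separated hex unless `-binary` is given).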

Which algorithm to use?

From ChatGPT:

If you’re:

  • Deriving from a secure key (like your GPG private key): use HKDF
  • Using a password or passphrase: use PBKDF2 (or even better: Argon2)
  • Working under FIPS/NIST or enterprise compliance: use SSKDF

Argon2: i vs. d vs. id

From ChatGPT:

TL;DR — Which one should you use? ✅ Use Argon2id in almost all cases. It’s the most secure and recommended hybrid — combining the best of both i and d.