Usage in Deno
import { pbkdf2 } from "node:crypto";
pbkdf2(password: BinaryLike,salt: BinaryLike,iterations: number,keylen: number,digest: string,callback: (err: Error | null,derivedKey: Buffer,) => void,): void
Provides an asynchronous Password-Based Key Derivation Function 2 (PBKDF2)
implementation. A selected HMAC digest algorithm specified by digest
is
applied to derive a key of the requested byte length (keylen
) from thepassword
, salt
and iterations
.
The supplied callback
function is called with two arguments: err
andderivedKey
. If an error occurs while deriving the key, err
will be set;
otherwise err
will be null
. By default, the successfully generatedderivedKey
will be passed to the callback as a Buffer
. An error will be
thrown if any of the input arguments specify invalid values or types.
The iterations
argument must be a number set as high as possible. The
higher the number of iterations, the more secure the derived key will be,
but will take a longer amount of time to complete.
The salt
should be as unique as possible. It is recommended that a salt is
random and at least 16 bytes long. See NIST SP 800-132 for details.
When passing strings for password
or salt
, please consider caveats when using strings as inputs to cryptographic APIs
.
const { pbkdf2, } = await import('node:crypto'); pbkdf2('secret', 'salt', 100000, 64, 'sha512', (err, derivedKey) => { if (err) throw err; console.log(derivedKey.toString('hex')); // '3745e48...08d59ae' });
An array of supported digest functions can be retrieved using getHashes.
This API uses libuv's threadpool, which can have surprising and
negative performance implications for some applications; see the UV_THREADPOOL_SIZE
documentation for more information.
password: BinaryLike
salt: BinaryLike
void