GenerateHKDFKey()
Derives cryptographic key material from a secret using HKDF (HMAC-based Key Derivation Function).
Use this to turn a shared secret or master key into one or more strong encryption keys.
Requires Extension: Crypto Extension
GenerateHKDFKey( algorithm=string, inputKeyMaterial=any, salt=any, info=any, outputLength=numeric );
Returns: binary
| Argument | Description |
|---|---|
| algorithm (string, required) | Hash algorithm: SHA256, SHA384, or SHA512 |
| inputKeyMaterial (any, required) | Input key material (secret) |
| salt (any, required) | Salt value (can be empty string or null) |
| info (any, required) | Context/application info (can be empty string or null) |
| outputLength (numeric, required) | Number of bytes to derive |
Usage Notes
HKDF is for deriving cryptographic keys from existing key material (e.g. a Diffie-Hellman shared secret, a master key, or a high-entropy random value). It is NOT suitable for password hashing; use Argon2Hash() or BCryptHash() for passwords.
Use GenerateHKDFKey() when you need a single derived key. If you need multiple keys from the same input (e.g. separate encryption and authentication keys), use the two-phase API (HKDFExtract() + HKDFExpand()) which is more efficient than calling GenerateHKDFKey multiple times.
The info parameter provides context separation — different info strings produce different keys from the same input. Use descriptive strings like "encryption key" or "authentication key".
Examples
// HKDF (HMAC-based Key Derivation Function) derives strong key material from a secret
// Common use: turning a shared secret or master key into one or more encryption keys
// (not for passwords: use Argon2Hash() or BCryptHash() for those)
// One-shot key derivation: algorithm, input key material, salt, info, output length
key = GenerateHKDFKey( "SHA256", "my-secret", "random-salt", "encryption", 32 );
// key is a 32-byte binary value suitable for AES-256
// HKDF is deterministic - same inputs always produce the same key
key1 = GenerateHKDFKey( "SHA256", "secret", "salt", "info", 32 );
key2 = GenerateHKDFKey( "SHA256", "secret", "salt", "info", 32 );
// key1 == key2
// Use different "info" strings to derive multiple keys from the same secret
// This is how you'd create separate keys for different purposes
encKey = GenerateHKDFKey( "SHA256", "master-secret", "salt", "encryption", 32 );
authKey = GenerateHKDFKey( "SHA256", "master-secret", "salt", "authentication", 32 );
// encKey != authKey
// Supports SHA256, SHA384, and SHA512
key = GenerateHKDFKey( "SHA384", "secret", "salt", "info", 48 );
key = GenerateHKDFKey( "SHA512", "secret", "salt", "info", 64 );
// Salt and info can be empty strings (but providing them is recommended)
key = GenerateHKDFKey( "SHA256", "secret", "", "", 32 );
// Binary input is also accepted
ikm = charsetDecode( "secret", "utf-8" );
salt = charsetDecode( "salt", "utf-8" );
key = GenerateHKDFKey( "SHA256", ikm, salt, "info", 32 );
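The usage notes above describe a one-shot call and a two-phase extract/expand route. The following added example is a Python sketch of RFC 5869 HKDF showing what each phase computes; it is not Lucee's code, and it assumes GenerateHKDFKey() follows that RFC. The names hkdf_extract, hkdf_expand, hkdf and derive_key_set are hypothetical.

```python
import hashlib
import hmac

def hkdf_extract(algorithm: str, ikm: bytes, salt: bytes = b"") -> bytes:
    """Phase 1 (extract): condense the input key material into a PRK."""
    name = algorithm.lower()
    hash_len = hashlib.new(name).digest_size
    # RFC 5869: an empty or absent salt means HashLen zero bytes.
    return hmac.new(salt or bytes(hash_len), ikm, name).digest()

def hkdf_expand(algorithm: str, prk: bytes, info: bytes, length: int) -> bytes:
    """Phase 2 (expand): stretch the PRK into `length` bytes bound to `info`."""
    name = algorithm.lower()
    hash_len = hashlib.new(name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError(f"length must be 1..{255 * hash_len} for {algorithm}")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        # T(n) = HMAC(PRK, T(n-1) || info || n); info is mixed into every block.
        block = hmac.new(prk, block + info + bytes([counter]), name).digest()
        okm += block
        counter += 1
    return okm[:length]

def hkdf(algorithm: str, ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """One-shot derivation: extract, then expand once."""
    return hkdf_expand(algorithm, hkdf_extract(algorithm, ikm, salt), info, length)

def derive_key_set(algorithm: str, ikm: bytes, salt: bytes, labels, length: int) -> dict:
    """Two-phase derivation: one extract shared by an expand per info label."""
    prk = hkdf_extract(algorithm, ikm, salt)
    return {label: hkdf_expand(algorithm, prk, label.encode(), length) for label in labels}

if __name__ == "__main__":
    # Constructed sample values, not real key material.
    master = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    keys = derive_key_set("SHA256", master, salt, ["encryption key", "authentication key"], 32)
    for label, key in keys.items():
        print(f"{label}: {key.hex()}")
```

Running the same inputs through an independent implementation like this is a quick interoperability check when keys derived in Lucee must match keys derived by another system.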
See also
- Cryptography
- HKDFExpand()
- HKDFExtract()
- Search Issue Tracker
- Search Lucee Test Cases (good for further, detailed examples)