# GenerateHKDFKey() Derives cryptographic key material from a secret using HKDF (HMAC-based Key Derivation Function). Use this to turn a shared secret or master key into one or more strong encryption keys. **Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D) ``` GenerateHKDFKey( algorithm=string, inputKeyMaterial=any, salt=any, info=any, outputLength=numeric ); ``` **Returns:** binary # Arguments | Argument | Type | Required | Description | Default | |----------|------|----------|-------------|---------| | algorithm | string | Yes | Hash algorithm: SHA256, SHA384, or SHA512 | | | inputKeyMaterial | any | Yes | Input key material (secret) | | | salt | any | Yes | Salt value (can be empty string or null) | | | info | any | Yes | Context/application info (can be empty string or null) | | | outputLength | numeric | Yes | Number of bytes to derive | | # Usage Notes HKDF is for deriving cryptographic keys from existing key material (e.g. a Diffie-Hellman shared secret, a master key, or a high-entropy random value). **It is NOT suitable for password hashing** — use [Argon2Hash()](argon2hash.md) or [BCryptHash()](bcrypthash.md) for passwords. Use [GenerateHKDFKey()](generatehkdfkey.md) when you need a single derived key. If you need multiple keys from the same input (e.g. separate encryption and authentication keys), use the two-phase API ([HKDFExtract()](hkdfextract.md) + [HKDFExpand()](hkdfexpand.md)) which is more efficient than calling GenerateHKDFKey multiple times. The `info` parameter provides context separation — different info strings produce different keys from the same input. Use descriptive strings like "encryption key" or "authentication key". # Examples ```cfml // HKDF (HMAC-based Key Derivation Function) derives strong key material from a secret // Common use: turning a password or shared secret into one or more encryption keys // One-shot key derivation: algorithm, input key material, salt, info, output length key = GenerateHKDFKey( "SHA256", "my-secret", "random-salt", "encryption", 32 ); // key is a 32-byte binary value suitable for AES-256 // HKDF is deterministic - same inputs always produce the same key key1 = GenerateHKDFKey( "SHA256", "secret", "salt", "info", 32 ); key2 = GenerateHKDFKey( "SHA256", "secret", "salt", "info", 32 ); // key1 == key2 // Use different "info" strings to derive multiple keys from the same secret // This is how you'd create separate keys for different purposes encKey = GenerateHKDFKey( "SHA256", "master-secret", "salt", "encryption", 32 ); authKey = GenerateHKDFKey( "SHA256", "master-secret", "salt", "authentication", 32 ); // encKey != authKey // Supports SHA256, SHA384, and SHA512 key = GenerateHKDFKey( "SHA384", "secret", "salt", "info", 48 ); key = GenerateHKDFKey( "SHA512", "secret", "salt", "info", 64 ); // Salt and info can be empty strings (but providing them is recommended) key = GenerateHKDFKey( "SHA256", "secret", "", "", 32 ); // Binary input is also accepted ikm = charsetDecode( "secret", "utf-8" ); salt = charsetDecode( "salt", "utf-8" ); key = GenerateHKDFKey( "SHA256", ikm, salt, "info", 32 ); ``` # Categories [Cryptography](../../categories/crypto.md) # See Also [HKDFExpand()](hkdfexpand.md), [HKDFExtract()](hkdfextract.md)