# HKDFExtract()

First step of two-phase HKDF key derivation: concentrates the entropy from a secret into a fixed-size pseudorandom key (PRK) whose length matches the output size of the chosen hash algorithm.

Use with HKDFExpand() to efficiently derive multiple keys from the same secret.

**Requires Extension:** [Crypto Extension](https://download.lucee.org/#17AB52DE-B300-A94B-E058FC978BE4542D)

```
HKDFExtract( algorithm=string, salt=any, inputKeyMaterial=any );
```

**Returns:** binary

# Arguments

| Argument | Type | Required | Description | Default |
|----------|------|----------|-------------|---------|
| algorithm | string | Yes | Hash algorithm: SHA256, SHA384, or SHA512 |  |
| salt | any | Yes | Salt value (can be empty string or null) |  |
| inputKeyMaterial | any | Yes | Input key material (secret) |  |

# Examples

```cfml
// HKDFExtract is the first phase of HKDF: it concentrates the entropy from the input
// into a pseudorandom key (PRK). Use this when you need to derive multiple keys
// from the same secret (more efficient than calling GenerateHKDFKey multiple times).

// Extract a pseudorandom key from a secret and salt
prk = HKDFExtract( "SHA256", "salt", "my-secret-input" );
// prk is a 32-byte binary value (matches the hash output size)

// Then use HKDFExpand to derive multiple keys from the same PRK.
// Each distinct info string yields a separate output; the same PRK and info
// string always yield the same bytes.
encKey = HKDFExpand( "SHA256", prk, "encryption key", 32 );
authKey = HKDFExpand( "SHA256", prk, "authentication key", 32 );
ivBytes = HKDFExpand( "SHA256", prk, "iv", 16 );

// This two-phase approach is equivalent to calling GenerateHKDFKey separately
// but more efficient when deriving multiple keys from the same input

// SHA384 produces a 48-byte PRK, SHA512 produces a 64-byte PRK
prk384 = HKDFExtract( "SHA384", "salt", "secret" ); // 48 bytes
prk512 = HKDFExtract( "SHA512", "salt", "secret" ); // 64 bytes
```
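What the two phases compute, shown as an added Python example of the HKDF algorithm from RFC 5869; this is not the Crypto Extension's code, and the function names and the constructed inputs are assumptions. The page does not state how the extension converts string arguments to bytes, so these functions take bytes directly, and the RFC 5869 test vector is used to check the result.

```python
import hashlib
import hmac


def hkdf_extract(hash_name: str, salt: bytes, ikm: bytes) -> bytes:
    """Extract phase: PRK = HMAC-Hash(key=salt, msg=IKM)."""
    if not salt:
        # RFC 5869: a missing salt is replaced by HashLen zero bytes.
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(hash_name: str, prk: bytes, info: bytes, length: int) -> bytes:
    """Expand phase: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), concatenated."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length must be between 1 and 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(secret: bytes, salt: bytes) -> dict:
    """One extract, then one expand per purpose (labels taken from the page)."""
    prk = hkdf_extract("sha256", salt, secret)
    return {
        "enc": hkdf_expand("sha256", prk, b"encryption key", 32),
        "auth": hkdf_expand("sha256", prk, b"authentication key", 32),
        "iv": hkdf_expand("sha256", prk, b"iv", 16),
    }


# RFC 5869 Appendix A.1 test vector (SHA-256), used to check both phases.
RFC_IKM = bytes.fromhex("0b" * 22)
RFC_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
RFC_PRK = "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"

if __name__ == "__main__":
    print(hkdf_extract("sha256", RFC_SALT, RFC_IKM).hex() == RFC_PRK)
    keys = derive_keys(b"my-secret-input", b"salt")  # constructed sample input
    for name, value in keys.items():
        print(name, len(value), value.hex())
```

Because the derivation is deterministic, repeating it with the same secret and salt reproduces every output, including the bytes labelled `iv`.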







# Categories

[Cryptography](../../categories/crypto.md)

# See Also

[GenerateHKDFKey()](generatehkdfkey.md), [HKDFExpand()](hkdfexpand.md)