xref: /freebsd/secure/usr.bin/openssl/man/openssl-kdf.1 (revision cccdaf507eee8fb34494b4624eb85bb951e323c8)
Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)

Standard preamble:
========================================================================
..
..
.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF
Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "OPENSSL-KDF 1"
OPENSSL-KDF 1 "2023-06-02" "3.0.9" "OpenSSL"
For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
"NAME"
openssl-kdf - perform Key Derivation Function operations
"SYNOPSIS"
Header "SYNOPSIS" \fBopenssl kdf [-help] [-cipher] [-digest] [-mac] [-kdfopt nm:v] [-keylen num] [-out filename] [-binary] [-provider name] [-provider-path path] [-propquery propq] \fIkdf_name
"DESCRIPTION"
Header "DESCRIPTION" The key derivation functions generate a derived key from either a secret or password.
"OPTIONS"
Header "OPTIONS"
"-help" 4
Item "-help" Print a usage message.
"-keylen num" 4
Item "-keylen num" The output size of the derived key. This field is required.
"-out filename" 4
Item "-out filename" Filename to output to, or standard output by default.
"-binary" 4
Item "-binary" Output the derived key in binary form. Uses hexadecimal text format if not specified.
"-cipher name" 4
Item "-cipher name" Specify the cipher to be used by the \s-1KDF.\s0 Not all KDFs require a cipher and it is an error to use this option in such cases.
"-digest name" 4
Item "-digest name" Specify the digest to be used by the \s-1KDF.\s0 Not all KDFs require a digest and it is an error to use this option in such cases. To see the list of supported digests, use \*(C`openssl list -digest-commands\*(C'.
"-mac name" 4
Item "-mac name" Specify the \s-1MAC\s0 to be used by the \s-1KDF.\s0 Not all KDFs require a \s-1MAC\s0 and it is an error to use this option in such cases.
"-kdfopt nm:v" 4
Item "-kdfopt nm:v" Passes options to the \s-1KDF\s0 algorithm. A comprehensive list of parameters can be found in the \s-1EVP_KDF_CTX\s0 implementation documentation. Common parameter names used by EVP_KDF_CTX_set_params() are:

"key:string" 4
Item "key:string" Specifies the secret key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the \s-1KDF\s0 algorithm. A key must be specified for most \s-1KDF\s0 algorithms.
"hexkey:string" 4
Item "hexkey:string" Specifies the secret key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the \s-1KDF\s0 algorithm. A key must be specified for most \s-1KDF\s0 algorithms.
"pass:string" 4
Item "pass:string" Specifies the password as an alphanumeric string (use if the password contains printable characters only). The password must be specified for \s-1PBKDF2\s0 and scrypt.
"hexpass:string" 4
Item "hexpass:string" Specifies the password in hexadecimal form (two hex digits per byte). The password must be specified for \s-1PBKDF2\s0 and scrypt.
"digest:string" 4
Item "digest:string" This option is identical to the -digest option.
"cipher:string" 4
Item "cipher:string" This option is identical to the -cipher option.
"mac:string" 4
Item "mac:string" This option is identical to the -mac option.

"-provider name" 4
Item "-provider name"

0

"-provider-path path" 4
Item "-provider-path path"
"-propquery propq" 4
Item "-propquery propq"

See \*(L"Provider Options\*(R" in openssl\|(1), provider\|(7), and property\|(7).

"kdf_name" 4
Item "kdf_name" Specifies the name of a supported \s-1KDF\s0 algorithm which will be used. The supported algorithms names include \s-1TLS1-PRF, HKDF, SSKDF, PBKDF2, SSHKDF, X942KDF-ASN1, X942KDF-CONCAT, X963KDF\s0 and \s-1SCRYPT.\s0
"EXAMPLES"
Header "EXAMPLES" Use \s-1TLS1-PRF\s0 to create a hex-encoded derived key from a secret key and seed:

.Vb 2 openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:secret \e -kdfopt seed:seed TLS1-PRF .Ve

Use \s-1HKDF\s0 to create a hex-encoded derived key from a secret key, salt and info:

.Vb 2 openssl kdf -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret \e -kdfopt salt:salt -kdfopt info:label HKDF .Ve

Use \s-1SSKDF\s0 with \s-1KMAC\s0 to create a hex-encoded derived key from a secret key, salt and info:

.Vb 3 openssl kdf -keylen 64 -kdfopt mac:KMAC-128 -kdfopt maclen:20 \e -kdfopt hexkey:b74a149a161545 -kdfopt hexinfo:348a37a2 \e -kdfopt hexsalt:3638271ccd68a2 SSKDF .Ve

Use \s-1SSKDF\s0 with \s-1HMAC\s0 to create a hex-encoded derived key from a secret key, salt and info:

.Vb 3 openssl kdf -keylen 16 -kdfopt mac:HMAC -kdfopt digest:SHA2-256 \e -kdfopt hexkey:b74a149a -kdfopt hexinfo:348a37a2 \e -kdfopt hexsalt:3638271c SSKDF .Ve

Use \s-1SSKDF\s0 with Hash to create a hex-encoded derived key from a secret key, salt and info:

.Vb 3 openssl kdf -keylen 14 -kdfopt digest:SHA2-256 \e -kdfopt hexkey:6dbdc23f045488 \e -kdfopt hexinfo:a1b2c3d4 SSKDF .Ve

Use \s-1SSHKDF\s0 to create a hex-encoded derived key from a secret key, hash and session_id:

.Vb 5 openssl kdf -keylen 16 -kdfopt digest:SHA2-256 \e -kdfopt hexkey:0102030405 \e -kdfopt hexxcghash:06090A \e -kdfopt hexsession_id:01020304 \e -kdfopt type:A SSHKDF .Ve

Use \s-1PBKDF2\s0 to create a hex-encoded derived key from a password and salt:

.Vb 2 openssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:password \e -kdfopt salt:salt -kdfopt iter:2 PBKDF2 .Ve

Use scrypt to create a hex-encoded derived key from a password and salt:

.Vb 3 openssl kdf -keylen 64 -kdfopt pass:password -kdfopt salt:NaCl \e -kdfopt n:1024 -kdfopt r:8 -kdfopt p:16 \e -kdfopt maxmem_bytes:10485760 SCRYPT .Ve

"NOTES"
Header "NOTES" The \s-1KDF\s0 mechanisms that are available will depend on the options used when building OpenSSL.
"SEE ALSO"
Header "SEE ALSO" \fBopenssl\|(1), \fBopenssl-pkeyutl\|(1), \s-1EVP_KDF\s0\|(3), \s-1EVP_KDF-SCRYPT\s0\|(7), \s-1EVP_KDF-TLS1_PRF\s0\|(7), \s-1EVP_KDF-PBKDF2\s0\|(7), \s-1EVP_KDF-HKDF\s0\|(7), \s-1EVP_KDF-SS\s0\|(7), \s-1EVP_KDF-SSHKDF\s0\|(7), \s-1EVP_KDF-X942-ASN1\s0\|(7), \s-1EVP_KDF-X942-CONCAT\s0\|(7), \s-1EVP_KDF-X963\s0\|(7)
"HISTORY"
Header "HISTORY" Added in OpenSSL 3.0
"COPYRIGHT"
Header "COPYRIGHT" Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.