{
    "mode": "man",
    "parameter": "OPENSSL-KDF",
    "section": "1SSL",
    "url": "https://www.chedong.com/phpMan.php/man/OPENSSL-KDF/1SSL/json",
    "generated": "2026-06-10T16:09:34Z",
    "synopsis": "openssl kdf [-help] [-cipher] [-digest] [-mac] [-kdfopt nm:v] [-keylen num] [-out filename]\n[-binary] [-provider name] [-provider-path path] [-propquery propq] kdfname",
    "sections": {
        "NAME": {
            "content": "openssl-kdf - perform Key Derivation Function operations\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "openssl kdf [-help] [-cipher] [-digest] [-mac] [-kdfopt nm:v] [-keylen num] [-out filename]\n[-binary] [-provider name] [-provider-path path] [-propquery propq] kdfname\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "The key derivation functions generate a derived key from either a secret or password.\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "-help",
                    "content": "Print a usage message.\n"
                },
                {
                    "name": "-keylen",
                    "content": "The output size of the derived key. This field is required.\n"
                },
                {
                    "name": "-out",
                    "content": "Filename to output to, or standard output by default.\n"
                },
                {
                    "name": "-binary",
                    "content": "Output the derived key in binary form. Uses hexadecimal text format if not specified.\n"
                },
                {
                    "name": "-cipher",
                    "content": "Specify the cipher to be used by the KDF.  Not all KDFs require a cipher and it is an\nerror to use this option in such cases.\n"
                },
                {
                    "name": "-digest",
                    "content": "Specify the digest to be used by the KDF.  Not all KDFs require a digest and it is an\nerror to use this option in such cases.  To see the list of supported digests, use\n\"openssl list -digest-commands\".\n"
                },
                {
                    "name": "-mac",
                    "content": "Specify the MAC to be used by the KDF.  Not all KDFs require a MAC and it is an error to\nuse this option in such cases.\n"
                },
                {
                    "name": "-kdfopt",
                    "content": "Passes options to the KDF algorithm.  A comprehensive list of parameters can be found in\nthe EVP_KDF_CTX implementation documentation.  Common parameter names used by\nEVP_KDF_CTX_set_params() are:\n\nkey:string\nSpecifies the secret key as an alphanumeric string (use if the key contains printable\ncharacters only).  The string length must conform to any restrictions of the KDF\nalgorithm.  A key must be specified for most KDF algorithms.\n\nhexkey:string\nSpecifies the secret key in hexadecimal form (two hex digits per byte).  The key\nlength must conform to any restrictions of the KDF algorithm.  A key must be\nspecified for most KDF algorithms.\n\npass:string\nSpecifies the password as an alphanumeric string (use if the password contains\nprintable characters only).  The password must be specified for PBKDF2 and scrypt.\n\nhexpass:string\nSpecifies the password in hexadecimal form (two hex digits per byte).  The password\nmust be specified for PBKDF2 and scrypt.\n\ndigest:string\nThis option is identical to the -digest option.\n\ncipher:string\nThis option is identical to the -cipher option.\n\nmac:string\nThis option is identical to the -mac option.\n"
                },
                {
                    "name": "-provider",
                    "content": ""
                },
                {
                    "name": "-provider-path",
                    "content": ""
                },
                {
                    "name": "-propquery",
                    "content": "See \"Provider Options\" in openssl(1), provider(7), and property(7).\n\nkdfname\nSpecifies the name of a supported KDF algorithm which will be used.  The supported\nalgorithm names include TLS1-PRF, HKDF, SSKDF, PBKDF2, SSHKDF, X942KDF-ASN1,\nX942KDF-CONCAT, X963KDF and SCRYPT.\n"
                }
            ]
        },
        "EXAMPLES": {
            "content": "Use TLS1-PRF to create a hex-encoded derived key from a secret key and seed:\n\nopenssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:secret \\\n-kdfopt seed:seed TLS1-PRF\n\nUse HKDF to create a hex-encoded derived key from a secret key, salt and info:\n\nopenssl kdf -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret \\\n-kdfopt salt:salt -kdfopt info:label HKDF\n\nUse SSKDF with KMAC to create a hex-encoded derived key from a secret key, salt and info:\n\nopenssl kdf -keylen 64 -kdfopt mac:KMAC-128 -kdfopt maclen:20 \\\n-kdfopt hexkey:b74a149a161545 -kdfopt hexinfo:348a37a2 \\\n-kdfopt hexsalt:3638271ccd68a2 SSKDF\n\nUse SSKDF with HMAC to create a hex-encoded derived key from a secret key, salt and info:\n\nopenssl kdf -keylen 16 -kdfopt mac:HMAC -kdfopt digest:SHA2-256 \\\n-kdfopt hexkey:b74a149a -kdfopt hexinfo:348a37a2 \\\n-kdfopt hexsalt:3638271c SSKDF\n\nUse SSKDF with Hash to create a hex-encoded derived key from a secret key, salt and info:\n\nopenssl kdf -keylen 14 -kdfopt digest:SHA2-256 \\\n-kdfopt hexkey:6dbdc23f045488 \\\n-kdfopt hexinfo:a1b2c3d4 SSKDF\n\nUse SSHKDF to create a hex-encoded derived key from a secret key, hash and sessionid:\n\nopenssl kdf -keylen 16 -kdfopt digest:SHA2-256 \\\n-kdfopt hexkey:0102030405 \\\n-kdfopt hexxcghash:06090A \\\n-kdfopt hexsessionid:01020304 \\\n-kdfopt type:A SSHKDF\n\nUse PBKDF2 to create a hex-encoded derived key from a password and salt:\n\nopenssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:password \\\n-kdfopt salt:salt -kdfopt iter:2 PBKDF2\n\nUse scrypt to create a hex-encoded derived key from a password and salt:\n\nopenssl kdf -keylen 64 -kdfopt pass:password -kdfopt salt:NaCl \\\n-kdfopt n:1024 -kdfopt r:8 -kdfopt p:16 \\\n-kdfopt maxmembytes:10485760 SCRYPT\n",
            "subsections": []
        },
        "NOTES": {
            "content": "The KDF mechanisms that are available will depend on the options used when building OpenSSL.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "openssl(1), openssl-pkeyutl(1), EVP_KDF(3), EVP_KDF-SCRYPT(7), EVP_KDF-TLS1_PRF(7),\nEVP_KDF-PBKDF2(7), EVP_KDF-HKDF(7), EVP_KDF-SS(7), EVP_KDF-SSHKDF(7), EVP_KDF-X942-ASN1(7),\nEVP_KDF-X942-CONCAT(7), EVP_KDF-X963(7)\n",
            "subsections": []
        },
        "HISTORY": {
            "content": "Added in OpenSSL 3.0\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use this file except in\ncompliance with the License.  You can obtain a copy in the file LICENSE in the source\ndistribution or at <https://www.openssl.org/source/license.html>.\n\n\n\n3.0.2                                        2026-04-07                            OPENSSL-KDF(1SSL)",
            "subsections": []
        }
    },
    "summary": "openssl-kdf - perform Key Derivation Function operations",
    "flags": [
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Print a usage message."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "The output size of the derived key. This field is required."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Filename to output to, or standard output by default."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Output the derived key in binary form. Uses hexadecimal text format if not specified."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Specify the cipher to be used by the KDF. Not all KDFs require a cipher and it is an error to use this option in such cases."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Specify the digest to be used by the KDF. Not all KDFs require a digest and it is an error to use this option in such cases. To see the list of supported digests, use \"openssl list -digest-commands\"."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Specify the MAC to be used by the KDF. Not all KDFs require a MAC and it is an error to use this option in such cases."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "Passes options to the KDF algorithm. A comprehensive list of parameters can be found in the EVP_KDF_CTX implementation documentation. Common parameter names used by EVP_KDF_CTX_set_params() are: key:string Specifies the secret key as an alphanumeric string (use if the key contains printable characters only). The string length must conform to any restrictions of the KDF algorithm. A key must be specified for most KDF algorithms. hexkey:string Specifies the secret key in hexadecimal form (two hex digits per byte). The key length must conform to any restrictions of the KDF algorithm. A key must be specified for most KDF algorithms. pass:string Specifies the password as an alphanumeric string (use if the password contains printable characters only). The password must be specified for PBKDF2 and scrypt. hexpass:string Specifies the password in hexadecimal form (two hex digits per byte). The password must be specified for PBKDF2 and scrypt. digest:string This option is identical to the -digest option. cipher:string This option is identical to the -cipher option. mac:string This option is identical to the -mac option."
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": ""
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": ""
        },
        {
            "flag": "",
            "long": null,
            "arg": null,
            "description": "See \"Provider Options\" in openssl(1), provider(7), and property(7). kdfname Specifies the name of a supported KDF algorithm which will be used. The supported algorithm names include TLS1-PRF, HKDF, SSKDF, PBKDF2, SSHKDF, X942KDF-ASN1, X942KDF-CONCAT, X963KDF and SCRYPT."
        }
    ],
    "examples": [
        "Use TLS1-PRF to create a hex-encoded derived key from a secret key and seed:",
        "openssl kdf -keylen 16 -kdfopt digest:SHA2-256 -kdfopt key:secret \\",
        "-kdfopt seed:seed TLS1-PRF",
        "Use HKDF to create a hex-encoded derived key from a secret key, salt and info:",
        "openssl kdf -keylen 10 -kdfopt digest:SHA2-256 -kdfopt key:secret \\",
        "-kdfopt salt:salt -kdfopt info:label HKDF",
        "Use SSKDF with KMAC to create a hex-encoded derived key from a secret key, salt and info:",
        "openssl kdf -keylen 64 -kdfopt mac:KMAC-128 -kdfopt maclen:20 \\",
        "-kdfopt hexkey:b74a149a161545 -kdfopt hexinfo:348a37a2 \\",
        "-kdfopt hexsalt:3638271ccd68a2 SSKDF",
        "Use SSKDF with HMAC to create a hex-encoded derived key from a secret key, salt and info:",
        "openssl kdf -keylen 16 -kdfopt mac:HMAC -kdfopt digest:SHA2-256 \\",
        "-kdfopt hexkey:b74a149a -kdfopt hexinfo:348a37a2 \\",
        "-kdfopt hexsalt:3638271c SSKDF",
        "Use SSKDF with Hash to create a hex-encoded derived key from a secret key, salt and info:",
        "openssl kdf -keylen 14 -kdfopt digest:SHA2-256 \\",
        "-kdfopt hexkey:6dbdc23f045488 \\",
        "-kdfopt hexinfo:a1b2c3d4 SSKDF",
        "Use SSHKDF to create a hex-encoded derived key from a secret key, hash and sessionid:",
        "openssl kdf -keylen 16 -kdfopt digest:SHA2-256 \\",
        "-kdfopt hexkey:0102030405 \\",
        "-kdfopt hexxcghash:06090A \\",
        "-kdfopt hexsessionid:01020304 \\",
        "-kdfopt type:A SSHKDF",
        "Use PBKDF2 to create a hex-encoded derived key from a password and salt:",
        "openssl kdf -keylen 32 -kdfopt digest:SHA256 -kdfopt pass:password \\",
        "-kdfopt salt:salt -kdfopt iter:2 PBKDF2",
        "Use scrypt to create a hex-encoded derived key from a password and salt:",
        "openssl kdf -keylen 64 -kdfopt pass:password -kdfopt salt:NaCl \\",
        "-kdfopt n:1024 -kdfopt r:8 -kdfopt p:16 \\",
        "-kdfopt maxmembytes:10485760 SCRYPT"
    ],
    "see_also": [
        {
            "name": "openssl",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/openssl/1/json"
        },
        {
            "name": "openssl-pkeyutl",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/openssl-pkeyutl/1/json"
        },
        {
            "name": "EVP_KDF",
            "section": "3",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF/3/json"
        },
        {
            "name": "EVP_KDF-SCRYPT",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-SCRYPT/7/json"
        },
        {
            "name": "EVP_KDF-TLS1_PRF",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-TLS1PRF/7/json"
        },
        {
            "name": "EVP_KDF-PBKDF2",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-PBKDF2/7/json"
        },
        {
            "name": "EVP_KDF-HKDF",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-HKDF/7/json"
        },
        {
            "name": "EVP_KDF-SS",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-SS/7/json"
        },
        {
            "name": "EVP_KDF-SSHKDF",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-SSHKDF/7/json"
        },
        {
            "name": "EVP_KDF-X942-ASN1",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-X942-ASN1/7/json"
        },
        {
            "name": "EVP_KDF-X942-CONCAT",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-X942-CONCAT/7/json"
        },
        {
            "name": "EVP_KDF-X963",
            "section": "7",
            "url": "https://www.chedong.com/phpMan.php/man/EVPKDF-X963/7/json"
        }
    ]
}