Key Derivation
Key Derivation is the process of generating one or more cryptographic keys from a source of key material (such as a password or master key) using a key derivation function (KDF).
Why It Matters
Raw passwords and shared secrets lack the entropy and format needed for direct use as encryption keys. Key derivation functions produce keys of the correct length and format for the target algorithm, and password-based KDFs also add computational cost, which slows brute-force guessing.
How It Works
A KDF takes input key material, a salt (unique per derivation), and parameters (such as iteration count and memory cost for password-based KDFs). It produces a derived key of the desired length. Common KDFs include HKDF (for key expansion), PBKDF2 (for passwords), and Argon2 (for modern password hashing).
Best Practices
- Always use a unique salt per key derivation
- Choose parameters that make brute force infeasible
- Use HKDF for deriving multiple keys from a master key
- Use Argon2id or PBKDF2 for password-based key derivation
Common Mistakes
- Deriving keys without a salt
- Using SHA-256 directly as a KDF (lacks salt and iteration support)
- Setting iterations too low for the threat model
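The following Python example is added here and is not ShieldKey's code: it stretches a password with salted PBKDF2-HMAC-SHA256, then uses HKDF (RFC 5869) to split the result into independent encryption and MAC keys, and contrasts that with the bare SHA-256 mistake listed above. The iteration count, salt length, and `info` labels are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; tune the iteration count to your threat model.
PBKDF2_ITERATIONS = 600_000
SALT_LEN = 16


def stretch_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Password -> 32-byte master key using salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand: T(n) = HMAC(PRK, T(n-1) || info || n)
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """One password -> separate keys; the info label binds each key to its purpose."""
    master = stretch_password(password, salt, iterations)
    return {
        "enc": hkdf_sha256(master, salt, b"example/enc/v1", 32),  # hypothetical labels
        "mac": hkdf_sha256(master, salt, b"example/mac/v1", 32),
    }


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)  # unique per derivation; stored with the data, not secret
    keys = derive_keys("correct horse battery staple", salt)  # constructed sample password
    # The mistake: no salt, one hash per guess, identical output for every user.
    unsalted = hashlib.sha256(b"correct horse battery staple").digest()
    print({name: key.hex() for name, key in keys.items()})
    print("bare SHA-256:", unsalted.hex())
```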
How ShieldKey Helps
ShieldKey uses proper key derivation for all cryptographic operations — Argon2id for password hashing and secure key management practices for the AES-256-GCM encryption keys protecting your API keys.
FAQ
What is key derivation?
Key derivation transforms a password or master secret into a cryptographic key using a computationally expensive function. This slows down brute-force attacks and produces keys of the correct format.