CFML implementation of Password-Based Key-Derivation Function (PBKDF)

generatePBKDFKey(algorithm, passphrase, salt, iterations, keySize); → returns string

generatePBKDFKey Argument Reference

algorithm string

Hashing algorithm used for generating key
  • PBKDF2WithHmacSHA1
  • PBKDF2WithSHA1
  • PBKDF2WithSHA224
  • PBKDF2WithSHA256
  • PBKDF2WithSHA384
  • PBKDF2WithSHA512

passphrase string

Passphrase used for the key. KEEP THIS SECRET.

salt string

A string which will be added to the passphrase before encryption.
The standard recommends a salt length of at least 64 bits (8 characters). The salt needs to be generated using a pseudo-random number generator (e.g SHA1PRNG)

iterations numeric

The number of PBKDEF iterations to perform. A minimum recommended value is 1000

keySize numeric

The length in bytes of the key to generate
  • true
  • false



Version 11+ Adobe ColdFusion Enterprise includes a java crypto provider that implements these algorithms. These algorithms are available only in enterprise versions: PBKDF2WithSHA1 PBKDF2WithSHA224 PBKDF2WithSHA256 PBKDF2WithSHA384 PBKDF2WithSHA512 PBKDF2WithSHA512-224 PBKDF2WithSHA512-256


Version 5+ For Lucee it is up to the provider that you have installed, if using the default java crypto provider it only supports "PBKDF2WithHmacSHA1" on Java 1.7 for example. If you are using Java 8 it supports more algorithms. iterations and keySize parameters are optional in Lucee.

Links more information about generatePBKDFKey

Examples sample code invoking the generatePBKDFKey function

Example PBKDF2 With HMAC SHA1

generatePBKDFKey("PBKDF2WithHmacSHA1", "secret", "salty", 5000, 128)

Expected Result: Y0MCpCe3zb0CNJvyXNUWEQ==

More complex encryption example

// some variables
password = "top_secret";
dataToEncrypt= "the most closely guarded secret";
encryptionAlgorithm = "AES";
keysize = 128;
algorithmVersion = 512;
PBKDFalgorithm = 'PBKDF2WithHmacSHA' & algorithmVersion;
// Generate key as recommended in docs
length = keysize / 8;
multiplicator = 10 ^ length;
salt = Round(Randomize(5,'SHA1PRNG') * multiplicator);
// The magic happens here
PBKDFKey = GeneratePBKDFKey(PBKDFalgorithm, password, salt, algorithmVersion, keysize);
encryptedData = encrypt(dataToEncrypt, PBKDFKey, encryptionAlgorithm, "BASE64"); 
decryptedData = decrypt(encryptedData, PBKDFKey, encryptionAlgorithm, "BASE64");
writeOutput("<b>Generated PBKDFKey (Base 64)</b>: " & PBKDFKey);
writeOutput("<br /><b>Data After Encryption</b>: " & encryptedData);
writeOutput("<br /><b>Data After Decryption</b>: " & decryptedData); 

Fork me on GitHub