CFML implementation of Password-Based Key-Derivation Function (PBKDF)

generatePBKDFKey(algorithm, passphrase, salt, iterations, keySize); → returns string

Argument Reference

algorithm string

Hashing algorithm used for generating key
  • PBKDF2WithHmacSHA1
  • PBKDF2WithSHA1
  • PBKDF2WithSHA224
  • PBKDF2WithSHA256
  • PBKDF2WithSHA384
  • PBKDF2WithSHA512
  • PBKDF2WithHmacSHA256
  • PBKDF2WithHmacSHA384
  • PBKDF2WithHmacSHA512

passphrase string

Passphrase used for the key. KEEP THIS SECRET.

salt string

A string that is combined with the passphrase when the key is derived.
The standard recommends a salt length of at least 64 bits (8 characters). The salt needs to be generated using a pseudo-random number generator (e.g. SHA1PRNG).

iterations numeric

The number of PBKDF iterations to perform. A minimum recommended value is 1000.

keySize numeric

The length in bits of the key to generate



Version 11+: Adobe ColdFusion Enterprise includes a Java crypto provider that implements these algorithms. These algorithms are available only in Enterprise versions: PBKDF2WithSHA1, PBKDF2WithSHA224, PBKDF2WithSHA256, PBKDF2WithSHA384, PBKDF2WithSHA512, PBKDF2WithSHA512-224, PBKDF2WithSHA512-256.


Version 5+: For Lucee, the supported algorithms depend on the crypto provider that you have installed. The default Java crypto provider, for example, only supports "PBKDF2WithHmacSHA1" on Java 1.7. On Java 8 it supports more algorithms (such as PBKDF2WithHmacSHA512). The iterations and keySize parameters are optional in Lucee.

Sample code invoking the generatePBKDFKey function

The PBKDF2WithHmacSHA1 algorithm will work on older JVMs, or older versions of CF

generatePBKDFKey("PBKDF2WithHmacSHA1", "secret", "salty", 5000, 128)

Expected Result: Y0MCpCe3zb0CNJvyXNUWEQ==

// some variables
password = "top_secret";
dataToEncrypt = "the most closely guarded secret";
encryptionAlgorithm = "AES";
keysize = 128;
algorithmVersion = 512;
PBKDFalgorithm = 'PBKDF2WithHmacSHA' & algorithmVersion;
// Iteration count, kept separate from the hash size so it stays above the recommended minimum of 1000
iterations = 5000;
// Generate a random salt as recommended in the argument reference.
// Randomize(5, 'SHA1PRNG') seeds the generator with the constant 5 and so returns the same
// value on every run; generateSecretKey() returns fresh random bits (Base64-encoded) instead.
salt = generateSecretKey(encryptionAlgorithm, keysize);
// The magic happens here
PBKDFKey = generatePBKDFKey(PBKDFalgorithm, password, salt, iterations, keysize);
encryptedData = encrypt(dataToEncrypt, PBKDFKey, encryptionAlgorithm, "BASE64");
decryptedData = decrypt(encryptedData, PBKDFKey, encryptionAlgorithm, "BASE64");
// The salt is not secret, but it must be kept with the ciphertext to derive the same key again
writeOutput("<b>Generated PBKDFKey (Base 64)</b>: " & PBKDFKey);
writeOutput("<br /><b>Data After Encryption</b>: " & encryptedData);
writeOutput("<br /><b>Data After Decryption</b>: " & decryptedData);
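The sample above derives the key and decrypts in the same request, so it never has to derive the key a second time. The following added example (not part of the original documentation) stores the salt and the derivation parameters next to the ciphertext and re-derives the key from the passphrase when decrypting. The function names, struct keys, iteration count and the AES/CBC/PKCS5Padding choice are assumptions made for illustration.

```cfml
<cfscript>
// Added example. sealWithPassphrase / openWithPassphrase and the struct keys are hypothetical names.
function sealWithPassphrase(required string plaintext, required string passphrase) {
    var rec = {
        kdf        = "PBKDF2WithHmacSHA256", // needs a provider that supports it (see notes above)
        iterations = 100000,                 // example value; tune to your hardware
        keySize    = 128,
        // 128 fresh random bits per record, Base64-encoded, used as the salt string
        salt       = generateSecretKey("AES", 128)
    };
    var key = generatePBKDFKey(rec.kdf, arguments.passphrase, rec.salt, rec.iterations, rec.keySize);
    // No IV argument is passed, so encrypt() generates one and prepends it to the ciphertext
    rec.ciphertext = encrypt(arguments.plaintext, key, "AES/CBC/PKCS5Padding", "Base64");
    // The record holds no secret: only the passphrase must stay private
    return rec;
}

function openWithPassphrase(required struct rec, required string passphrase) {
    // Same passphrase + stored salt + stored parameters => same key
    var key = generatePBKDFKey(rec.kdf, arguments.passphrase, rec.salt, rec.iterations, rec.keySize);
    return decrypt(rec.ciphertext, key, "AES/CBC/PKCS5Padding", "Base64");
}

// Constructed sample input, reusing the values from the sample above
first  = sealWithPassphrase("the most closely guarded secret", "top_secret");
second = sealWithPassphrase("the most closely guarded secret", "top_secret");

// Each record gets its own salt, so the same passphrase yields a different key every time
writeOutput("Salts differ: " & (compare(first.salt, second.salt) != 0) & "<br />");
writeOutput("Stored record: " & encodeForHTML(serializeJSON(first)) & "<br />");
writeOutput("Decrypted: " & encodeForHTML(openWithPassphrase(first, "top_secret")));
</cfscript>
```

Storing the algorithm name and iteration count in each record lets the iteration count be raised later without breaking records written earlier.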

