step crypto kdf hash -- derive a secret key from a secret value (e.g., a password)
step crypto kdf hash [<input>]
step crypto kdf hash uses a key derivation function (KDF) to produce a
pseudorandom secret key based on some (presumably secret) input value. This is
useful for password verification approaches based on password hashing. Key
derivation functions are designed to be computationally intensive, making it
more difficult for attackers to perform brute-force attacks on password
If this command is run without the optional
input argument and STDIN is a TTY
(i.e., you're running the command in an interactive terminal and not piping
input to it) you'll be prompted to enter a value on STDERR. If STDIN is not a
TTY it will be read without prompting.
This command will produce a string encoding of the KDF output along with the
algorithm used, salt, and any parameters required for validation in PHC string
The KDFs are run with parameters that are considered safe. The 'scrypt'
parameters are currently fixed at N=32768, r=8 and p=1. The 'bcrypt' work
factor is currently fixed at 10.
For examples, see step help crypto kdf.
The input to the key derivation function.
input is optional and its use is
not recommended. If this argument is provided the --insecure flag must also
be provided because your (presumably secret)
input will likely be logged and
appear in places you might not expect. If omitted input is read from STDIN.
The KDF algorithm to use.
algorithm must be one of:
scrypt: A password-based KDF designed to use exponential time and memory.
bcrypt: A password-based KDF designed to use exponential time.
argon2i: A password-based KDF optimized to resist side-channel attacks.
argon2id: A password-based KDF optimized to resist GPU and side-channel attacks.