MariaDB starting with 11.3

KDF() is a key derivation function introduced in MariaDB 11.3.0.


KDF(key_str, salt [, {info | iterations} [, kdf_name [, width ]]])


KDF is a key derivation function, similar to OpenSSL's EVP_KDF_derive(). The purpose of a KDF is to be slow, so if the calculated value is lost/stolen, the original key_str is not achievable easily with modern GPU. KDFs are therefore an ideal replacement for password hashes. KDFs can also pad out a password secret to the number of bits used in encryption algorithms.

For generating good encryption keys for AES_ENCRYPT a less expensive function, but cryptographically secure function like RANDOM_BYTES is recommended..

  • kdf_name is "hkdf" or "pbkdf2_hmac" (default)
  • width (in bits) can be any number divisible by 8, by default it's taken from @@block_encryption_mode
  • iterations must be positive, and is 1000 by default

Note that OpenSSL 1.0 doesn't support HKDF, so in this case NULL is returned. This OpenSSL version is still used in SLES 12 and CentOS 7.


select hex(kdf('foo', 'bar', 'infa', 'hkdf')); 
| hex(kdf('foo', 'bar', 'infa', 'hkdf')) |
| 612875F859CFB4EE0DFEFF9F2A18E836       |


Comments loading...
Content reproduced on this site is the property of its respective owners, and this content is not reviewed in advance by MariaDB. The views, information and opinions expressed by this content do not necessarily represent those of MariaDB or any other party.