nettle-pbkdf2(1) Command-line password-based key derivation tool.


nettle-pbkdf2 [OPTIONS] SALT


This manual page documents briefly the nettle-pbkdf2 command. This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page.

nettle-pbkdf2 is a front-end for Nettle's PBKDF2 (Password-Based Key Derivation Function 2) implementation. PBKDF2 applies a pseudo-random function to a passphrase together with a salt, producing a derived key of arbitrary length. By iterating the process many times, feeding the output of each round as the input of the next, brute-force cracking of the password is made to take correspondingly longer time. The use of a salt makes it harder to use dictionaries or rainbow tables. As computers become more powerful, the number of iterations can be increased without changing the rest of the algorithm.

The pseudo-random function used by this tool is currently HMAC-SHA256.

The password is read from standard input and the resulting derived key is written to standard output in groups of 16 hexadecimal digits, unless the --raw option is used. The salt and number of iterations are not included in the output.


This program follows the usual GNU command line syntax, with long options starting with two dashes (`-'). A summary of options is included below.
-l, --length=length
Desired output length in octets.
Output derived key in raw binary format.
Specifies that SALT is provided in hexadecimal format.
Show summary of options.
-V, --version
Show version of program.


This manual page was originally written by Magnus Holmgren <[email protected]>, for the Debian GNU/Linux system (but may be used by others).