gemstone_utils.key_mgmt.kdf

PBKDF2-HMAC-SHA256 KDF params and registration.

gemstone_utils.key_mgmt.kdf.pbkdf2.NAME = 'pbkdf2-hmac-sha256'

Registry id for persisted params["kdf"].

gemstone_utils.key_mgmt.kdf.pbkdf2.pbkdf2_params(salt, *, iterations=200000, length=32)

Build PBKDF2 params with explicit salt and tuning.

Parameters:
  • salt (bytes) – Salt bytes (required).

  • iterations (int) – PBKDF2 iteration count.

  • length (int) – Derived key length in bytes.

Returns:

Params dict for derive_kek.

Raises:

TypeError – If salt is not bytes-like.

Return type:

Dict[str, Any]

gemstone_utils.key_mgmt.kdf.pbkdf2.recommended_pbkdf2_params(salt=None)

Strong defaults for new PBKDF2-HMAC-SHA256 KDF rows.

Parameters:

salt (bytes | None) – Optional fixed salt; random 16-byte salt when omitted.

Returns:

Params dict using DEFAULT_PBKDF2_ITERATIONS_STRONG.

Return type:

Dict[str, Any]
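
Added example (not gemstone_utils code): a standard-library sketch that mirrors the documented pbkdf2_params() signature and shows a persisted params row being stored, validated on load, and used to re-derive the same key with hashlib.pbkdf2_hmac. The helper names, every dict key other than "kdf", the JSON/base64 storage form and the min_iterations floor are assumptions made for illustration.

```python
import base64
import hashlib
import json
import os

NAME = "pbkdf2-hmac-sha256"  # registry id documented on this page

def make_params(salt, *, iterations=200000, length=32):
    """Stand-in for pbkdf2_params(); the dict layout is an assumption."""
    if not isinstance(salt, (bytes, bytearray, memoryview)):
        raise TypeError("salt must be bytes-like")
    return {"kdf": NAME, "salt": bytes(salt),
            "iterations": iterations, "length": length}

def dump_params(params):
    """Serialize a params dict; the salt is not secret, so it is stored as base64."""
    row = dict(params, salt=base64.b64encode(params["salt"]).decode("ascii"))
    return json.dumps(row, sort_keys=True)

def load_params(text, *, min_iterations=100000):
    """Parse a stored row, rejecting unknown KDF ids and weakened tuning."""
    row = json.loads(text)
    if row.get("kdf") != NAME:
        raise ValueError("unsupported kdf id: %r" % (row.get("kdf"),))
    iterations, length = row.get("iterations"), row.get("length")
    if not isinstance(iterations, int) or iterations < min_iterations:
        raise ValueError("iteration count below the assumed policy floor")
    if not isinstance(length, int) or not 16 <= length <= 64:
        raise ValueError("derived key length out of range")
    row["salt"] = base64.b64decode(row["salt"], validate=True)
    return row

def derive(passphrase, params):
    """Derive key bytes from a passphrase using the stored tuning."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, params["salt"],
                               params["iterations"], dklen=params["length"])

def demo():
    """Store params once, then re-derive the same key from the stored row."""
    stored = dump_params(make_params(os.urandom(16)))  # constructed sample
    first = derive(b"constructed-passphrase", load_params(stored))
    again = derive(b"constructed-passphrase", load_params(stored))
    return stored, first, again

if __name__ == "__main__":
    stored, first, again = demo()
    print(stored)
    print("re-derived key matches:", first == again)
```

Validating the stored row before deriving matters because the params are read back from storage: a row with an unknown "kdf" id or a lowered iteration count is refused rather than silently used.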