KeyDerivationAlgorithm
public enum KeyDerivationAlgorithm : Sendable
Defines the supported key derivation algorithms for deriving database encryption keys from user-provided secrets.
Choose the algorithm based on the entropy level of the secret:
- PBKDF2: For low-entropy secrets such as user passwords. It applies a configurable number of iterations to slow down brute-force attacks.
- HKDF: For high-entropy secrets such as random Keychain material. It is lightweight and does not need iteration counts.
Both algorithms produce a 256-bit AES key suitable for use with
DatabaseOptions.encryptionKey.
-
Derives a key using PBKDF2-HMAC-SHA256, appropriate for user-supplied passwords with limited entropy.
Declaration
Swift
case pbkdf2sha256(iterations: Int = 210_000)Parameters
iterationsThe number of PBKDF2 iterations. OWASP currently recommends at least 210,000 iterations for password hashing. Higher values increase security at the cost of derivation time.
-
Derives a key using HKDF-SHA256, appropriate for high-entropy secrets such as random data from the Secure Enclave or Keychain.
HKDF does not use iteration counts; it is a single-pass extract-and-expand construction.
Declaration
Swift
case hkdf
View on GitHub