KeyDerivationAlgorithm

public enum KeyDerivationAlgorithm : Sendable

Defines the supported key derivation algorithms for deriving database encryption keys from user-provided secrets.

Choose the algorithm based on the entropy level of the secret:

  • PBKDF2: For low-entropy secrets such as user passwords. It applies a configurable number of iterations to slow down brute-force attacks.
  • HKDF: For high-entropy secrets such as random Keychain material. It is lightweight and does not need iteration counts.

Both algorithms produce a 256-bit AES key suitable for use with DatabaseOptions.encryptionKey.

  • Derives a key using PBKDF2-HMAC-SHA256, appropriate for user-supplied passwords with limited entropy.

    Declaration

    Swift

    case pbkdf2sha256(iterations: Int = 210_000)

    Parameters

    iterations

    The number of PBKDF2 iterations. OWASP currently recommends at least 210,000 iterations for password hashing. Higher values increase security at the cost of derivation time.

  • Derives a key using HKDF-SHA256, appropriate for high-entropy secrets such as random data from the Secure Enclave or Keychain.

    HKDF does not use iteration counts; it is a single-pass extract-and-expand construction.

    Declaration

    Swift

    case hkdf