Module kdf 

Argon2id and HKDF-SHA256 key derivation.

Argon2id derives 32 bytes of key material from a passphrase and a per-(member, project) salt. Production parameters match Bitwarden defaults: 64 MiB memory, 3 iterations, 4 lanes. Debug builds and the fast-kdf feature use weaker parameters for fast tests; never enable fast-kdf in release builds.

HKDF-SHA256 is exposed as derive_hkdf_sha256 for higher-level derivations such as the per-(human, AI) delegation seed.

Structs

DerivedKey

32-byte derived key material. Zeroed on drop.

Salt

Random 32-byte salt. Stored per-member in project.yaml as hex.

Functions

derive_argon2id

Derive 32 bytes of key material from a passphrase and salt using Argon2id.

derive_hkdf_sha256

HKDF-SHA256 in extract-and-expand form, returning 32 bytes.

generate_salt

Generate a random 32-byte salt.