Derive a key.
derive-key derives <key> (which can be created with the optional "define") from the string <source> given in the "from" clause. <key> is allocated memory. If <source length> is specified in the "from-length" clause, exactly <source length> bytes of <source> are used, regardless of any null characters; otherwise <source> is treated as a null-terminated string and its length is the number of bytes used.
The length of the derived key is given by <length> in the "length" clause. The key generation method is PBKDF2. By default the digest used is "SHA256"; you can select a different <digest algorithm> in the "digest" clause (for example "SHA3-256"). To see the list of available digests:
openssl list -digest-algorithms
An optional salt for key derivation can be given as <salt> in the "salt" clause. If the "salt-length" clause is not used, the salt is treated as a null-terminated string; otherwise exactly <salt length> bytes of it are used.
The number of iterations is given by <iterations> in the "iterations" clause. The default is 1000 per RFC 8018, though depending on your needs and the quality of <source> you may choose a different value.
By default, the derived key is produced as a null-terminated string in hexadecimal form, where each byte is encoded as two hexadecimal characters, so its length is 2*<length>. If the "binary" clause is used, the output is a binary string of <length> bytes that may contain null characters, with a null character placed after it.
Key derivation is often used when storing password derivatives in a database (with a salt), and also for symmetric key generation.
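The following is an added example, not code from the page or from the framework it documents: a stand-alone Python model of the derive-key behaviour described above (PBKDF2, SHA256 by default, 1000 iterations by default, null-terminated source and salt unless an explicit length is given, hex output of 2*<length> characters or raw bytes with "binary"). The function and parameter names (derive_key, from_length, salt_length, binary, make_password_record, check_password) are assumptions chosen to mirror the clause names; the password-record helpers show the "storing password derivatives with a salt" use mentioned in the last paragraph.

```python
import hashlib
import hmac
import os

# Assumed names mirroring the derive-key clauses; this is an illustrative model
# of the documented behaviour, not the framework's own implementation.


def _c_string(data: bytes, explicit_length):
    """Apply the documented length rule: use exactly explicit_length bytes when
    a length clause is given, otherwise stop at the first null byte (C string)."""
    if explicit_length is not None:
        return data[:explicit_length]
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]


def derive_key(source: bytes, length: int, *, salt: bytes = b"",
               iterations: int = 1000, digest: str = "SHA256",
               from_length=None, salt_length=None, binary: bool = False):
    """PBKDF2 over <source>; returns hex text of 2*length characters by default,
    or `length` raw bytes when binary=True (the "binary" clause)."""
    password = _c_string(source, from_length)   # "from" / "from-length"
    salt_bytes = _c_string(salt, salt_length)   # "salt" / "salt-length"
    # Digest names such as "SHA3-256" become "sha3_256", the spelling hashlib expects.
    hash_name = digest.lower().replace("-", "_")
    key = hashlib.pbkdf2_hmac(hash_name, password, salt_bytes, iterations, length)
    return key if binary else key.hex()


def make_password_record(password: bytes, iterations: int = 1000) -> dict:
    """Build what you would store in the database: a random per-user salt,
    the iteration count, and the hex-encoded derived key."""
    salt = os.urandom(16)
    # A random salt may contain a zero byte, so the explicit salt length is
    # required; relying on null termination would silently truncate it.
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": derive_key(password, 32, salt=salt, iterations=iterations,
                           salt_length=len(salt)),
    }


def check_password(candidate: bytes, record: dict) -> bool:
    """Re-derive with the stored salt and iterations and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    derived = derive_key(candidate, 32, salt=salt, iterations=record["iterations"],
                         salt_length=len(salt))
    return hmac.compare_digest(derived, record["hash"])


if __name__ == "__main__":
    # Constructed inputs: the PBKDF2-HMAC-SHA256 test vector from RFC 7914 section 11.
    print(derive_key(b"passwd", 64, salt=b"salt", iterations=1))
    # Null-terminated source vs. explicit from-length over the same buffer.
    print(derive_key(b"pass\x00word", 16, salt=b"salt"))
    print(derive_key(b"pass\x00word", 16, salt=b"salt", from_length=9))
    # A different digest, as the "digest" clause allows.
    print(derive_key(b"passwd", 16, salt=b"salt", digest="SHA3-256"))
    rec = make_password_record(b"correct horse battery staple")
    print(check_password(b"correct horse battery staple", rec),
          check_password(b"wrong", rec))
```

Two practical points follow from the rules in the text. First, a salt taken from a random byte generator can contain a zero byte, so a binary salt should always be passed with "salt-length" rather than relying on null termination, otherwise the effective salt is shorter than intended. Second, 1000 iterations is the RFC 8018 minimum from 2017; for storing password derivatives, current guidance (for example the OWASP Password Storage Cheat Sheet) recommends on the order of 600,000 iterations for PBKDF2-HMAC-SHA256, together with a random per-user salt of at least 16 bytes, and the iteration count should be stored alongside the hash so it can be raised later.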