@eryx/crypto/hazmat/argon2 Module

Argon2 password hashing.

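Provides the three Argon2 variants: Argon2d, Argon2i, and Argon2id.

Each variant is available in two forms: raw (*_hash_raw, which returns the hash bytes as a buffer) and encoded (*_hash_encoded, which returns the PHC encoded string).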

The encoded form is the one you usually want to store in a database, since it embeds the variant and cost parameters. Use verify_encoded to check a password against one of those strings.

local argon2 = require("@eryx/crypto/hazmat/argon2")
local random = require("@eryx/crypto/hazmat/random")

local password = buffer.fromstring("hunter2")
local salt = random.bytes(16)

local encoded = argon2.argon2id_hash_encoded(password, salt, 3, 65536, 1, 32)
assert(argon2.verify_encoded(encoded, password))

Summary

Functions

argon2.argon2d_hash_raw(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> buffer
argon2.argon2i_hash_raw(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> buffer
argon2.argon2id_hash_raw(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> buffer
argon2.argon2d_hash_encoded(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> string
argon2.argon2i_hash_encoded(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> string
argon2.argon2id_hash_encoded(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> string
argon2.verify_encoded(encoded: string, password: buffer) -> boolean
argon2.encoded_len(time_cost: number, memory_kib: number, parallelism: number, salt_len: number, hash_len: number, variant: "argon2d" | "argon2i" | "argon2id") -> number

API Reference

Functions

argon2.argon2d_hash_raw

Hashes a password with Argon2d and returns the raw hash bytes.

Argon2d uses data-dependent memory access, making it a poor default for password hashing on shared hardware, but it can be useful for specialised proof-of-work or side-channel-free environments.

argon2.argon2d_hash_raw(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> buffer

Parameters

password: buffer

Password or secret to hash.

salt: buffer

Unique salt. Argon2 requires at least 8 bytes; 16+ bytes is a sensible default.

time_cost: number

Number of passes over memory.

memory_kib: number

Memory cost in KiB.

parallelism: number

Number of lanes/threads to request.

hash_len: number

Desired raw output length in bytes.

version: Version?

Argon2 version. Defaults to VERSION_NUMBER.

Returns

buffer

Raw hash output.

argon2.argon2i_hash_raw

Hashes a password with Argon2i and returns the raw hash bytes.

Argon2i uses data-independent memory access and is safer in the presence of timing/cache-observation attacks, but it is usually not the first choice now that Argon2id exists.

argon2.argon2i_hash_raw(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> buffer

Parameters

password: buffer

Password or secret to hash.

salt: buffer

Unique salt.

time_cost: number

Number of passes over memory.

memory_kib: number

Memory cost in KiB.

parallelism: number

Number of lanes/threads to request.

hash_len: number

Desired raw output length in bytes.

version: Version?

Argon2 version. Defaults to VERSION_NUMBER.

Returns

buffer

Raw hash output.

argon2.argon2id_hash_raw

Hashes a password with Argon2id and returns the raw hash bytes.

Argon2id is the recommended general-purpose Argon2 mode for password hashing.

argon2.argon2id_hash_raw(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> buffer

Parameters

password: buffer

Password or secret to hash.

salt: buffer

Unique salt.

time_cost: number

Number of passes over memory.

memory_kib: number

Memory cost in KiB.

parallelism: number

Number of lanes/threads to request.

hash_len: number

Desired raw output length in bytes.

version: Version?

Argon2 version. Defaults to VERSION_NUMBER.

Returns

buffer

Raw hash output.

argon2.argon2d_hash_encoded

Hashes a password with Argon2d and returns the PHC encoded string.

This is the storage-friendly string form containing the variant, version, cost parameters, salt, and hash.

argon2.argon2d_hash_encoded(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> string

Parameters

password: buffer

Password or secret to hash.

salt: buffer

Unique salt.

time_cost: number

Number of passes over memory.

memory_kib: number

Memory cost in KiB.

parallelism: number

Number of lanes/threads to request.

hash_len: number

Desired raw output length in bytes.

version: Version?

Argon2 version. Defaults to VERSION_NUMBER.

Returns

Encoded Argon2 hash string.

argon2.argon2i_hash_encoded

Hashes a password with Argon2i and returns the PHC encoded string.

argon2.argon2i_hash_encoded(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> string

Parameters

password: buffer

Password or secret to hash.

salt: buffer

Unique salt.

time_cost: number

Number of passes over memory.

memory_kib: number

Memory cost in KiB.

parallelism: number

Number of lanes/threads to request.

hash_len: number

Desired raw output length in bytes.

version: Version?

Argon2 version. Defaults to VERSION_NUMBER.

Returns

Encoded Argon2 hash string.

argon2.argon2id_hash_encoded

Hashes a password with Argon2id and returns the PHC encoded string.

This is the usual API you want for password storage.

argon2.argon2id_hash_encoded(password: buffer, salt: buffer, time_cost: number, memory_kib: number, parallelism: number, hash_len: number, version: Version?) -> string

Parameters

password: buffer

Password or secret to hash.

salt: buffer

Unique salt.

time_cost: number

Number of passes over memory.

memory_kib: number

Memory cost in KiB.

parallelism: number

Number of lanes/threads to request.

hash_len: number

Desired raw output length in bytes.

version: Version?

Argon2 version. Defaults to VERSION_NUMBER.

Returns

Encoded Argon2 hash string.

argon2.verify_encoded

Verifies a password against an encoded Argon2 hash string.

The variant is inferred from the encoded PHC prefix, so the same function works for Argon2d, Argon2i, and Argon2id encoded hashes.

argon2.verify_encoded(encoded: string, password: buffer) -> boolean

Parameters

encoded: string

Encoded PHC hash string.

password: buffer

Password to test.

Returns

true if the password matches.

argon2.encoded_len

Returns the maximum encoded string length for the given parameters.

This can be useful when pre-allocating storage or validating size limits before calling one of the *_hash_encoded functions.

argon2.encoded_len(time_cost: number, memory_kib: number, parallelism: number, salt_len: number, hash_len: number, variant: "argon2d" | "argon2i" | "argon2id") -> number

Parameters

time_cost: number

Number of passes over memory.

memory_kib: number

Memory cost in KiB.

parallelism: number

Number of lanes/threads.

salt_len: number

Salt length in bytes.

hash_len: number

Raw hash length in bytes.

variant: "argon2d" | "argon2i" | "argon2id"

One of "argon2d", "argon2i", or "argon2id".

Returns

Maximum encoded string length including the trailing NUL used by the underlying C API.
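Because the encoded string embeds the variant and cost parameters (see verify_encoded above) and encoded_len bounds its size, a login path can verify a stored hash and then upgrade it when its costs fall below current policy. The following is an added example, not code from the eryx documentation. POLICY, MAX_COLUMN, parse_params, needs_rehash, hash_password and login are hypothetical names, the cost values are illustrative, and the PHC layout ($argon2id$v=19$m=...,t=...,p=...$salt$hash) is assumed to be the one produced by the reference Argon2 C library.

```luau
-- Added example; every name defined here is hypothetical, not part of the module.
local argon2 = require("@eryx/crypto/hazmat/argon2")
local random = require("@eryx/crypto/hazmat/random")

-- Assumed target policy and storage limit; tune the costs for your own hardware.
local POLICY = { time_cost = 3, memory_kib = 65536, parallelism = 1, salt_len = 16, hash_len = 32 }
local MAX_COLUMN = 128 -- assumed width of the database column that holds the hash

-- Extract variant and costs from a PHC string; the v= field is optional.
-- Returns nil when the string does not have the expected shape.
local function parse_params(encoded: string)
	local variant, m, t, p = string.match(encoded, "^%$(argon2%a+)%$.-m=(%d+),t=(%d+),p=(%d+)%$")
	if not variant then return nil end
	return { variant = variant, memory_kib = tonumber(m), time_cost = tonumber(t), parallelism = tonumber(p) }
end

-- True when the stored hash is unparsable, not Argon2id, or weaker than POLICY.
local function needs_rehash(encoded: string): boolean
	local p = parse_params(encoded)
	if not p or p.variant ~= "argon2id" then return true end
	return p.memory_kib < POLICY.memory_kib or p.time_cost < POLICY.time_cost or p.parallelism ~= POLICY.parallelism
end

local function hash_password(password: buffer): string
	-- encoded_len includes the trailing NUL of the C API, so the string is one shorter.
	local max_len = argon2.encoded_len(POLICY.time_cost, POLICY.memory_kib, POLICY.parallelism, POLICY.salt_len, POLICY.hash_len, "argon2id") - 1
	assert(max_len <= MAX_COLUMN, "encoded hash would not fit the storage column")
	return argon2.argon2id_hash_encoded(password, random.bytes(POLICY.salt_len), POLICY.time_cost, POLICY.memory_kib, POLICY.parallelism, POLICY.hash_len)
end

-- Returns (ok, replacement). replacement is a fresh encoded hash to store when the
-- password was correct but the stored hash falls short of POLICY.
local function login(stored: string, password: buffer): (boolean, string?)
	-- pcall: the page does not say whether a malformed string raises or returns false.
	local ok, matched = pcall(argon2.verify_encoded, stored, password)
	if not (ok and matched) then return false, nil end
	if needs_rehash(stored) then return true, hash_password(password) end
	return true, nil
end

-- Constructed demo: a hash made with weaker costs still verifies and is upgraded.
local pw = buffer.fromstring("correct horse battery staple")
local old = argon2.argon2id_hash_encoded(pw, random.bytes(16), 2, 19456, 1, 32)
local ok, replacement = login(old, pw)
assert(ok and replacement ~= nil)
assert(not needs_rehash(replacement :: string))
assert(login(old, buffer.fromstring("wrong guess")) == false)
```

Rehashing is only possible at login because that is the one moment the plaintext password is available; the replacement string should overwrite the stored value in the same transaction that records the successful login.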

Types

Version

Implements: number

Constants