GeneratePBKDFKey

Last update:

May 18, 2026

Warning:

The function GeneratePBKDFKey may not work as expected with JDK 11.0.17. As a workaround, edit the java.security file located in ColdFusion/jre/<path_to_conf_folder>/security/ or \Program Files\Java\jdk-11\conf\security, and remove the string - SHA1 denyAfter 2019-01-01.

Restart ColdFusion after the changes.

Returns

A string that contains the encryption key.

History

ColdFusion (2025 release): Removed CFMX_COMPAT algorithm support. The default algorithm 'CFMX_COMPAT' has been changed to 'AES/CBC/PKCS5Padding'.
ColdFusion 11: Added this function to support PBKDF2 key derivation.

Function syntax

GeneratePBKDFKey(String algorithm, String string, String salt, int iterations, int keysize )

Parameters

Parameter	Description
algorithm	The encryption algorithm for which to generate the key. The following algorithms are available in both standard and enterprise versions: PBKDF2WithHmacSHA1 PBKDF2WithHmacSHA224 PBKDF2WithHmacSHA256 PBKDF2WithHmacSHA384 PBKDF2WithHmacSHA512 The following algorithms are available only in enterprise versions. Note: For the workaround at the beginning of the document, the following algorithms are supported. PBKDF2WithSHA1 PBKDF2WithSHA224 PBKDF2WithSHA256 PBKDF2WithSHA384 PBKDF2WithSHA512 PBKDF2WithSHA512-224 PBKDF2WithSHA512-256 ColdFusion Enterprise registers JSAFE as the default crypto provider. JSAFE provides the additional algorithms.
string	The string to be used for conversion.
salt	A random salt. The standard recommends a salt length of at least 64 bits (8 characters). The salt needs to be generated using a pseudo-random number generator (e.g SHA1PRNG).
iterations	The number of PBKDEF iterations to perform. The recommended value for iterations is 1000 or more.
keysize	The key size in number of bits.

Example

ENCRYPTION USING PBKDF2

<cfscript>

       salt="A41n9t0Q";

       password = "Password@123";

       PBKDFalgorithm = "PBKDF2WithSHA512-224";

       dataToEncrypt= "Lorem ipsum dolor sit amet, consectetur adipisicing elit, 

       sed do eiusmod tempor incididunt ut labore et dolore magna aliqua";

       encryptionAlgorithm = "AES";

       derivedKey = GeneratePBKDFKey(PBKDFalgorithm ,password ,salt,4096,128);

       writeOutput("Generated PBKDFKey (Base 64) : " & derivedKey);

       encryptedData = encrypt(dataToEncrypt, derivedKey, encryptionAlgorithm, "BASE64");

       writeoutput("Data After Encryption using PBKDF2: " & encryptedData); 

</cfscript>

Decryption using PBKDF2

<cfscript>

       salt="A41n9t0Q";

       password = "Password@123";

       PBKDFalgorithm = "PBKDF2WithSHA512-224";

       derivedKey = GeneratePBKDFKey(PBKDFalgorithm ,password ,salt,4096,128);

       decryptedData = decrypt(encryptedData, derivedKey, encryptionAlgorithm, "BASE64");

       writeoutput("Data After Decryption using PBKDF2: " & decryptedData); 

</cfscript>

Was this page helpful?

We're glad. Tell us how this page helped.

Found the answer to my problem Understood the instructions Liked the feature

Other suggestions

We're sorry. Can you tell us what didn't work for you?

Didn't find the answer to my problem Couldn't understand the instructions Didn't like the feature

Other suggestions

Thank you for your feedback. Your response will help improve this page.

Was this helpful?

We are sorry the content didn't meet your needs.

Share additional feedback to help us improve.

0/255 | Character limit exceeded.

Thank you so much for sharing your feedback!