PGP Tool

Learn · 7 min read · 2026-02-02

Argon2id vs PBKDF2: which key derivation function should you use?

Both stretch a password into an encryption key, but they cost attackers very different amounts of money. Argon2id is the modern default; PBKDF2 is the compatible fallback.

When you encrypt something with a passphrase, the passphrase itself is too short and too predictable to use as an AES key directly. A key derivation function (KDF) takes the passphrase and stretches it — running thousands or millions of small operations to turn it into a 256-bit key, while making brute force expensive for an attacker.

PBKDF2 — the old reliable

PBKDF2 (Password-Based Key Derivation Function 2) was standardised in 2000 and is still everywhere — TLS, FileVault, OpenPGP, your phone's disk encryption. It iterates HMAC-SHA-256 a configurable number of times. More iterations means slower derivation, which means more cost for an attacker testing each guess.

PBKDF2 has one big weakness: it is cheap on specialised hardware. A GPU or an ASIC can run thousands of PBKDF2 iterations in parallel for the cost of running one on a CPU. So an attacker with a small GPU farm can grind through guesses orders of magnitude faster than the legitimate user can verify a single one.

Argon2id — the modern default

Argon2 won the 2015 Password Hashing Competition with a deliberate design choice: be memory-hard. Each iteration requires a large block of RAM, and parallel attackers cannot share memory across guesses. So a GPU with 4 GB of memory can run 4 attacks simultaneously instead of 4000 — the cost ratio shifts back toward the defender.

Argon2id is the recommended variant — it combines Argon2i (data-independent, resistant to side-channel attacks) and Argon2d (data-dependent, faster) for the best of both worlds. It is the default in libsodium, Bitwarden, 1Password, and the OpenPGP standard from 2024 onward.

When to use which

  • Use Argon2id for any new encryption. The library cost is small (~250 KB WASM) and the security gain is real.
  • Use PBKDF2 when you need maximum compatibility — older PGP clients, archival tools, embedded devices.
  • This app uses Argon2id for new symmetric encryptions and falls back to PBKDF2 when decrypting legacy ciphertexts (a "magic prefix" envelope identifies which one was used).

Practical numbers

On a modern laptop, Argon2id with default parameters (m=65536 KiB, t=3, p=1) takes about 200 ms. A high-end GPU running PBKDF2-SHA256 at 200,000 iterations gets about 50 million guesses per second. The same GPU running Argon2id with 64 MB memory cost gets about 100 guesses per second. That is a six-order-of-magnitude advantage for the defender.