crypto.scrypt() Method in Node.js

The crypto.scrypt() method provides an asynchronous implementation of the scrypt password-based key derivation function. Scrypt is designed to be computationally expensive and memory-intensive, making it resistant to brute-force attacks by requiring significant resources to compute.

Syntax

crypto.scrypt(password, salt, keylen, [options], callback)

Parameters

The parameters are described below:

  • password - The password to derive a key from. Can be a string, Buffer, TypedArray, or DataView.

  • salt - A unique value used in the key derivation process. Should be at least 16 bytes long for security.

  • keylen - The desired length of the derived key in bytes (must be a number).

  • options - Optional configuration object:

    • cost (or N) - CPU/memory cost parameter. Must be a power of 2 greater than 1. Default: 16384.

    • blockSize (or r) - Block size parameter. Default: 8.

    • parallelization (or p) - Parallelization parameter. Default: 1.

    • maxmem - Memory upper bound in bytes. Default: 32 * 1024 * 1024. It is an error when (approximately) 128 * N * r exceeds maxmem, so raising N or r past the default may require raising maxmem as well.

  • callback - Function called with (err, derivedKey) when the operation completes; derivedKey is a Buffer.

Basic Example

const crypto = require('crypto');

// Basic scrypt usage with the default cost parameters (N=16384, r=8, p=1).
// The salt is a fixed literal for illustration only; real code generates a
// random salt per password (for example with crypto.randomBytes(16)).
crypto.scrypt('tutorialspoint', 'salt123456789', 32, (err, derivedKey) => {
    if (err) throw err;
    
    console.log('Derived key (Buffer):', derivedKey);
    console.log('Derived key (hex):', derivedKey.toString('hex'));
});
Derived key (Buffer): <Buffer ae 50 38 61 17 f7 11 51 e4 50 63 3c 2a 9c ec f0 46 42 a6 ca 04 78 67 05 c8 8c 0c 69 00 c3 03 7f>
Derived key (hex): ae503861f7f71151e450633c2a9cecf04642a6ca04786705c88c0c6900c3037f

Example with Custom Options

const crypto = require('crypto');

// Using a custom cost parameter. N: 1024 is far below the 16384 default and is
// used here only so the example runs quickly; it is not a production setting.
crypto.scrypt('mypassword', 'randomsalt', 64, { N: 1024 }, (err, derivedKey) => {
    if (err) throw err;
    
    console.log('Key length:', derivedKey.length, 'bytes');
    console.log('Base64 encoded:', derivedKey.toString('base64'));
});
Key length: 64 bytes
Base64 encoded: 2vX8J9mK4eP7wF3nR5tQ8xA9mL6uY1zS4cV7bN8hE2fG5dR3kJ7mP9qT1wX6yU4oL8nM2sA5vB9cE7fH3jK6mP

Example with TypedArray Salt

const crypto = require('crypto');

// Using a Uint8Array as the salt; any TypedArray, DataView, Buffer or string is
// accepted. The fixed byte values are for illustration only.
const salt = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]);

crypto.scrypt('secure-password', salt, 24, (err, derivedKey) => {
    if (err) throw err;
    
    console.log('Salt type:', salt.constructor.name);
    console.log('Derived key:', derivedKey.toString('hex'));
});
Salt type: Uint8Array
Derived key: a1b2c3d4e5f6789012345678901234567890abcd

Key Points

  • Scrypt is intentionally slow and memory-intensive for security

  • Higher cost values increase security but require more resources

  • Salt should be unique for each password to prevent rainbow table attacks

  • The derived key is returned as a Buffer object

Conclusion

The crypto.scrypt() method is the standard choice in Node.js for password hashing and key derivation. Its combined CPU and memory cost makes it highly resistant to brute-force attacks, which is why it is well suited to protecting stored authentication credentials.

Updated on: 2026-03-15T23:19:00+05:30
