
Support Custom HMAC Key for PBKDF2-HMAC-SHA512

Open zoefarrell opened this issue 1 month ago • 0 comments

Problem

FusionAuth supports salted-pbkdf2-hmac-sha512, but there’s no way to supply a custom HMAC key/pepper. Some organizations require full control over all secrets for compliance, migration parity, or internal security policies. Without this, FusionAuth can’t fully match certain existing hashing setups.

Solution

Add a configuration option to provide a custom HMAC key for PBKDF2-HMAC-SHA512 (tenant-level or global). If unset, current behavior remains unchanged.

Alternatives / Workarounds

  • Use a custom password hashing plugin, which works but adds maintenance and deployment overhead.
  • Switch to a different algorithm, which may break migration compatibility or policy requirements.

Community Guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to Vote

Give a thumbs up or thumbs down reaction to help prioritize this feature. Comments on use cases or expectations are welcome.

zoefarrell, Nov 19 '25 22:11
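
To illustrate the migration-parity gap the issue describes, here is an added example (not FusionAuth code and not from the issue author). It assumes one common pepper construction, HMAC-SHA512 of the password keyed by the pepper before PBKDF2; the issue does not specify the construction, and the function names, salt, pepper and iteration count are constructed for the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional

ITERATIONS = 10_000  # constructed demo value, not a recommendation
DKLEN = 64           # SHA-512 output size in bytes


def hash_password(password: str, salt: bytes,
                  pepper: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA512, optionally with a server-side pepper."""
    material = password.encode("utf-8")
    if pepper is not None:
        # ASSUMED construction: key an HMAC with the pepper and feed the
        # digest to PBKDF2. A legacy system may combine them differently.
        material = hmac.new(pepper, material, hashlib.sha512).digest()
    derived = hashlib.pbkdf2_hmac("sha512", material, salt, iterations, dklen=DKLEN)
    return base64.b64encode(derived).decode("ascii")


def verify_password(candidate: str, salt: bytes, stored: str,
                    pepper: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the hash and compare in constant time."""
    computed = hash_password(candidate, salt, pepper, iterations)
    return hmac.compare_digest(computed, stored)


def migration_demo() -> dict:
    """A hash imported from a peppered legacy store, checked three ways."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    pepper = b"constructed-demo-pepper"                       # constructed
    legacy_hash = hash_password("correct horse", salt, pepper)
    return {
        # Verifier that knows the pepper accepts the right password.
        "with_pepper": verify_password("correct horse", salt, legacy_hash, pepper),
        # Plain salted PBKDF2 (no pepper option) rejects the same password.
        "without_pepper": verify_password("correct horse", salt, legacy_hash),
        # Wrong password is rejected even with the pepper.
        "wrong_password": verify_password("wrong", salt, legacy_hash, pepper),
    }


if __name__ == "__main__":
    print(migration_demo())
```

The `without_pepper` result is the case the issue is about: imported hashes that were computed with a secret key cannot be verified by a stock salted PBKDF2 implementation, even when salt, iteration count and password are all correct.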