This is a JVM binding for Argon2.

"Being a binding" means that it uses JNA to call a native C library. The advantage of this approach is that this uses the original implementation of the Argon2 authors and possibly a performance advantage. The drawback is that the native library must either be available on your system or must be included in argon2-jvm.

If you are using an OS or an architecture which is not that common (e.g. argon2-jvm has no support for BSD), this library will not work for you, if your system has no native installation of the Argon2 library.

Spring Security Crypto has a Argon2PasswordEncoder which doesn't have any dependencies on native C libraries, as it uses Bouncy Castle which implements the Argon2 algorithm in pure Java. And don't let the name "Spring Security Crypto" scare you, it has no dependency on Spring or Spring Security. If you don't need (for whatever reason) the native Argon2 library, I would suggest that you look at the Argon2PasswordEncoder from Spring Security Crypto.

I have prepared a small showcase project which demonstrates the use of Argon2 with Spring Security Crypto.

Without pre-compiled Argon2 libraries (recommended, install argon2 via your package manager):

<dependency>
    <groupId>de.mkammerer</groupId>
    <artifactId>argon2-jvm-nolibs</artifactId>
    <version>2.11</version>
</dependency>

With pre-compiled Argon2 libraries:

<dependency>
    <groupId>de.mkammerer</groupId>
    <artifactId>argon2-jvm</artifactId>
    <version>2.11</version>
</dependency>

Without pre-compiled Argon2 libraries (recommended, install argon2 via your package manager):

implementation 'de.mkammerer:argon2-jvm-nolibs:2.11'

With pre-compiled Argon2 libraries:

implementation 'de.mkammerer:argon2-jvm:2.11'

This binding needs a compiled Argon2 library. It is recommended to install argon2 via your package manager. If you can't do that, use argon2-jvm with the included argon2 binary libraries or compile argon2 yourself. The following operating systems and architectures are supported in argon2-jvm:

• Linux x86
• Linux x86-64
• Linux ARM
• Linux ARM-64
• Windows x86
• Windows x86-64
• Darwin (OSX)
• Darwin (OSX) M1

See tested distributions for details on which distributions this has been tested.

import de.mkammerer.argon2.Argon2;
import de.mkammerer.argon2.Argon2Factory;

// Create instance
Argon2 argon2 = Argon2Factory.create();

// Read password from user
char[] password = readPasswordFromUser();

try {
    // Hash password
    String hash = argon2.hash(10, 65536, 1, password);

    // Verify password
    if (argon2.verify(hash, password)) {
        // Hash matches password
    } else {
        // Hash doesn't match password
    }
} finally {
    // Wipe confidential data
    argon2.wipeArray(password);
}

The recommended parameters for the hash call above can be found in the whitepaper, section 9.

You can use the method Argon2Helper.findIterations to find the optimal number of iterations on your system:

Argon2 argon2 = Argon2Factory.create();
// 1000 = The hash call must take at most 1000 ms
// 65536 = Memory cost
// 1 = parallelism
int iterations = Argon2Helper.findIterations(argon2, 1000, 65536, 1);

System.out.println("Optimal number of iterations: " + iterations);

If you prefer to install/compile argon2 on your own you should argon2-jvm-nolibs instead of argon2-jvm and compile argon2 yourself. It's not that hard :)

If you need help to build argon2, have a look at this documentation.

This library uses JNA to communicate with the Argon2 C library.

Run ./gradlew clean build to build and test the software.

Licensed under LGPL v3.

Moritz Kammerer (@phXql)

See contributing guidelines.

See contributors page.