Feature: Configurable default KDF type for new user registrations #43

New Issue

MrUnknownDE · 2026-04-05T20:29:03+02:00

MrUnknownDE commented

2026-04-05 20:29:03 +02:00

Originally created by @dnplkndll on 3/21/2026

Summary

Allow server administrators to configure the default KDF type (PBKDF2 or Argon2id) for new user registrations via environment variables, rather than having PBKDF2 hardcoded as the only default.

Motivation

The default KDF for new user registrations is hardcoded in src/db/models/user.rs:

pub const CLIENT_KDF_TYPE_DEFAULT: i32 = UserKdfType::Pbkdf2 as i32;
pub const CLIENT_KDF_ITER_DEFAULT: i32 = 600_000;

Argon2id is widely considered superior to PBKDF2 for password hashing because it is memory-hard, making it significantly more resistant to GPU-based brute-force attacks. Vaultwarden already fully supports Argon2id — users can switch to it in their account settings — but the server default remains PBKDF2.

For self-hosted instances (especially family or small-team deployments), most users will never change their KDF settings. Allowing the server admin to set Argon2id as the default ensures all new accounts start with the stronger KDF without requiring each user to manually change it.

Proposed Solution

Add four environment variables:

Variable	Type	Default	Description
`CLIENT_KDF_TYPE`	`i32`	`0`	Default KDF: 0 = PBKDF2, 1 = Argon2id
`CLIENT_KDF_ITERATIONS`	`i32`	`600000`	Iterations (auto-adjusts to 3 for Argon2id)
`CLIENT_KDF_MEMORY`	`i32`	`64`	Argon2id memory in MB (15-1024)
`CLIENT_KDF_PARALLELISM`	`i32`	`4`	Argon2id parallelism (1-16)

Backwards compatible: Default values produce identical behavior to the current hardcoded constants. Existing users are not affected.

Example usage

CLIENT_KDF_TYPE=1
# Optional — sensible defaults are applied automatically:
# CLIENT_KDF_ITERATIONS=3
# CLIENT_KDF_MEMORY=64
# CLIENT_KDF_PARALLELISM=4

Files changed (~81 lines across 4 files)

src/config.rs — Config entries with validation
src/db/models/user.rs — Replace hardcoded constants with config-backed functions
src/api/core/accounts.rs — Use config for prelogin defaults (unknown email case)
.env.template — Document new variables

Implementation

I have a working, tested implementation and am happy to submit a PR if this is of interest.

*Originally created by @dnplkndll on 3/21/2026* ## Summary Allow server administrators to configure the default KDF type (PBKDF2 or Argon2id) for new user registrations via environment variables, rather than having PBKDF2 hardcoded as the only default. ## Motivation The default KDF for new user registrations is hardcoded in `src/db/models/user.rs`: ```rust pub const CLIENT_KDF_TYPE_DEFAULT: i32 = UserKdfType::Pbkdf2 as i32; pub const CLIENT_KDF_ITER_DEFAULT: i32 = 600_000; ``` Argon2id is widely considered superior to PBKDF2 for password hashing because it is memory-hard, making it significantly more resistant to GPU-based brute-force attacks. Vaultwarden already fully supports Argon2id — users can switch to it in their account settings — but the server default remains PBKDF2. For self-hosted instances (especially family or small-team deployments), most users will never change their KDF settings. Allowing the server admin to set Argon2id as the default ensures all new accounts start with the stronger KDF without requiring each user to manually change it. ## Proposed Solution Add four environment variables: | Variable | Type | Default | Description | |----------|------|---------|-------------| | `CLIENT_KDF_TYPE` | `i32` | `0` | Default KDF: 0 = PBKDF2, 1 = Argon2id | | `CLIENT_KDF_ITERATIONS` | `i32` | `600000` | Iterations (auto-adjusts to 3 for Argon2id) | | `CLIENT_KDF_MEMORY` | `i32` | `64` | Argon2id memory in MB (15-1024) | | `CLIENT_KDF_PARALLELISM` | `i32` | `4` | Argon2id parallelism (1-16) | **Backwards compatible**: Default values produce identical behavior to the current hardcoded constants. Existing users are not affected. ### Example usage ```env CLIENT_KDF_TYPE=1 # Optional — sensible defaults are applied automatically: # CLIENT_KDF_ITERATIONS=3 # CLIENT_KDF_MEMORY=64 # CLIENT_KDF_PARALLELISM=4 ``` ### Files changed (~81 lines across 4 files) - `src/config.rs` — Config entries with validation - `src/db/models/user.rs` — Replace hardcoded constants with config-backed functions - `src/api/core/accounts.rs` — Use config for prelogin defaults (unknown email case) - `.env.template` — Document new variables ## Implementation I have a working, tested implementation and am happy to submit a PR if this is of interest.

MrUnknownDE closed this issue

2026-04-05 20:29:03 +02:00

Sign in to join this conversation.

No Label

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#43