PBKDF2 salt must be at least PBKDF2 MIN SALT LENGTH IN BYTES bytes long – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 8.7-8.9

Briefly, this error occurs when the salt length used in the PBKDF2 (Password-Based Key Derivation Function 2) hashing algorithm is less than the minimum required length. The salt is a random value that’s used to prevent pre-computed rainbow table attacks. To resolve this issue, you should ensure that the salt length is at least the minimum required length. You can do this by generating a longer random value for the salt or by adjusting your code to meet the minimum salt length requirement.

This guide will help you check for common problems that cause the log ” PBKDF2 salt must be at least [” + PBKDF2_MIN_SALT_LENGTH_IN_BYTES + ” bytes] long ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin, long.

Log Context

Log “PBKDF2 salt must be at least [” + PBKDF2_MIN_SALT_LENGTH_IN_BYTES + ” bytes] long” class name is Hasher.java. We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 "PBKDF2 key length must be positive and multiple of [" + HMAC_SHA512_BLOCK_SIZE_IN_BITS + " bits]"
 final byte[] saltBytes = Base64.getDecoder().decode(CharArrays.toUtf8Bytes(saltChars));
 if (saltBytes.length < PBKDF2_MIN_SALT_LENGTH_IN_BYTES) {
 throw new ElasticsearchException("PBKDF2 salt must be at least [" + PBKDF2_MIN_SALT_LENGTH_IN_BYTES + " bytes] long");
 char[] computedPwdHash = null;
 try {
 SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBKDF2withHMACSHA512");
 PBEKeySpec keySpec = new PBEKeySpec(data.getChars(); saltBytes; iterations; keyLength);


How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?