Consider using Argon2 or scrypt instead of pbkdf2

[ph]

Followup on @dol comment on the keystore orignal PR

---

Consider replacing pbkdf2 with a never key derivation function like scrypt or even Argon2. Argon2 was very recently merged into golang.org/x/crypto/ .
Some resources about the topic:
https://www.linkedin.com/pulse/top-password-hashing-schemes-employ-today-chintan-jain-mba-cissp
https://download.libsodium.org/doc/password_hashing/
https://core.trac.wordpress.org/ticket/39499
https://gitlab.com/cryptsetup/cryptsetup/issues/119

[ph]

@joshbressers WDYT about this? the current Beats and Kibana implementations both uses pbkdf2 with the same iteration count.

[joshbressers]

They are technically better, yes. But there's nothing wrong with pbkdf2 the way we're using it today.

There is some work happening in the elasticsearch space around changing the keystore to support FIPS ciphers. I wouldn't commit to anything until we have a better understanding of what we want to support across the stack.

[ph]

@joshbressers Make sense, I will wait to make any changes then and do a major upgrade of the format when things stabilize.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[botelastic]

This issue doesn't have a Team:<team> label.