Skip to content

scrypt: LuaJIT FFI-based scrypt library for nginx-module-lua


If you haven't set up RPM repository subscription, sign up. Then you can proceed with the following steps.

CentOS/RHEL 7 or Amazon Linux 2

yum -y install
yum -y install lua-resty-scrypt

CentOS/RHEL 8+, Fedora Linux, Amazon Linux 2023

yum -y install
yum -y install lua5.1-resty-scrypt

To use this Lua library with NGINX, ensure that nginx-module-lua is installed.

This document describes lua-resty-scrypt v1.0 released on Oct 09 2014.

lua-resty-scrypt is a scrypt (password) hashing library for OpenResty.

Hello World with lua-resty-scrypt

local scrypt = require "resty.scrypt"
local hash   = scrypt.crypt "My Secret"         -- returns a hash that can be stored in db
local valid  = scrypt.check("My Secret", hash)  -- valid holds true
local valid  = scrypt.check("My Guess",  hash)  -- valid holds false

local n,r,p  = scrypt.calibrate()               -- returns n,r,p calibration values


string scrypt.crypt(opts)

Uses scrypt algorithm to generate hash from the input. Input parameter opts can either be string (a secret) or a table. If it is a table you may pass in some configuration parameters as well. Available table options (defaults are as follows):

local opts = {
    secret   = "",
    keysize  = 32,
    n        = 32768
    r        = 8,
    p        = 1,
    salt     = "random (saltsize) bytes generated with OpenSSL",
    saltsize = 8

If you pass opts anything other than a table, it will be tostringified and used as a secret. keysize can be between 16 and 512, saltsize can be between 8 and 32.

This function returns string that looks like this:


All parts present a hex dump of their values.

local h1 = scrypt.crypt "My Secret"
local h2 = scrypt.crypt{
    secret  = "My Secret",
    keysize = 512 

boolean scrypt.check(secret, hash)

With this function you can check if the secret really matches with the hash that was generated with scrypt.crypt from the same secret. The hash contains also the configuration parameters like n, r, p and salt.

local b1 = scrypt.check("My Secret", scrypt.crypt "My Secret") -- returns true
local b2 = scrypt.check("My Secret", scrypt.crypt "No Secret") -- returns false

n, r, p scrypt.calibrate(maxmem, maxmemfrac, maxtime)

This function can be used to count n, r, and p configuration values from maxmem, maxmemfrac and maxtime parameters. These are the defaults for those:

maxmem     = 1048576
maxmemfrac = 0.5
maxtime    = 0.2

The results may change depending on your computer's processing power.

local n,r,p = scrypt.calibrate()
local hash  = scrypt.crypt{
    secret  = "My Secret",
    n = n,
    r = r,
    p = p

number scrypt.memoryuse(n, r, p)

Counts the memory use of scrypt-algorigth with the provided n, r, and p arguments.

local memoryuse = scrypt.memoryuse(scrypt.calibrate())

Default parameters for n, r, and p are:

n = 32768
r = 8
p = 1


You may find additional configuration tips and documentation for this module in the GitHub repository for nginx-module-scrypt.