Why is sha512 output different?


If I use sha512 to hash a string:

user@~/$ terraform console
> sha512("hello world")

the output is in a different format versus other tools such as mkpasswd:

user@~/$ mkpasswd --method=sha512crypt "hello world"

and python crypt.crypt:

user@~/$ python -c 'import crypt,getpass;print(crypt.crypt("hello world"))'

Is there any way to create these other tools’ format using Terraform? Sorry if this is a newb cryptography question!

Many thanks.

The format from Terraform is pure 512 bit SHA-2. You will get the same output from the sha512sum command:

$ echo -n 'hello world' | sha512sum
309ecc489c12d6eb4cc40f50c902f2b4d0ed77ee511a7c7a9bcd3ca86d4cd86f989dd35bc5ff499670da34255b45b0cfd830e81f605dcf7dc5542e93ae9cd76f  -

The other format you show above is not just SHA-2 512, but is a salted variant called sha512crypt. Quoting from the crypt(5) Linux man page:

A hash based on SHA-2 with 512-bit output, originally developed by Ulrich Drepper for GNU libc. Supported on Linux but not common elsewhere. Acceptable for new hashes. The default CPU time cost parameter is 5000, which is too low for modern hardware.

I guess sha512crypt support in Terraform is a feature request then. “Supported on Linux” means common these days :slight_smile: