Derive a cryptographic key from a password using PBKDF2 (RFC 8018). Returns the hex-encoded derived key along with all parameters used, so you can store or verify them later. Supports sha1, sha256, sha384, sha512 digests.