diff --git a/lib/std/crypto/pbkdf2.zig b/lib/std/crypto/pbkdf2.zig
index 1ba176ab9b..85c8e01105 100644
--- a/lib/std/crypto/pbkdf2.zig
+++ b/lib/std/crypto/pbkdf2.zig
@@ -36,6 +36,14 @@ const maxInt = std.math.maxInt;
 
 // Based on Apple's CommonKeyDerivation, based originally on code by Damien Bergamini.
 
+pub const Pbkdf2Error = error{
+    /// At least one round is required
+    TooFewRounds,
+
+    /// Maximum length of the derived key is `maxInt(u32) * Prf.mac_length`
+    DerivedKeyTooLong,
+};
+
 /// Apply PBKDF2 to generate a key from a password.
 ///
 /// PBKDF2 is defined in RFC 2898, and is a recommendation of NIST SP 800-132.
@@ -54,7 +62,7 @@ const maxInt = std.math.maxInt;
 ///         the derivedKey. It is common to tune this parameter to achieve approximately 100ms.
 ///
 /// Prf: Pseudo-random function to use. A common choice is `std.crypto.auth.hmac.HmacSha256`.
-pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) !void {
+pub fn pbkdf2(derivedKey: []u8, password: []const u8, salt: []const u8, rounds: u32, comptime Prf: type) Pbkdf2Error!void {
     if (rounds < 1) return error.TooFewRounds;
 
     const dkLen = derivedKey.len;