How to unlock Hive securedBox on Flutter using a master password

I want my user to unlock an encrypted database only if he inputs the correct master password. I’m using Hive to encrypt my database with AES. I also want this to work on all plattforms, so i can’t use flutter_secure_storage as recommended in the documentation. So I thought of 2 options for solving this problem, but I’m not really satisfied with either of them.

kdf = key derivation function

uipw = user input password

cpw = correct password

key = key to unlock Hive database

  1. Store kdf(cpw) in unencrypted database. Then check kdf(uipw) = kdf(cpw) on user input. If correct, use key = kdf(cpw). The problem here is, that an attacker could just use kdf(cpw) to unlock the database. I could f.e. use a different kdf for unlocking the database, but I feel like there has to be a “smarter” solution.
  2. Try to unlock Hive with key = kdf(uipw) directly. If the uipw is wrong, Hive throws “HiveError: Wrong checksum in hive file. Box may be corrupted.”. I could try and catch that using runZonedGuarded(() {…}(Object error, StackTrace stack) { }). However, it is unclear if that will always happen, because Hive doesn’t expicitly state it in the documentation (although it would make sense). It just refers to “possible unexpected behavoir”, if the key is wrong. Even more, it goes against the paradigma of errors not supposed to be caught, which if have a bad gut feeling about.

Here is some sample code, so you get an understanding of how my approaches are supposed to work:

Future<void> option1() async {
  await Hive.deleteBoxFromDisk('login');
  await Hive.deleteBoxFromDisk('database');

  //user creates master pw for login
  final cpw = "1234";
  Box box = await Hive.openBox('login');
  box.put('CorrectPWHashed', _kdf(cpw));
  await box.close();

  //user trys to login
  final uipw = "1235";
  box = await Hive.openBox('login');
  bool pwCorrect = _kdf(uipw) == await box.get('CorrectPWDerived');
  if(pwCorrect)
    //maybe different kdf here?
    Hive.openBox('database',encryptionCipher: HiveAesCipher(_kdf(uipw)));

}

Future<void> option2() async {
  await Hive.deleteBoxFromDisk('database');

  //user creates master pw for login
  final cpw = "1234";
  Uint8List keyCPW = _kdf(cpw);
  Box box = await Hive.openBox('database', encryptionCipher: HiveAesCipher(keyCPW), crashRecovery: false);
  await box.close();

  //user trys to login
  runZonedGuarded(() async {
    final uipw = "1235";
    final keyUIPW = _kdf(uipw);
    box = await Hive.openBox('database', encryptionCipher: HiveAesCipher(keyUIPW), crashRecovery: false);
    await box.close();
  }, (Object error, StackTrace stack) {
    print("handling error here...");
  });
}

//very simple kdf for demonstration purpose!
Uint8List _kdf(String pw) {
final digest = SHA256Digest();
final result = digest.process(Uint8List.fromList(utf8.encode(pw)));
return result;
}

Any solutions to approach the is problem are very much welcome!