Mix entropy with hmac instead of xor

[alokmenghrajani]

Xor was simpler to implement but hmac would be cleaner.

[ivmaykov]

I'm probably being too pedantic here, but we should probably use a proper KDF rather than hmac. Some options would be: HKDF, PBKDF, or Argon2.

[alokmenghrajani]

Agree. It's probably overkill (even a simple hash of the two concatenated buffers should be fine). It's computationally cheap to use a KDF and buys some peace of mind.