You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2023/09/10 01:28:00 UTC
[jira] [Created] (NIFI-12033) Add Processors Supporting age-encryption.org
David Handermann created NIFI-12033:
---------------------------------------
Summary: Add Processors Supporting age-encryption.org
Key: NIFI-12033
URL: https://issues.apache.org/jira/browse/NIFI-12033
Project: Apache NiFi
Issue Type: Improvement
Components: Extensions, Security
Reporter: David Handermann
Assignee: David Handermann
Fix For: 1.latest, 2.latest
The [age-encryption.org/v1|https://age-encryption.org/v1] specification provides a modern alternative to protocols such as OpenPGP for encrypting and decrypting files. The age specification uses [ChaCha20-Poly1305|https://en.wikipedia.org/wiki/ChaCha20-Poly1305] for authenticated encryption of file payloads, and supports asymmetric key pairs using the [Curve25519|https://en.wikipedia.org/wiki/Curve25519] algorithm with Diffie-Hellman key exchange, known as X25519. The age X25519 recipient type represents public and private keys using a human-readable encoding named [Bech32|https://en.bitcoin.it/wiki/Bech32]. The age command is available on all modern operating systems. These security and usability properties make it a better solution for file encryption use cases than current custom processing strategies in Processors such as EncryptContent.
The [Jagged|https://github.com/exceptionfactory/jagged] project provides an implementation of the age encryption specification for Java. New EncryptContentAge and DecryptContentAge Processors should be implemented that support the X25519 recipient type, with options for property-based or file-based keys. The age standard supports ASCII armored encoding, which is helpful for some use cases that cannot handle raw binary. The default file encoding setting should be binary for optimal size and performance characteristics.
Java 11 and 17 support ChaCha20-Poly1305 and X25519, but Java 8 requires another Security Provider, such as Bouncy Castle. Cryptographic algorithm support can be checked at runtime to support transparent fallback to Bouncy Castle. These new Processors should be functional on both the support branch and main branch to provide a migration path from other solutions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)