Posted to issues@nifi.apache.org by "Andy LoPresto (Jira)" <ji...@apache.org> on 2020/07/14 23:42:00 UTC

[jira] [Created] (NIFI-7638) Add PBE AEAD sensitive flow property protection scheme

Andy LoPresto created NIFI-7638:
-----------------------------------

             Summary: Add PBE AEAD sensitive flow property protection scheme
                 Key: NIFI-7638
                 URL: https://issues.apache.org/jira/browse/NIFI-7638
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Configuration Management, Core Framework
    Affects Versions: 1.11.4
            Reporter: Andy LoPresto
            Assignee: Andy LoPresto


A user requested a change from AES-CBC to AES-GCM for the {{nifi.sensitive.props.algorithm}} in {{nifi.properties}}. The current possible values are all {{EncryptionMethod}} enum values, which include raw (directly-keyed vs. PBE) AES-GCM, but this would require a valid hexadecimal-encoded AES key in the {{nifi.sensitive.props.key}} value. One or more new {{EncryptionMethod}} entries which combine reasonable default values for a KDF (Argon2, bcrypt, scrypt, PBKDF2) and AEAD mode of operation (AES-GCM) would allow for simpler configuration and migration. The other option is to enhance the {{EncryptionMethod}} enum values with custom values in the {{NiFiProperties}} or {{StringEncryptor}} class which provide an additional level of security without modifying the {{EncryptionMethod}} enum directly, as the {{EncryptContent}} processor already allows independent configuration of a KDF and cipher algorithm (see NIFI-7122 / [PR 4228|https://github.com/apache/nifi/pull/4228]).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)