Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-11022

Add Decrypt Processors Compatible with EncryptContent Encoding



    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.20.0
    • Extensions, Security
    • None


      The EncryptContent Processors supports a wide variety of configuration options, enabling both encryption and decryption using various algorithms. Many of these algorithms are not secure according to modern cryptographic analysis, and existing secure options use a custom encoding format. New Processors should be added that support decrypting content according to these legacy and custom formats, which will enable deprecating EncryptContent for removal and replacement with other approaches.

      The majority allowable values for the Encryption Method property in EncryptContent come from the PKCS #5 Password-Based Cryptography Specification, described in RFC 8018. These algorithm names start with PBE and incorporate a message digest function along with a cipher algorithm. Although these methods include AES, the key derivation process for all PBE algorithms follows the PBES1 specification from RFC 8018, which is not secure or suitable for modern applications. The ability to decrypt older content is useful, but new content should not be encrypted using these methods.

      The PBE algorithms can be configured together with either the NiFi Legacy or OpenSSL EVP BytesToKey option for key derivation. The NiFI Legacy option derives from the Jasypt library, which provides a standard wrapper for PBE algorithms that defaults to 1000 iterations of a selected digest algorithm. The OpenSSL EVP option supports compatibility with encryption operations implemented in the OpenSSL library and command.

      Advanced Key Derivation Functions include Argon2, bcrypt, PBKDF2, and scrypt, which can be used together with AES in Galois/Counter Mode (GCM) for authenticated encryption. These options provide much better security than the legacy PBE methods, but they rely on custom file encoding using byte delimiters that are specific to Apache NiFi. In addition, these Key Derivation Functions generate keys of 16 bytes, which supports AES with 128 bit keys, but not AES with 256 bit keys. NiFi 0.5.0 added bcrypt, PBKDF2, and scrypt, and NiFi 1.12.0 added Argon2. Decrypting content according to the custom NiFi encoding should be supported, but other options should be evaluated separately for encryption in new flows. The salt parameter bytes associated with Argon2, bcrypt, and scrypt allow for detection of file encoding, which can enable new decryption processors to be configured without reference to a specific Key Derivation Function.

      Adding new decryption processors will enable clear separation of encryption and decryption operations, providing a compatible transition path for historical usage of EncryptContent without the need to continue supporting insecure encryption methods.


        1. DecryptContent_Flow.json
          177 kB
          David Handermann

        Issue Links



              exceptionfactory David Handermann
              exceptionfactory David Handermann
              0 Vote for this issue
              2 Start watching this issue



                Time Tracking

                  Original Estimate - Not Specified
                  Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 2h 10m
                  2h 10m