Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Description
NiFi 1.14.0 included new Sensitive Properties Algorithms supporting the following key derivation functions:
- bcrypt
- scrypt
- PBKDF2
NiFi 1.14.0 also changed the default Sensitive Properties Algorithm to NIFI_PBKDF2_AES_GCM_256 to provide better security than the previous default setting.
Algorithm selection can be challenging, making sensible defaults an important part of the standard configuration. Supporting a variety of algorithms introduces unnecessary complexity and maintenance burden.
Argon2 incorporates both processing and memory cost factors, making it the preferred option for many deployments. PBKDF2 supports a processing iteration cost factor and is approved for use on systems requiring compliance with FIPS 140 standards. The bcrypt algorithm provides strong security using a configurable work factor, but does not have the memory hardness properties of Argon2. The scrypt algorithm supports both processing and memory cost parameters, similar to Argon2.
Based on these algorithm properties, the available options for the NiFi Sensitive Properties Algorithm should be reduced to Argon2 and PBKDF2 with AES-GCM and 256-bit keys.
- NIFI_ARGON2_AES_GCM_256
- NIFI_PBKDF2_AES_GCM_256
The NIFI_ARGON2_AES_GCM_256 option has been available since NiFi 1.12.0. There is little value in supporting non-default 128-bit key variants of AES-GCM for the purpose of encrypting sensitive property values. Deprecating the non-default bcrypt and scrypt variants for removal in NiFi 2.0 will also provide a clearer set of recommendations.
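The scheme named by NIFI_PBKDF2_AES_GCM_256, written out as an added example that is not NiFi's own code: a password (the value of nifi.sensitive.props.key) is stretched by a key derivation function into a 256-bit key, and that key seals each sensitive property value with AES-GCM. PBKDF2 is shown rather than Argon2 only because it can be implemented entirely with the Go standard library; the salt and nonce sizes, the iteration count, the choice of HMAC-SHA512 as the PRF and the salt || nonce || ciphertext output layout are assumptions chosen for this illustration, not NiFi's actual parameters or encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"fmt"
)

// Illustrative parameters (assumptions for this example, not NiFi's values).
// keyLen of 32 bytes is the 256-bit key the issue argues should be the only option.
const (
	saltLen       = 16
	nonceLen      = 12
	keyLen        = 32
	kdfIterations = 160000 // tune to the deployment's hardware
)

// pbkdf2SHA512 is PBKDF2 (RFC 8018) with HMAC-SHA512 as the PRF, written out
// over the standard library so each derivation step is visible.
func pbkdf2SHA512(password, salt []byte, iterations, dkLen int) []byte {
	prf := hmac.New(sha512.New, password)
	hLen := prf.Size()
	blocks := (dkLen + hLen - 1) / hLen
	dk := make([]byte, 0, blocks*hLen)
	ctr := make([]byte, 4)
	for i := 1; i <= blocks; i++ {
		// U_1 = PRF(password, salt || INT(i)) with a big-endian 32-bit block index
		binary.BigEndian.PutUint32(ctr, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_j = PRF(password, U_{j-1}); T_i = U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iterations; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// newGCM derives the AES-256 key for one salt and returns an AEAD over it.
// Swapping the KDF (e.g. for Argon2) changes only this function.
func newGCM(password, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA512(password, salt, kdfIterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptProperty protects one sensitive property value. A fresh salt and
// nonce per value means equal plaintexts never produce equal ciphertexts.
func encryptProperty(password, plaintext []byte) ([]byte, error) {
	out := make([]byte, saltLen+nonceLen, saltLen+nonceLen+len(plaintext)+16)
	if _, err := rand.Read(out); err != nil { // fills salt and nonce
		return nil, err
	}
	gcm, err := newGCM(password, out[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(out, out[saltLen:saltLen+nonceLen], plaintext, nil), nil
}

// decryptProperty reverses encryptProperty. A wrong password derives a
// different key, so GCM tag verification fails and no plaintext is returned;
// the same happens if any byte of the stored value was tampered with.
func decryptProperty(password, encrypted []byte) ([]byte, error) {
	if len(encrypted) < saltLen+nonceLen+16 {
		return nil, fmt.Errorf("encrypted value too short: %d bytes", len(encrypted))
	}
	gcm, err := newGCM(password, encrypted[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, encrypted[saltLen:saltLen+nonceLen], encrypted[saltLen+nonceLen:], nil)
}

func main() {
	password := []byte("example-sensitive-props-key") // constructed sample input
	enc, err := encryptProperty(password, []byte("db-password-123"))
	if err != nil {
		panic(err)
	}
	dec, err := decryptProperty(password, enc)
	fmt.Printf("round trip: %q err=%v\n", dec, err)
	_, err = decryptProperty([]byte("wrong"), enc)
	fmt.Println("wrong password:", err)
}
```

Running main shows the round trip succeeding and the wrong-password attempt failing at tag verification rather than returning garbage. The structure also makes the issue's point concrete: the AES-GCM half is identical for every NIFI_*_AES_GCM_256 option, so the algorithm list only ever varied the key derivation step, and the 128-bit variants differed solely in the keyLen passed to the KDF.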
Issue Links
- relates to NIFI-11488 Remove Deprecated Sensitive Properties Algorithms (Resolved)