  1. Apache NiFi
  2. NIFI-7638

Add PBE AEAD sensitive flow property protection scheme


    Details

      Description

      A user requested a change from AES-CBC to AES-GCM for the nifi.sensitive.props.algorithm in nifi.properties. The current possible values are all EncryptionMethod enum values, which include raw (directly-keyed vs. PBE) AES-GCM, but this would require a valid hexadecimal-encoded AES key in the nifi.sensitive.props.key value. One or more new EncryptionMethod entries which combine reasonable default values for a KDF (Argon2, bcrypt, scrypt, PBKDF2) and AEAD mode of operation (AES-GCM) would allow for simpler configuration and migration. The other option is to enhance the EncryptionMethod enum values with custom values in the NiFiProperties or StringEncryptor class which provide an additional level of security without modifying the EncryptionMethod enum directly, as the EncryptContent processor already allows independent configuration of a KDF and cipher algorithm (see NIFI-7122 / PR 4228).

              People

              • Assignee:
                alopresto Andy LoPresto
                Reporter:
                alopresto Andy LoPresto

                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 1h 50m