Description
The default Sensitive Properties Algorithm, specified using nifi.sensitive.properties.algorithm in nifi.properties, has been PBEWITHMD5AND256BITAES-CBC-OPENSSL since early release versions. This default value relies on the NiFiLegacyCipherProvider, which is deprecated. The NiFiLegacyCipherProvider derives the encryption key from the sensitive properties key using the MD5 hash algorithm with 1000 iterations and a random salt, a cheap derivation that gives anyone holding a copy of nifi.properties a fast offline guessing rate against that key. The algorithm configuration also specifies AES in CBC mode, which does not provide Authenticated Encryption with Associated Data: an encrypted property value can be altered without the modification being detected on decryption.
Recent NiFi versions support Argon2, a memory-hard password hashing algorithm, and AES in Galois/Counter Mode (GCM), an authenticated encryption mode. NIFI-7668 introduces support for additional secure hashing algorithms along with support for AES-GCM. One of the options that combines an improved Key Derivation Function with AES-GCM should be set as the default sensitive properties algorithm, so that sensitive properties are protected by a stronger key derivation and by tamper-evident ciphertext.
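The following program is an added example, not NiFi code and not part of the NIFI-7668 change, that shows the two properties at stake: a derived AES key used first with unauthenticated CBC, where a one-bit change to the input decrypts "successfully" to altered plaintext, and then with GCM, where the same change is rejected. PBKDF2-HMAC-SHA512 from the JDK stands in for Argon2 (assumption: Argon2 is not in the standard library and would need a third-party provider); the class name, the sample sensitive properties key and the property value are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not NiFi code): the same derived key used with
 * unauthenticated AES-CBC and with AES-GCM, each fed a one-bit modification.
 * PBKDF2-HMAC-SHA512 is an assumed stand-in for Argon2, which needs a
 * third-party provider and is therefore not shown here.
 */
public class SensitivePropertyCipherDemo {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int GCM_TAG_BITS = 128;

    /** Derive a 256-bit AES key from the sensitive properties key (a password). */
    static byte[] deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    /** Unauthenticated AES-CBC, the mode the legacy default selects. */
    static byte[] cbc(int mode, byte[] key, byte[] iv, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(input);
    }

    /** AES-GCM: the tag covers nonce and ciphertext, so any bit flip fails decryption. */
    static byte[] gcm(int mode, byte[] key, byte[] nonce, byte[] input) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return cipher.doFinal(input);
    }

    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RANDOM.nextBytes(b);
        return b;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a sensitive properties key and one property value.
        char[] sensitivePropsKey = "correct horse battery staple".toCharArray();
        byte[] salt = randomBytes(16);
        byte[] key = deriveKey(sensitivePropsKey, salt, 600_000);
        byte[] plaintext = "jdbc.password=s3cret".getBytes(StandardCharsets.UTF_8);

        // 1. CBC: flip one bit of the IV. CBC decryption XORs the IV into the first
        //    plaintext block, so the flip lands in the plaintext; PKCS#5 padding sits
        //    in the last block and is untouched, so decryption raises no error.
        byte[] iv = randomBytes(16);
        byte[] cbcCiphertext = cbc(Cipher.ENCRYPT_MODE, key, iv, plaintext);
        byte[] tamperedIv = iv.clone();
        tamperedIv[0] ^= 0x20;                       // 'j' (0x6a) becomes 'J' (0x4a)
        byte[] cbcResult = cbc(Cipher.DECRYPT_MODE, key, tamperedIv, cbcCiphertext);
        System.out.println("CBC decrypted tampered input without error: "
                + new String(cbcResult, StandardCharsets.UTF_8)
                + " (equals original: " + Arrays.equals(cbcResult, plaintext) + ")");

        // 2. GCM: a one-bit change to any ciphertext byte (or to the nonce)
        //    invalidates the authentication tag and decryption throws.
        byte[] nonce = randomBytes(12);
        byte[] gcmCiphertext = gcm(Cipher.ENCRYPT_MODE, key, nonce, plaintext);
        byte[] tamperedCiphertext = gcmCiphertext.clone();
        tamperedCiphertext[0] ^= 0x20;
        try {
            gcm(Cipher.DECRYPT_MODE, key, nonce, tamperedCiphertext);
            System.out.println("GCM accepted tampered input (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM rejected tampered input: " + e.getMessage());
        }
    }
}
```

With the newer providers available, switching an installation is a one-line change in nifi.properties, for example `nifi.sensitive.properties.algorithm=NIFI_ARGON2_AES_GCM_256`, but values already encrypted under the legacy algorithm cannot be read by the new provider and must be re-encrypted with the encrypt-config toolkit before NiFi is restarted.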