[
https://issues.apache.org/jira/browse/NIFI-8246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293047#comment-17293047
]
David Handermann commented on NIFI-8246:
----------------------------------------
Sensitive Properties Algorithms with Secure Key Derivation Functions require a
password with a minimum of 12 characters. Changes in NIFI-8230 for a longer
random key are required prior to change the default algorithm.
> Set Default Sensitive Properties Algorithm with Improved KDF and Encryption
> ---------------------------------------------------------------------------
>
> Key: NIFI-8246
> URL: https://issues.apache.org/jira/browse/NIFI-8246
> Project: Apache NiFi
> Issue Type: Sub-task
> Components: Security
> Affects Versions: 1.13.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
>
> The default Sensitive Properties Algorithm specified using
> {{nifi.sensitive.properties.algorithm}} in {{nifi.properties}} has been
> {{PBEWITHMD5AND256BITAES-CBC-OPENSSL}} since early release versions. This
> default value relies on the {{NiFiLegacyCipherProvider}}, which is
> deprecated. The {{NiFiLegacyCipherProvider}} uses the MD5 hash algorithm
> with 1000 iterations and a random salt. This algorithm configuration also
> specifies AES with CBC, which does not provide Authenticated Encryption with
> Associated Data.
> Recent NiFi versions support the Argon2 secure hashing algorithm and AES in
> Galois/Counter Mode. NIFI-7668 introduces support for additional secure
> hashing algorithms along with support for AES-GCM. One of the options that
> incorporates an improved Key Derivation Function and AES-GCM should be set as
> the default sensitive properties algorithm in order to provide greater
> security for encryption of sensitive properties.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
