David Handermann created NIFI-13494:
---------------------------------------
Summary: Remove Repository Encryption
Key: NIFI-13494
URL: https://issues.apache.org/jira/browse/NIFI-13494
Project: Apache NiFi
Issue Type: Improvement
Components: Core Framework
Reporter: David Handermann
Assignee: David Handermann
NiFi introduced initial support for provenance repository encryption in version
1.2.0 and expanded support to other repositories in versions 1.10.0 and
1.11.0. NiFi 1.15.0 introduced refactored support for repository encryption,
but retained the same fundamental implementation strategy.
The initial implementation supported AES with configurable key sizes, using
AES-CTR for the content repository and AES-GCM for the FlowFile and Provenance
repositories. Although the foundational algorithms provide good security, the
implementation itself has several fundamental issues, including use of Java
Object serialization for metadata storage, storing the encryption key on the
same file system, and the limitations around key reuse for AES.
The current implementation for Java Object serialization mitigates some
potential issues, but fundamental conflicts related to class names and
structures are inherent with Java Object serialization.
Storing the encryption key on the file system provides limited security and
raises questions about the overall threat model for repository encryption.
AES has size limitations for the security related to the number of encryption
operations for the same key. Although manual key rotation is an option in the
current setup, it is not required, presenting other security concerns.
Based on the current implementation issues, the repository encryption
components should be removed from the main branch. Consideration of a future
implementation should begin with key storage solutions, similar to the concerns
surrounding encryption of application properties.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
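As an added example (not NiFi code and not the implementation this issue describes), the following Python shows the two key-reuse concerns raised above in running form: a counter-mode cipher leaks the XOR of two plaintexts whenever a (key, nonce) pair repeats, and a per-key operation budget is what turns rotation from an option into a requirement. The keystream is SHA-256(key || nonce || counter), a stand-in for AES so the script needs only the standard library; the leakage property holds for any counter-mode construction, AES-CTR included. The default budget of 2^32 operations is the NIST SP 800-38D limit for AES-GCM with random 96-bit IVs. The key ids, the record layout and the in-memory key map are assumptions made for illustration.

```python
"""Added example, not NiFi code: why a counter-mode cipher needs a per-key
operation budget, and what enforcing one looks like.

Keystream = SHA-256(key || nonce || counter), a stand-in for AES so the
script runs on the standard library alone (assumption: the two-time-pad
property demonstrated below does not depend on which block cipher or PRF
produces the keystream).
"""
import hashlib
import secrets
from fractions import Fraction

# NIST SP 800-38D, Section 8.3: at most 2**32 invocations per key when
# AES-GCM uses random 96-bit IVs, keeping the IV-collision probability
# below 2**-32.
NIST_GCM_RANDOM_IV_LIMIT = 2 ** 32


def keystream_ctr(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: hash(key || nonce || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    ks = keystream_ctr(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def two_time_pad_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two plaintexts under the same (key, nonce) and return c1 XOR c2.

    The keystream cancels, so the result equals p1 XOR p2: an attacker holding
    both ciphertexts learns the XOR of the plaintexts without the key.
    """
    c1 = ctr_xor(key, nonce, p1)
    c2 = ctr_xor(key, nonce, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def nonce_collision_bound(invocations: int, nonce_bits: int = 96) -> float:
    """Birthday-bound estimate n^2 / 2^(b+1) that a random b-bit nonce repeats within n operations."""
    return float(Fraction(invocations * invocations, 2 ** (nonce_bits + 1)))


class KeyBudgetExceeded(RuntimeError):
    """Raised when a key has been used for its full operation budget."""


class BudgetedCtrCipher:
    """Counts operations per key and refuses to continue past the budget until rotate() is called.

    Retired keys stay in the key map so older records remain readable: every
    record carries the id of the key that wrote it. Keys here live only in
    memory (assumption for illustration); a real deployment needs a key store
    that is separate from the repository volume.
    """

    def __init__(self, key_id: str, key: bytes, limit: int = NIST_GCM_RANDOM_IV_LIMIT):
        self._keys = {key_id: key}
        self._active = key_id
        self._limit = limit
        self.operations = 0   # encryptions performed under the active key
        self.rotations = 0    # number of rotate() calls so far

    def encrypt(self, plaintext: bytes) -> tuple:
        """Return a record (key_id, nonce, ciphertext); refuse once the budget is spent."""
        if self.operations >= self._limit:
            raise KeyBudgetExceeded(
                f"key {self._active!r} reached {self._limit} operations; rotate before continuing")
        self.operations += 1
        nonce = secrets.token_bytes(12)  # random 96-bit nonce, as in the GCM random-IV construction
        return (self._active, nonce, ctr_xor(self._keys[self._active], nonce, plaintext))

    def decrypt(self, record: tuple) -> bytes:
        """Decrypt with whichever key version the record names, active or retired."""
        key_id, nonce, ciphertext = record
        return ctr_xor(self._keys[key_id], nonce, ciphertext)

    def rotate(self, new_key_id: str, new_key: bytes) -> None:
        """Install a fresh key and reset the budget; old keys are kept for reads only."""
        if new_key_id in self._keys:
            raise ValueError("key ids must be unique; reusing one would resume the old key")
        self._keys[new_key_id] = new_key
        self._active = new_key_id
        self.operations = 0
        self.rotations += 1


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    key, nonce = b"\x11" * 32, b"\x22" * 12
    p1, p2 = b"flowfile-attr=a", b"flowfile-attr=b"
    print("c1 ^ c2 == p1 ^ p2:", two_time_pad_leak(key, nonce, p1, p2) == bytes(a ^ b for a, b in zip(p1, p2)))
    print("collision bound at 2**32 random 96-bit nonces:", nonce_collision_bound(2 ** 32))
    cipher = BudgetedCtrCipher("k1", b"\x01" * 32, limit=2)
    first = cipher.encrypt(b"record one")
    cipher.encrypt(b"record two")
    try:
        cipher.encrypt(b"record three")
    except KeyBudgetExceeded as exc:
        print("budget enforced:", exc)
    cipher.rotate("k2", b"\x02" * 32)
    third = cipher.encrypt(b"record three")
    print("old record still readable after rotation:", cipher.decrypt(first) == b"record one")
    print("new record written under:", third[0])
```

The budget check is the part the issue says the current design leaves to the operator: with it in place an encryption path cannot silently run past the per-key limit, and because each record names its key version, rotation does not orphan data already written. That bookkeeping is only sound if the key map outlives the process and is protected separately from the repository files, which is why the issue points at key storage as the starting point for any future implementation.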