[
https://issues.apache.org/jira/browse/NIFI-14066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17903659#comment-17903659
]
David Handermann commented on NIFI-14066:
-----------------------------------------
[~mattyb149] Are you planning on implementing new encryption record path
functions? If so, it would be helpful to outline the general implementation
approach.

Earlier versions of NiFi included a good deal of custom encryption and
decryption code for the EncryptContent Processor, most of which is now removed.
We should avoid introducing some new custom encryption format that is only
compatible with NiFi itself, so building on an existing standard would be an
important part of the implementation. Furthermore, historical algorithm
selection had too many insecure configuration options, so we should avoid
anything that supports legacy algorithms or problems that can accompany
algorithm negotiation.

Lastly for the moment, the issue description does not define the intended scope
of protection for encrypted record paths. If the goal is to encrypt fields for
eventual decryption in an external system, that highlights the importance of
building against an interoperable standard. Message-based encryption options
include OpenPGP and age-encryption.org, although these are probably not optimal
for field-level encryption. Parquet has the concept of field-level encryption,
so that might be worth considering as an open and interoperable standard.

Glad to discuss the details further, but hopefully that provides some useful
background.

> Create Encrypt/Decrypt RecordPath functions
> -------------------------------------------
>
> Key: NIFI-14066
> URL: https://issues.apache.org/jira/browse/NIFI-14066
> Project: Apache NiFi
> Issue Type: New Feature
> Components: Extensions
> Affects Versions: 1.3.0
> Reporter: Andy LoPresto
> Assignee: Matt Burgess
> Priority: Major
> Labels: encryption, records, security
> Time Spent: 20m
> Remaining Estimate: 0h
>
> From a user:
> {quote}
> As a dataflow manager, I would love to use a processor such as UpdateRecord
> to encrypt/decrypt fields in my record objects. I could provide the key
> (preferably via sensitive context parameter) and the algorithm.
> {quote}