[ https://issues.apache.org/jira/browse/NIFI-8246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293047#comment-17293047 ]
David Handermann commented on NIFI-8246: ---------------------------------------- Sensitive Properties Algorithms with Secure Key Derivation Functions require a password with a minimum of 12 characters. Changes in NIFI-8230 for a longer random key are required prior to change the default algorithm. > Set Default Sensitive Properties Algorithm with Improved KDF and Encryption > --------------------------------------------------------------------------- > > Key: NIFI-8246 > URL: https://issues.apache.org/jira/browse/NIFI-8246 > Project: Apache NiFi > Issue Type: Sub-task > Components: Security > Affects Versions: 1.13.0 > Reporter: David Handermann > Assignee: David Handermann > Priority: Major > > The default Sensitive Properties Algorithm specified using > {{nifi.sensitive.properties.algorithm}} in {{nifi.properties}} has been > {{PBEWITHMD5AND256BITAES-CBC-OPENSSL}} since early release versions. This > default value relies on the {{NiFiLegacyCipherProvider}}, which is > deprecated. The {{NiFiLegacyCipherProvider}} uses the MD5 hash algorithm > with 1000 iterations and a random salt. This algorithm configuration also > specifies AES with CBC, which does not provide Authenticated Encryption with > Associated Data. > Recent NiFi versions support the Argon2 secure hashing algorithm and AES in > Galois/Counter Mode. NIFI-7668 introduces support for additional secure > hashing algorithms along with support for AES-GCM. One of the options that > incorporates an improved Key Derivation Function and AES-GCM should be set as > the default sensitive properties algorithm in order to provide greater > security for encryption of sensitive properties. -- This message was sent by Atlassian Jira (v8.3.4#803005)