[ https://issues.apache.org/jira/browse/NIFI-8246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pierre Villard updated NIFI-8246:
---------------------------------
    Fix Version/s: 1.14.0
       Resolution: Fixed
           Status: Resolved  (was: Patch Available)

> Set Default Sensitive Properties Algorithm with Improved KDF and Encryption
> ---------------------------------------------------------------------------
>
>                 Key: NIFI-8246
>                 URL: https://issues.apache.org/jira/browse/NIFI-8246
>             Project: Apache NiFi
>          Issue Type: Sub-task
>          Components: Security
>    Affects Versions: 1.13.0
>            Reporter: David Handermann
>            Assignee: David Handermann
>            Priority: Major
>             Fix For: 1.14.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> The default Sensitive Properties Algorithm specified using 
> {{nifi.sensitive.properties.algorithm}} in {{nifi.properties}} has been 
> {{PBEWITHMD5AND256BITAES-CBC-OPENSSL}} since early release versions.  This 
> default value relies on the {{NiFiLegacyCipherProvider}}, which is 
> deprecated.  The {{NiFiLegacyCipherProvider}} uses the MD5 hash algorithm 
> with 1000 iterations and a random salt.  This algorithm configuration also 
> specifies AES with CBC, which does not provide Authenticated Encryption with 
> Associated Data.
> Recent NiFi versions support the Argon2 secure hashing algorithm and AES in 
> Galois/Counter Mode.  NIFI-7668 introduces support for additional secure 
> hashing algorithms along with support for AES-GCM.  One of the options that 
> incorporates an improved Key Derivation Function and AES-GCM should be set as 
> the default sensitive properties algorithm in order to provide greater 
> security for encryption of sensitive properties.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
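
The issue's point that AES with CBC does not provide authenticated encryption, while AES-GCM does, can be seen with the JDK alone. This is an added example, not code from the issue or from Apache NiFi: the class name, password, sample value and iteration count are constructed, and PBKDF2 from the JDK stands in for the key derivation functions the issue names.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;

public class CbcVsGcmIntegrity {
    public static void main(String[] args) throws Exception {
        SecureRandom random = new SecureRandom();
        byte[] salt = new byte[16];
        random.nextBytes(salt);
        // Constructed password and iteration count; PBKDF2 is a JDK stand-in, not NiFi's own provider.
        PBEKeySpec spec = new PBEKeySpec("constructed-properties-key".toCharArray(), salt, 160_000, 256);
        byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        byte[] plaintext = "constructed sensitive value".getBytes(StandardCharsets.UTF_8);

        byte[] cbcIv = new byte[16];
        random.nextBytes(cbcIv);
        System.out.println("CBC: " + roundTripTampered("AES/CBC/PKCS5Padding", key, new IvParameterSpec(cbcIv), plaintext));

        byte[] gcmIv = new byte[12];
        random.nextBytes(gcmIv);
        System.out.println("GCM: " + roundTripTampered("AES/GCM/NoPadding", key, new GCMParameterSpec(128, gcmIv), plaintext));
    }

    // Encrypts, simulates corruption of the stored value by flipping one bit, then decrypts.
    static String roundTripTampered(String transformation, SecretKeySpec key, AlgorithmParameterSpec params, byte[] plaintext) throws Exception {
        Cipher encryptor = Cipher.getInstance(transformation);
        encryptor.init(Cipher.ENCRYPT_MODE, key, params);
        byte[] ciphertext = encryptor.doFinal(plaintext);
        ciphertext[0] ^= 0x01;
        Cipher decryptor = Cipher.getInstance(transformation);
        decryptor.init(Cipher.DECRYPT_MODE, key, params);
        try {
            byte[] recovered = decryptor.doFinal(ciphertext);
            return "accepted without error, plaintext intact = " + Arrays.equals(recovered, plaintext);
        } catch (AEADBadTagException e) {
            return "rejected, authentication tag mismatch";
        }
    }
}
```

CBC decryption returns altered bytes with no error because nothing in the mode checks integrity, whereas GCM verifies its tag before releasing any plaintext.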
