[ https://issues.apache.org/jira/browse/NIFI-2961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15832662#comment-15832662 ]

ASF GitHub Bot commented on NIFI-2961:
--------------------------------------

Github user alopresto commented on the issue:

    https://github.com/apache/nifi/pull/1294
  
    I am currently making some commits to this PR (on a local branch which I will post later) to resolve some of the issues recently encountered:
    
    * Improper access scope of property fields
    * Unit tests incorrectly modified to reference raw `name` instead of `displayName` in validation error messages
    * `Public Keyring` property pointed at `Private Keyring`
    * Incorrectly reverted default KDF from `Bcrypt` to `Legacy KDF` (deprecated)
    
    As this touches sensitive code within the application (not only does it add a new processor which users will trust to encrypt sensitive attributes, but it also rewrites `EncryptContent` which is already widely-used in production systems), we need to be very careful that regression tests are passing, the cryptographic code is correct and safe, and we follow the principle of least surprise for users.


> Create EncryptAttribute processor
> ---------------------------------
>
>                 Key: NIFI-2961
>                 URL: https://issues.apache.org/jira/browse/NIFI-2961
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: 1.0.0
>            Reporter: Andy LoPresto
>              Labels: attributes, encryption, security
>
> Similar to {{EncryptContent}}, the {{EncryptAttribute}} processor would allow 
> individual (and multiple) flowfile attributes to be encrypted (either 
> in-place or to a new attribute key) with various encryption algorithms (AES, 
> RSA, PBE, and PGP). 
> Specific compatibility with the {{OpenSSL EVP_BytesToKey}}, {{PBKDF2}}, 
> {{scrypt}}, and {{bcrypt}} key derivation functions should be included. 
> The processor should provide the boolean option to encrypt or decrypt (only 
> one operation per instance of the processor). The processor should also allow 
> Base64 encoding (aka ASCII armor) for the encrypted attributes to prevent 
> byte escaping/data loss. 
> If [dangerous processor annotations|https://cwiki.apache.org/confluence/display/NIFI/Security+Feature+Roadmap]
> are introduced, this processor should be marked as such and the 
> corresponding attribute protection (i.e. provenance before/after, etc.) 
> should be applied. 
> Originally requested in this [Stack Overflow question|https://stackoverflow.com/questions/40294945/nifi-encrypt-json].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
