Password Key Derivation
Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using SCrypt with the parameters:
- pw - the password bytes in UTF-8
- salt - the fixed salt value (NIFI_SCRYPT_SALT) bytes in UTF-8
- N - 2^16
- r - 8
- p - 1
- dkLen - determined by the JCE policies available
As of August 2016, these values are determined to be strong for this threat model but may change in future versions.
While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
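The derivation described above, sketched in Python as an added example (not NiFi's own code). Assumptions: the salt is the literal string NIFI_SCRYPT_SALT, dkLen is 16 or 32 bytes to match the 32 or 64 character hex keys mentioned above, and `derive_key_hex` is a hypothetical helper name.

```python
import hashlib

# Parameters as listed above.
SCRYPT_N = 2 ** 16
SCRYPT_R = 8
SCRYPT_P = 1
MIN_PASSWORD_LENGTH = 12
# Assumption: the salt is the literal name given above, as UTF-8 bytes.
FIXED_SALT = "NIFI_SCRYPT_SALT".encode("utf-8")


def derive_key_hex(password: str, key_bits: int = 256) -> str:
    """Derive a hex key from a password with the fixed salt (hypothetical helper)."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password must be at least 12 characters")
    # Assumption: dkLen is 16 or 32 bytes, matching 32 or 64 hex characters.
    if key_bits not in (128, 256):
        raise ValueError("key_bits must be 128 or 256")
    # scrypt needs about 128 * N * r bytes (64 MiB here), which exceeds
    # hashlib's default 32 MiB limit, so maxmem is raised explicitly.
    maxmem = 2 * 128 * SCRYPT_N * SCRYPT_R
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=FIXED_SALT,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        maxmem=maxmem,
        dklen=key_bits // 8,
    )
    return key.hex()


if __name__ == "__main__":
    pw = "constructed-sample-passphrase"  # constructed sample input
    first = derive_key_hex(pw)
    second = derive_key_hex(pw)
    # Fixed salt: the same password always yields the same key, so only
    # the password has to be supplied again to recover the key.
    print("deterministic:", first == second, "hex chars:", len(first))
    print("128-bit key hex chars:", len(derive_key_hex(pw, 128)))
```

Because the salt is shared by every installation, two deployments that choose the same password derive the same key, so the minimum length and the scrypt cost parameters carry the whole defence against guessing.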