Password Key Derivation
Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using SCrypt with the parameters:
- pw - the password bytes in UTF-8
- salt - the fixed salt value (NIFI_SCRYPT_SALT) bytes in UTF-8
- N - 2^16
- r - 8
- p - 1
- dkLen - determined by the JCE policies available
As of August 2016, these values are determined to be strong for this threat model but may change in future versions.
Note: While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
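The derivation described above, as an added Python sketch that is not NiFi's own code. It assumes the salt is the literal string NIFI_SCRYPT_SALT and that dkLen is 16 or 32 bytes (matching the 32 or 64 hex character raw keys); `derive_key` and the sample password are hypothetical.

```python
import hashlib

# Assumption: the fixed salt is the literal string named on the page, UTF-8 encoded.
STATIC_SALT = "NIFI_SCRYPT_SALT".encode("utf-8")
N, R, P = 2 ** 16, 8, 1          # cost parameters listed on the page
MIN_PASSWORD_LENGTH = 12         # minimum password length as of 1.0.0


def derive_key(password: str, dk_len: int = 32) -> str:
    """Derive a hex-encoded key from a password with the page's scrypt parameters.

    dk_len is 16 or 32 bytes (assumption: these correspond to the 32 and 64
    character hex keys, depending on the JCE policies available).
    """
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError("password must be at least 12 characters")
    if dk_len not in (16, 32):
        raise ValueError("dk_len must be 16 or 32 bytes")
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=STATIC_SALT,
        n=N,
        r=R,
        p=P,
        # scrypt needs about 128 * N * r bytes (64 MiB here), which exceeds
        # hashlib's default 32 MiB limit, so the limit is raised explicitly.
        maxmem=2 * 128 * N * R,
        dklen=dk_len,
    )
    return key.hex()


if __name__ == "__main__":
    sample = "constructed-sample-password"   # constructed value, not a real secret
    first = derive_key(sample)
    second = derive_key(sample)
    # With a static salt the same password always yields the same key, on any
    # host. That is what makes the derivation deterministic, and it is also
    # why the strength of the key rests on the password alone.
    print(len(first), first == second)
```

Because the salt is static, two installations configured with the same password end up with the same key, so the password should be unique per deployment and high entropy.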