Salt and IV Encoding
Initially, the EncryptContent
processor had a single method of deriving
the encryption key from a user-provided password. This is now referred to as
NiFiLegacy
mode, effectively MD5 digest, 1000
iterations
. In v0.4.0, another method of deriving the key, OpenSSL
PKCS#5 v1.5 EVP_BytesToKey
was added for compatibility with content encrypted
outside of NiFi using the openssl
command-line tool. Both of these key
derivation functions
(KDF) had hard-coded digest functions and iteration counts, and the salt format was also
hard-coded. With v0.5.0, additional KDFs are introduced with variable iteration counts,
work factors, and salt formats. In addition, raw keyed encryption was also
introduced. This required the capacity to encode arbitrary salts and Initialization Vectors
(IV) into the cipher stream in order to be recovered by NiFi or a follow-on system to
decrypt these messages.
For the existing KDFs, the salt format has not changed.