Allow Insecure Cryptographic Modes
By default, the Allow Insecure Cryptographic Modes
property in EncryptContent
processor settings is set to not-allowed
. This means that if a password of fewer than 10
characters is provided, a validation error will occur. 10 characters is a conservative estimate and does not take into consideration full entropy calculations, patterns, etc.
On a JVM with limited strength cryptography, some PBE algorithms limit the maximum password length to 7, and in this case it will not be possible to provide a "safe" password. It is recommended to install the JCE Unlimited Strength Jurisdiction Policy files for the JVM to mitigate this issue.
If on a system where the unlimited strength policies cannot be installed, it is recommended to switch to an algorithm that supports longer passwords (see table above).
If it is not possible to install the unlimited strength jurisdiction policies, the
Allow Weak Crypto
setting can be changed to allowed
,
but this is not recommended. Changing this setting explicitly acknowledges
the inherent risk in using weak cryptographic configurations.
It is preferable to request upstream/downstream systems to switch to https://cwiki.apache.org/confluence/display/NIFI/Encryption+Information or use a "strong" https://cwiki.apache.org/confluence/display/NIFI/Key+Derivation+Function+Explanations.