Salt and IV Encoding

Initially, the EncryptContent processor had a single method of deriving the encryption key from a user-provided password. This is now referred to as NiFiLegacy mode, effectively MD5 digest, 1000 iterations. In v0.4.0, another method of deriving the key, OpenSSL PKCS#5 v1.5 EVP_BytesToKey, was added for compatibility with content encrypted outside of NiFi using the openssl command-line tool. Both of these Key Derivation Functions (KDFs) had hard-coded digest functions and iteration counts, and the salt format was also hard-coded. With v0.5.0, additional KDFs are introduced with variable iteration counts, work factors, and salt formats. In addition, raw keyed encryption was also introduced. This required the capacity to encode arbitrary salts and Initialization Vectors (IVs) into the cipher stream so that NiFi or a follow-on system can recover them in order to decrypt these messages.

For the existing KDFs, the salt format has not changed.
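As an added illustration (example code, not NiFi's own implementation) of the OpenSSL-compatible mode described above, the following implements the PKCS#5 v1.5 EVP_BytesToKey derivation and the "Salted__" + 8-byte-salt prefix that the openssl command-line tool writes in front of the ciphertext so the salt can be recovered from the cipher stream. The digest and iteration count are parameters; the defaults assume the historical openssl enc behaviour (MD5, one iteration), which is not stated on this page.

```python
import hashlib

OPENSSL_MAGIC = b"Salted__"  # marker that `openssl enc -salt` writes before the salt
OPENSSL_SALT_LEN = 8         # openssl always uses an 8-byte salt in this format


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5", count: int = 1):
    """OpenSSL EVP_BytesToKey (PKCS#5 v1.5 style derivation).

    D_1 = H^count(password || salt), D_i = H^count(D_{i-1} || password || salt);
    the D_i are concatenated until key_len + iv_len bytes are available.
    The defaults (MD5, count=1) are an assumption mirroring legacy `openssl enc`.
    """
    if len(salt) != OPENSSL_SALT_LEN:
        raise ValueError("OpenSSL-compatible derivation expects an 8-byte salt")
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):  # further iterations re-hash the block alone
            block = hashlib.new(digest, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def openssl_header(salt: bytes) -> bytes:
    """Prefix that carries the salt inside the cipher stream."""
    if len(salt) != OPENSSL_SALT_LEN:
        raise ValueError("salt must be 8 bytes")
    return OPENSSL_MAGIC + salt


def parse_openssl_stream(stream: bytes):
    """Recover (salt, ciphertext) from a 'Salted__'-prefixed cipher stream."""
    header_len = len(OPENSSL_MAGIC) + OPENSSL_SALT_LEN
    if not stream.startswith(OPENSSL_MAGIC) or len(stream) < header_len:
        raise ValueError("not an OpenSSL salted cipher stream")
    return stream[len(OPENSSL_MAGIC):header_len], stream[header_len:]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real NiFi flow.
    salt = bytes(range(8))
    key, iv = evp_bytes_to_key(b"password", salt, 16, 16)  # AES-128 key + 16-byte IV
    stream = openssl_header(salt) + b"<ciphertext bytes>"
    print(key.hex(), iv.hex(), parse_openssl_stream(stream)[0].hex())
```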