Salt and IV Encoding
Initially, the EncryptContent
processor had a single method of deriving
the encryption key from a user-provided password. This is now referred to as
NiFiLegacy
mode, effectively MD5 digest, 1000
iterations
. In v0.4.0, another method of deriving the key, OpenSSL
PKCS#5 v1.5 EVP_BytesToKey
was added for compatibility with content encrypted
outside of NiFi using the openssl
command-line tool. Both of these Key Derivation Functions (KDF) had
hard-coded digest functions and iteration counts, and the salt format was also hard-coded.
With v0.5.0, additional KDFs are introduced with variable iteration counts, work factors,
and salt formats. In addition, raw keyed encryption was also introduced. This
required the capacity to encode arbitrary salts and Initialization Vectors (IV) into the
cipher stream in order to be recovered by NiFi or a follow-on system to decrypt these
messages.
For the existing KDFs, the salt format has not changed.