Encrypted Passwords in Flows

NiFi always stores all sensitive values (passwords, tokens, and other credentials) populated into a flow in an encrypted format on disk. The encryption algorithm used is specified by nifi.sensitive.props.algorithm, and the password from which the encryption key is derived is specified by nifi.sensitive.props.key in nifi.properties (see Security Configuration for additional information). Prior to version 1.12.0, the list of available algorithms consisted of all password-based encryption (PBE) algorithms supported by the EncryptionMethod enum in that version. Unfortunately, many of these algorithms are provided for legacy compatibility and use weak key derivation functions and weak block cipher algorithms and modes of operation. In 1.12.0, a pair of custom algorithms was introduced for security-conscious users looking for more robust protection of the flow's sensitive values. These options combine the Argon2id KDF with reasonable cost parameters (2^16 or 65,536 KB of memory, 5 iterations, and parallelism 8) with an authenticated encryption with associated data (AEAD) mode of operation, AES-GCM (Galois/Counter Mode). The algorithms are specified as:

  • NIFI_ARGON2_AES_GCM_256 - 256-bit key length

  • NIFI_ARGON2_AES_GCM_128 - 128-bit key length

Both options require a password (nifi.sensitive.props.key value) of at least 12 characters. This means the "default" value (if left empty, a hard-coded default is used) will not be sufficient.
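As an added example (not part of NiFi itself or of this guide), the following Python check reads the two properties above from a nifi.properties fragment and reports whether the algorithm is one of the Argon2id/AES-GCM options and whether the key meets the 12-character minimum. Both sample fragments are constructed; the legacy PBE algorithm name in the weak sample is used only as an illustration of a pre-1.12.0 setting.

```python
"""Check nifi.sensitive.props.* in a nifi.properties file against the guidance above."""
import re

# The two Argon2id + AES-GCM algorithms introduced in NiFi 1.12.0.
STRONG_ALGORITHMS = {"NIFI_ARGON2_AES_GCM_256", "NIFI_ARGON2_AES_GCM_128"}
MIN_KEY_LENGTH = 12  # minimum nifi.sensitive.props.key length those algorithms require


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':'
    separators, backslash line continuations; a repeated key keeps the last value."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            buf += line[:-1]  # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", buf + line)
        if m:
            props[m.group(1)] = m.group(2).strip()
        buf = ""
    return props


def check_sensitive_props(text):
    """Return a list of findings; an empty list means the settings meet the guidance."""
    props = parse_properties(text)
    algorithm = props.get("nifi.sensitive.props.algorithm", "")
    key = props.get("nifi.sensitive.props.key", "")
    findings = []
    if algorithm not in STRONG_ALGORITHMS:
        findings.append(f"algorithm {algorithm!r} is not one of {sorted(STRONG_ALGORITHMS)}")
    if not key:
        findings.append("nifi.sensitive.props.key is empty, so the hard-coded default would be used")
    elif len(key) < MIN_KEY_LENGTH:
        findings.append(f"nifi.sensitive.props.key has {len(key)} characters; at least {MIN_KEY_LENGTH} required")
    return findings


# Constructed sample fragments (not taken from any real deployment).
WEAK_CONFIG = """# legacy PBE algorithm name, shown only as an illustration
nifi.sensitive.props.key=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
"""
STRONG_CONFIG = """nifi.sensitive.props.key=example-passphrase-with-enough-length
nifi.sensitive.props.algorithm=NIFI_ARGON2_AES_GCM_256
"""
```

Running check_sensitive_props on WEAK_CONFIG yields two findings (legacy algorithm, empty key), while STRONG_CONFIG yields none.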

These options provide a bridge solution to higher security without requiring a change to the structure of nifi.properties. A more full-featured configuration process, allowing for arbitrary combinations of KDFs and encryption algorithms, will be added in a future release. See NIFI-7668 and NIFI-7670 for more details.