EncryptContent

Description:

Encrypts or Decrypts a FlowFile using either symmetric encryption with a raw key or password and randomly generated salt, or asymmetric encryption using a public and secret key.

Additional Details...

Tags:

encryption, decryption, password, JCE, KDF, Argon2, Bcrypt, Scrypt, PBKDF2, salt, iv

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property supports the NiFi Expression Language.

Display Name	API Name	Default Value	Allowable Values	Description
Mode	Mode	Encrypt	Encrypt Decrypt	Specifies whether the content should be encrypted or decrypted
Key Derivation Function	key-derivation-function	None	None NiFi Legacy KDF OpenSSL EVP_BytesToKey Bcrypt Scrypt PBKDF2 Argon2	Specifies the key derivation function to generate the key from the password (and salt)
Encryption Algorithm	Encryption Algorithm	AES_GCM	MD5_128AES MD5_192AES MD5_256AES MD5_DES MD5_RC2 SHA1_RC2 SHA1_DES SHA_128AES SHA_192AES SHA_256AES SHA_40RC2 SHA_128RC2 SHA_40RC4 SHA_128RC4 SHA256_128AES SHA256_192AES SHA256_256AES SHA_2KEYTRIPLEDES SHA_3KEYTRIPLEDES SHA_TWOFISH PGP PGP_ASCII_ARMOR AES_CBC_NO_PADDING AES_CBC AES_CTR AES_GCM	The Encryption Algorithm to use
Allow insecure cryptographic modes	allow-weak-crypto	Not Allowed	Allowed Not Allowed	Overrides the default behavior to prevent unsafe combinations of encryption algorithms and short passwords on JVMs with limited strength cryptographic jurisdiction policies
Password	Password			The Password to use for encrypting or decrypting the data Sensitive Property: true
Raw Key (hexadecimal)	raw-key-hex			In keyed encryption, this is the raw key, encoded in hexadecimal Sensitive Property: true
Public Keyring File	public-keyring-file			In a PGP encrypt mode, this keyring contains the public key of the recipient
Public Key User Id	public-key-user-id			In a PGP encrypt mode, this user id of the recipient
Private Keyring File	private-keyring-file			In a PGP decrypt mode, this keyring contains the private key of the recipient
Private Keyring Passphrase	private-keyring-passphrase			In a PGP decrypt mode, this is the private keyring passphrase Sensitive Property: true Supports Expression Language: true (will be evaluated using variable registry only)
PGP Symmetric Cipher	pgp-symmetric-cipher	AES_128	IDEA TRIPLE_DES CAST5 BLOWFISH DES AES_128 AES_192 AES_256 TWOFISH CAMELLIA_128 CAMELLIA_192 CAMELLIA_256	When using PGP encryption, this is the symmetric cipher to be used. This property is ignored if Encryption Algorithm is not PGP or PGP-ASCII-ARMOR Note that the provided cipher is only used duringthe encryption phase, while it is inferred from the ciphertext in the decryption phase

Relationships:

Name	Description
success	Any FlowFile that is successfully encrypted or decrypted will be routed to success
failure	Any FlowFile that cannot be encrypted or decrypted will be routed to failure

Reads Attributes:

None specified.

Writes Attributes:

Name	Description
encryptcontent.action	"encrypted" or "decrypted" depending on the processor action
encryptcontent.algorithm	The algorithm used for the cryptographic operation
encryptcontent.cipher_text_length	The cipher text length in bytes (including IV, salt, and delimiters if present). Determined from incoming content in decrypt mode; outgoing content in encrypt mode
encryptcontent.iv	The Initialization Vector in hex encoding (if present)
encryptcontent.iv_length	The IV length in bytes
encryptcontent.kdf	The Key Derivation Function used if Password-Based Encryption was enabled. See Admin Guide - Key Derivation Functions
encryptcontent.kdf_salt	The KDF-specific salt including algorithm and cost parameters (if present). See Admin Guide - Key Derivation Functions
encryptcontent.kdf_salt_length	The KDF salt length in bytes
encryptcontent.pbkdf2_iterations	The number of iterations used in PBKDF2 KDF (if present). PBKDF2 does not encode the cost parameter in a custom salt
encryptcontent.plaintext_length	The plaintext length in bytes. Determined from incoming content in encrypt mode; outgoing content in decrypt mode
encryptcontent.salt	The raw salt in hex encoding (if present)
encryptcontent.salt_length	The raw salt length in bytes
encryptcontent.timestamp	The timestamp at which the cryptographic operation occurred in 'yyyy-MM-dd HH:mm:ss.SSS Z' format

State management:

This component does not store state.

Restricted:

This component is not restricted.

Input requirement:

This component requires an incoming relationship.

System Resource Considerations:

Resource	Description
CPU	An instance of this component can cause high usage of this system resource. Multiple instances or high concurrency settings may result a degradation of performance.