EncryptContent

Deprecation notice:

EncryptContentAge or EncryptContentPGP should be used for encrypting new files using standard formatting. DecryptContent supports deciphering historical files.

Please consider using one of the following alternatives: EncryptContentPGP, DecryptContentPGP, DecryptContent, DecryptContentCompatibility, EncryptContentAge, DecryptContentAge

Description:

Encrypts or Decrypts a FlowFile using either symmetric encryption with a raw key or password and randomly generated salt, or asymmetric encryption using a public and secret key.

Additional Details...

Tags:

encryption, decryption, password, JCE, KDF, Argon2, Bcrypt, Scrypt, PBKDF2, salt, iv

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property supports the NiFi Expression Language.

Display Name: Mode
API Name: Mode
Default Value: Encrypt
Allowable Values:
  • Encrypt
  • Decrypt
Description: Specifies whether the content should be encrypted or decrypted

Display Name: Key Derivation Function
API Name: key-derivation-function
Default Value: None
Allowable Values:
  • None: The cipher is given a raw key conforming to the algorithm specifications
  • NiFi Legacy KDF: MD5 @ 1000 iterations
  • OpenSSL EVP_BytesToKey: Single-iteration MD5, compatible with PKCS#5 v1.5
  • Bcrypt: Bcrypt with configurable work factor. See Admin Guide
  • Scrypt: Scrypt with configurable cost parameters. See Admin Guide
  • PBKDF2: PBKDF2 with configurable hash function and iteration count. See Admin Guide
  • Argon2: Argon2 with configurable cost parameters. See Admin Guide
Description: Specifies the key derivation function used to generate the key from the password (and salt)

Display Name: Encryption Algorithm
API Name: Encryption Algorithm
Default Value: AES_GCM
Allowable Values (each entry gives the JCE algorithm name, whether the unlimited-strength JCE policy is required, whether the algorithm is compatible with strong KDFs, and whether it is a keyed cipher; the algorithm provider is BC in every case):
  • MD5_128AES: PBEWITHMD5AND128BITAES-CBC-OPENSSL (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • MD5_192AES: PBEWITHMD5AND192BITAES-CBC-OPENSSL (unlimited JCE policy required: yes; compatible with strong KDFs: no; keyed cipher: no)
  • MD5_256AES: PBEWITHMD5AND256BITAES-CBC-OPENSSL (unlimited JCE policy required: yes; compatible with strong KDFs: no; keyed cipher: no)
  • MD5_DES: PBEWITHMD5ANDDES (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • MD5_RC2: PBEWITHMD5ANDRC2 (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA1_RC2: PBEWITHSHA1ANDRC2 (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA1_DES: PBEWITHSHA1ANDDES (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_128AES: PBEWITHSHAAND128BITAES-CBC-BC (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_192AES: PBEWITHSHAAND192BITAES-CBC-BC (unlimited JCE policy required: yes; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_256AES: PBEWITHSHAAND256BITAES-CBC-BC (unlimited JCE policy required: yes; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_40RC2: PBEWITHSHAAND40BITRC2-CBC (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_128RC2: PBEWITHSHAAND128BITRC2-CBC (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_40RC4: PBEWITHSHAAND40BITRC4 (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_128RC4: PBEWITHSHAAND128BITRC4 (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA256_128AES: PBEWITHSHA256AND128BITAES-CBC-BC (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA256_192AES: PBEWITHSHA256AND192BITAES-CBC-BC (unlimited JCE policy required: yes; compatible with strong KDFs: no; keyed cipher: no)
  • SHA256_256AES: PBEWITHSHA256AND256BITAES-CBC-BC (unlimited JCE policy required: yes; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_2KEYTRIPLEDES: PBEWITHSHAAND2-KEYTRIPLEDES-CBC (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_3KEYTRIPLEDES: PBEWITHSHAAND3-KEYTRIPLEDES-CBC (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • SHA_TWOFISH: PBEWITHSHAANDTWOFISH-CBC (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • PGP: PGP (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • PGP_ASCII_ARMOR: PGP-ASCII-ARMOR (unlimited JCE policy required: no; compatible with strong KDFs: no; keyed cipher: no)
  • AES_CBC_NO_PADDING: AES/CBC/NoPadding (unlimited JCE policy required: no; compatible with strong KDFs: yes; keyed cipher: yes)
  • AES_CBC: AES/CBC/PKCS7Padding (unlimited JCE policy required: no; compatible with strong KDFs: yes; keyed cipher: yes)
  • AES_CTR: AES/CTR/NoPadding (unlimited JCE policy required: no; compatible with strong KDFs: yes; keyed cipher: yes)
  • AES_GCM: AES/GCM/NoPadding (unlimited JCE policy required: no; compatible with strong KDFs: yes; keyed cipher: yes)
Description: The Encryption Algorithm to use

Display Name: Allow insecure cryptographic modes
API Name: allow-weak-crypto
Default Value: Not Allowed
Allowable Values:
  • Allowed: Operation will not be blocked and no alerts will be presented when unsafe combinations of encryption algorithms and passwords are provided
  • Not Allowed: When set, operation will be blocked and alerts will be presented to the user if unsafe combinations of encryption algorithms and passwords are provided on a JVM with limited strength crypto. To fix this, see the Admin Guide.
Description: Overrides the default behavior to prevent unsafe combinations of encryption algorithms and short passwords on JVMs with limited strength cryptographic jurisdiction policies

Display Name: Password
API Name: Password
Description: The Password to use for encrypting or decrypting the data
Sensitive Property: true

Display Name: Raw Key (hexadecimal)
API Name: raw-key-hex
Description: In keyed encryption, this is the raw key, encoded in hexadecimal
Sensitive Property: true

Display Name: Public Keyring File
API Name: public-keyring-file
Description: In a PGP encrypt mode, this keyring contains the public key of the recipient

Display Name: Public Key User Id
API Name: public-key-user-id
Description: In a PGP encrypt mode, this is the user id of the recipient

Display Name: Private Keyring File
API Name: private-keyring-file
Description: In a PGP decrypt mode, this keyring contains the private key of the recipient

Display Name: Private Keyring Passphrase
API Name: private-keyring-passphrase
Description: In a PGP decrypt mode, this is the private keyring passphrase
Sensitive Property: true
Supports Expression Language: true (will be evaluated using variable registry only)

Display Name: PGP Symmetric Cipher
API Name: pgp-symmetric-cipher
Default Value: AES_128
Allowable Values:
  • IDEA
  • TRIPLE_DES
  • CAST5
  • BLOWFISH
  • DES
  • AES_128
  • AES_192
  • AES_256
  • TWOFISH
  • CAMELLIA_128
  • CAMELLIA_192
  • CAMELLIA_256
Description: When using PGP encryption, this is the symmetric cipher to be used. This property is ignored if Encryption Algorithm is not PGP or PGP-ASCII-ARMOR. Note that the provided cipher is only used during the encryption phase; in the decryption phase it is inferred from the ciphertext.

Relationships:

Name      Description
success   Any FlowFile that is successfully encrypted or decrypted will be routed to success
failure   Any FlowFile that cannot be encrypted or decrypted will be routed to failure

Reads Attributes:

None specified.

Writes Attributes:

Name                                Description
encryptcontent.action               "encrypted" or "decrypted" depending on the processor action
encryptcontent.algorithm            The algorithm used for the cryptographic operation
encryptcontent.cipher_text_length   The cipher text length in bytes (including IV, salt, and delimiters if present). Determined from incoming content in decrypt mode; outgoing content in encrypt mode
encryptcontent.iv                   The Initialization Vector in hex encoding (if present)
encryptcontent.iv_length            The IV length in bytes
encryptcontent.kdf                  The Key Derivation Function used if Password-Based Encryption was enabled. See Admin Guide - Key Derivation Functions
encryptcontent.kdf_salt             The KDF-specific salt including algorithm and cost parameters (if present). See Admin Guide - Key Derivation Functions
encryptcontent.kdf_salt_length      The KDF salt length in bytes
encryptcontent.pbkdf2_iterations    The number of iterations used in PBKDF2 KDF (if present). PBKDF2 does not encode the cost parameter in a custom salt
encryptcontent.plaintext_length     The plaintext length in bytes. Determined from incoming content in encrypt mode; outgoing content in decrypt mode
encryptcontent.salt                 The raw salt in hex encoding (if present)
encryptcontent.salt_length          The raw salt length in bytes
encryptcontent.timestamp            The timestamp at which the cryptographic operation occurred in 'yyyy-MM-dd HH:mm:ss.SSS Z' format
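As an added illustration of keyed encryption with the AES_GCM algorithm and the Raw Key (hexadecimal) property, the Java program below (example code, not NiFi's own; Java 17+, standard JCE only) encrypts a constructed FlowFile body and derives the iv, iv_length, plaintext_length and cipher_text_length attributes listed above. The IV-prepended output layout, the 12-byte IV and the 128-bit tag are this example's own assumptions, not NiFi's content format, which is covered in Additional Details.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyedAesGcmExample {
    // Layout used by this example only (not NiFi's wire format): IV || ciphertext+tag
    private static final int IV_LENGTH_BYTES = 12;
    private static final int TAG_LENGTH_BITS = 128;
    private static final String ALGORITHM = "AES/GCM/NoPadding"; // the AES_GCM entry, a keyed cipher

    // Encrypts with a raw hex key and records the attributes the processor documents for encrypt mode.
    static byte[] encrypt(String rawKeyHex, byte[] plaintext, Map<String, String> attrs) throws Exception {
        byte[] key = HexFormat.of().parseHex(rawKeyHex); // 16, 24 or 32 bytes -> AES-128/192/256
        byte[] iv = new byte[IV_LENGTH_BYTES];
        new SecureRandom().nextBytes(iv); // fresh IV per message; reusing one under the same key breaks GCM
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_LENGTH_BITS, iv));
        byte[] body = cipher.doFinal(plaintext); // ciphertext followed by the 16-byte authentication tag
        byte[] out = new byte[iv.length + body.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        attrs.put("encryptcontent.action", "encrypted");
        attrs.put("encryptcontent.algorithm", ALGORITHM);
        attrs.put("encryptcontent.iv", HexFormat.of().formatHex(iv));
        attrs.put("encryptcontent.iv_length", String.valueOf(iv.length));
        attrs.put("encryptcontent.plaintext_length", String.valueOf(plaintext.length));
        attrs.put("encryptcontent.cipher_text_length", String.valueOf(out.length)); // IV included, as documented
        return out;
    }

    // Reads the IV back from the content; a wrong key or a modified byte raises AEADBadTagException.
    static byte[] decrypt(String rawKeyHex, byte[] in) throws Exception {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(HexFormat.of().parseHex(rawKeyHex), "AES"),
                new GCMParameterSpec(TAG_LENGTH_BITS, in, 0, IV_LENGTH_BYTES));
        return cipher.doFinal(in, IV_LENGTH_BYTES, in.length - IV_LENGTH_BYTES);
    }

    public static void main(String[] args) throws Exception {
        String keyHex = "000102030405060708090a0b0c0d0e0f"; // constructed 128-bit demo key, not a real secret
        Map<String, String> attrs = new LinkedHashMap<>();
        byte[] ct = encrypt(keyHex, "hello flowfile".getBytes(StandardCharsets.UTF_8), attrs);
        attrs.forEach((k, v) -> System.out.println(k + "=" + v));
        System.out.println(new String(decrypt(keyHex, ct), StandardCharsets.UTF_8));
    }
}
```

For a 14-byte plaintext the attributes show plaintext_length 14 and cipher_text_length 42 (12-byte IV + 14 bytes of ciphertext + 16-byte tag), which is the relationship between the two length attributes that the table above describes.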

State management:

This component does not store state.

Restricted:

This component is not restricted.

Input requirement:

This component requires an incoming relationship.

System Resource Considerations:

Resource   Description
CPU        An instance of this component can cause high usage of this system resource. Multiple instances or high concurrency settings may result in a degradation of performance.