[NIFI-7638] Add PBE AEAD sensitive flow property protection scheme - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.11.4
Fix Version/s: 1.12.0
Component/s: Configuration Management, Core Framework
Labels:
- aead
- encryption
- kdf
- pbe
- security

Description

A user requested a change from AES-CBC to AES-G/CM for the nifi.sensitive.props.algorithm in nifi.properties. The current possible values are all EncryptionMethod enum values, which includes raw (directly-keyed vs. PBE) AES-G/CM, but this would require a valid hexadecimal-encoded AES key in the nifi.sensitive.props.key value. One or more new EncryptionMethod entries which combine reasonable default values for a KDF (Argon2, bcrypt, scrypt, PBKDF2) and AEAD mode of operation (AES-G/CM) would allow for simpler configuration and migration. The other option is to enhance the EncryptionMethod enum values with custom values in the NiFiProperties or StringEncryptor class which provide an additional level of security without modifying the EncryptionMethod enum directly, as the EncryptContent processor already allows independent configuration of a KDF and cipher algorithm (see ~~NIFI-7122~~ / PR 4228).

Attachments

Issue Links

relates to

NIFI-7668 Add configurable PBE AEAD algorithms to flow encryption

Resolved

NIFI-7669 Add flow protection key caching mechanism for derived keys

Resolved

NIFI-7670 Implement flow migration for PBE AEAD algorithms in Encrypt-Config toolkit

Resolved

links to

GitHub Pull Request #4427

Activity

People

Assignee:: Andy LoPresto

Reporter:: Andy LoPresto

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 14/Jul/20 23:41

Updated:: 08/Apr/21 13:07

Resolved:: 25/Jul/20 01:13

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1h 50m