Administration
Also available as:
PDF
loading table of contents...

Password Key Derivation

Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using SCrypt with the parameters:

  • pw - the password bytes in UTF-8

  • salt - the fixed salt value (NIFI_SCRYPT_SALT) bytes in UTF-8

  • N - 216

  • r - 8

  • p - 1

  • dkLen - determined by the JCE policies available

As of August 2016, these values are determined to be strong for this threat model but may change in future versions.

While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.