Apache NiFi Security

Password Key Derivation

Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using SCrypt with the parameters:

  • pw - the password bytes in UTF-8

  • salt - the fixed salt value (NIFI_SCRYPT_SALT) bytes in UTF-8

  • N - 2^16

  • r - 8

  • p - 1

  • dkLen - determined by the JCE policies available

As of August 2016, these values are determined to be strong for this threat model but may change in future versions.

Note
While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
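The derivation described above, as an added example in Python (not NiFi's own code). It assumes the salt is the literal string NIFI_SCRYPT_SALT and takes dkLen as an argument (16 or 32 bytes, matching the 32 or 64 character hexadecimal key) instead of reading it from the JCE policies; the function name is hypothetical.

```python
import hashlib

# Assumption: the fixed salt is the literal string named in the parameter list.
SALT = "NIFI_SCRYPT_SALT".encode("utf-8")
N = 2 ** 16   # CPU/memory cost
R = 8         # block size
P = 1         # parallelization
MIN_PASSWORD_CHARS = 12


def derive_key_hex(password: str, dk_len: int = 32) -> str:
    """Derive a hexadecimal key from a password with the listed parameters.

    dk_len is 16 or 32 bytes (a 32 or 64 character hex key). In NiFi it
    follows from the JCE policies available; here the caller chooses it.
    """
    if len(password) < MIN_PASSWORD_CHARS:
        raise ValueError("password must be at least 12 characters")
    if dk_len not in (16, 32):
        raise ValueError("dk_len must be 16 or 32 bytes")
    # scrypt needs about 128 * N * r bytes (64 MiB with these values), which
    # is above OpenSSL's default limit, so maxmem is raised explicitly.
    key = hashlib.scrypt(
        password.encode("utf-8"),
        salt=SALT,
        n=N,
        r=R,
        p=P,
        maxmem=2 * 128 * N * R,
        dklen=dk_len,
    )
    return key.hex()


if __name__ == "__main__":
    sample = "constructed-example-password"  # constructed sample value
    print(derive_key_hex(sample, 32))
```

Because the salt is fixed, the same password produces the same key on every host, so the password alone separates the keys of two installations.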