Salt and IV Encoding
EncryptContent processor had a single method of deriving
the encryption key from a user-provided password. This is now referred to as
NiFiLegacy mode, effectively
MD5 digest, 1000
iterations. In v0.4.0, another method of deriving the key,
PKCS#5 v1.5 EVP_BytesToKey was added for compatibility with content encrypted
outside of NiFi using the
openssl command-line tool. Both of these Key
(KDF) had hard-coded digest functions and iteration counts, and the salt format was also
hard-coded. With v0.5.0, additional KDFs are introduced with variable iteration counts,
work factors, and salt formats. In addition, raw keyed encryption was also
introduced. This required the capacity to encode arbitrary salts and Initialization Vectors
(IV) into the cipher stream in order to be recovered by NiFi or a follow-on system to
decrypt these messages.
For the existing KDFs, the salt format has not changed.