Allow Insecure Cryptographic Modes
By default, the
Allow Insecure Cryptographic Modes property in
EncryptContent processor settings is set to
not-allowed. This means that if a password of fewer than
10 characters is provided, a validation error will occur. 10 characters is a conservative estimate and does not take into consideration full entropy calculations, patterns, etc.
On a JVM with limited strength cryptography, some PBE algorithms limit the maximum password length to 7, and in this case it will not be possible to provide a "safe" password. It is recommended to install the JCE Unlimited Strength Jurisdiction Policy files for the JVM to mitigate this issue.
If on a system where the unlimited strength policies cannot be installed, it is recommended to switch to an algorithm that supports longer passwords (see table above).
Allowing Weak Crypto
If it is not possible to install the unlimited strength jurisdiction policies, the
Allow Weak Crypto setting can be changed to
but this is not recommended. Changing this setting explicitly acknowledges
the inherent risk in using weak cryptographic configurations.
It is preferable to request upstream/downstream systems to switch to https://cwiki.apache.org/confluence/display/NIFI/Encryption+Information or use a "strong" https://cwiki.apache.org/confluence/display/NIFI/Key+Derivation+Function+Explanations.