Password Key Derivation
Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using SCrypt with the parameters:
pw - the password bytes in
salt - the fixed salt value (NIFI_SCRYPT_SALT) bytes in
dkLen - determined by the JCE policies available
As of August 2016, these values are determined to be strong for this threat model but may change in future versions.
While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
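
The trade-off described above, as an added example in Python (not NiFi's own code): a fixed salt lets any node re-derive the same key from the password alone, while a random salt would have to be stored alongside it. The salt value, the cost parameters N, R and P, and the UTF-8 encoding are assumptions made for this sketch, since this page does not give them.

```python
import hashlib
import os

# Constructed stand-in: the page names NIFI_SCRYPT_SALT but does not show its value.
FIXED_SALT = b"EXAMPLE_FIXED_SALT"
# Assumed cost parameters for this sketch; the page's list does not state them.
N, R, P = 2**14, 8, 1
MIN_PASSWORD_LEN = 12  # minimum password length stated on the page


def derive_key_hex(password: str, key_bits: int = 256, salt: bytes = FIXED_SALT) -> str:
    """Derive a raw hexadecimal key (32 or 64 hex characters) from a password."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password must be at least 12 characters")
    if key_bits not in (128, 256):
        raise ValueError("key_bits must be 128 or 256")
    key = hashlib.scrypt(
        password.encode("utf-8"),  # byte encoding is an assumption
        salt=salt, n=N, r=R, p=P,
        maxmem=64 * 1024 * 1024,   # headroom above the 128*N*R bytes scrypt needs
        dklen=key_bits // 8,       # dkLen: 16 or 32 bytes, per available key size
    )
    return key.hex()


def demo() -> dict:
    password = "correct horse battery"  # constructed sample password
    # Two independent derivations share nothing but the password.
    node_a = derive_key_hex(password)
    node_b = derive_key_hex(password)
    # With random salts the key cannot be re-derived unless the salt is stored.
    rand_1 = derive_key_hex(password, salt=os.urandom(16))
    rand_2 = derive_key_hex(password, salt=os.urandom(16))
    return {
        "fixed_salt_reproducible": node_a == node_b,
        "random_salt_reproducible": rand_1 == rand_2,
        "hex_len_128": len(derive_key_hex(password, 128)),
        "hex_len_256": len(node_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same determinism means every installation that uses the same password derives the same key, so the password's strength is the only per-deployment secret.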