Salt and IV Encoding
The EncryptContent processor had a single method of deriving the encryption key from a user-provided password. This is now referred to as NiFiLegacy mode, effectively MD5 digest, 1000 iterations. In v0.4.0, another method of deriving the key, PKCS#5 v1.5 EVP_BytesToKey, was added for compatibility with content encrypted outside of NiFi using the openssl command-line tool. Both of these key derivation functions (KDFs) had hard-coded digest functions and iteration counts, and the salt format was also hard-coded. With v0.5.0, additional KDFs are introduced with variable iteration counts, work factors, and salt formats. In addition, raw keyed encryption was also introduced. This required the capacity to encode arbitrary salts and Initialization Vectors (IVs) into the cipher stream so that NiFi or a follow-on system can recover them to decrypt these messages.
For the existing KDFs, the salt format has not changed.
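To make the hard-coded salt format and fixed digest of the OpenSSL-compatible mode concrete, here is an added sketch (not NiFi's code) that recovers the salt from a cipher stream and derives the key and IV. It assumes the `openssl enc` stream layout (the 8-byte ASCII header `Salted__` followed by an 8-byte salt) and MD5 with an iteration count of 1; neither detail is stated on this page, and the function names and sample bytes are constructed for illustration.

```python
import hashlib

OPENSSL_MAGIC = b"Salted__"  # assumption: header written by `openssl enc`
SALT_LEN = 8                 # assumption: fixed 8-byte salt after the header


def split_openssl_stream(stream: bytes):
    """Return (salt, ciphertext); salt is None when the stream is unsalted."""
    if stream.startswith(OPENSSL_MAGIC):
        end = len(OPENSSL_MAGIC) + SALT_LEN
        if len(stream) < end:
            raise ValueError("truncated salt header")
        return stream[len(OPENSSL_MAGIC):end], stream[end:]
    return None, stream


def evp_bytes_to_key(password: bytes, salt, key_len: int, iv_len: int):
    """EVP_BytesToKey, MD5, count=1: D_i = MD5(D_{i-1} || password || salt)."""
    salt = salt or b""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_for_stream(password: bytes, stream: bytes, key_len=32, iv_len=16):
    """Recover the salt from the stream, then derive (key, iv, ciphertext)."""
    salt, ciphertext = split_openssl_stream(stream)
    key, iv = evp_bytes_to_key(password, salt, key_len, iv_len)
    return key, iv, ciphertext


if __name__ == "__main__":
    # Constructed sample stream: header, 8-byte salt, 16 bytes of dummy ciphertext.
    sample = OPENSSL_MAGIC + bytes.fromhex("0011223344556677") + b"\x00" * 16
    key, iv, body = derive_for_stream(b"example-password", sample)
    print(len(key), len(iv), len(body))
```

Because the digest and iteration count are fixed, the only per-message input besides the password is the salt carried in the stream, which is why this derivation is cheap to brute-force compared with the variable-work-factor KDFs introduced in v0.5.0.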