Password Key Derivation
Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a
password from which the key will be derived. As of 1.0.0, the password must be at least 12
characters, and the key will be derived using SCrypt with the
parameters:
pw- the password bytes inUTF-8salt- the fixed salt value (NIFI_SCRYPT_SALT) bytes inUTF-8N- 216r- 8p- 1dkLen- determined by the JCE policies available
As of August 2016, these values are determined to be strong for this threat model but may change in future versions.
|
While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value. |