Description:

Encrypts or Decrypts a FlowFile using either symmetric encryption with a password and randomly generated salt, or asymmetric encryption using a public and secret key.

Tags:

encryption, decryption, password, JCE, OpenPGP, PGP, GPG

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property is considered "sensitive", meaning that its value will be encrypted. Before entering a value in a sensitive property, ensure that the nifi.properties file has an entry for the property nifi.sensitive.props.key.

Mode
  Default Value: Encrypt
  Allowable Values:
  • Encrypt
  • Decrypt
  Description: Specifies whether the content should be encrypted or decrypted

Key Derivation Function
  Default Value: BCRYPT
  Allowable Values:
  • NiFi Legacy KDF: MD5 @ 1000 iterations
  • OpenSSL EVP_BytesToKey: Single iteration MD5 compatible with PKCS#5 v1.5
  • Bcrypt: Bcrypt with configurable work factor. See Admin Guide
  • Scrypt: Scrypt with configurable cost parameters. See Admin Guide
  • PBKDF2: PBKDF2 with configurable hash function and iteration count. See Admin Guide
  • None: The cipher is given a raw key conforming to the algorithm specifications
  Description: Specifies the key derivation function to generate the key from the password (and salt)

Encryption Algorithm
  Default Value: MD5_128AES
  Allowable Values:
  • MD5_128AES EncryptionMethod[Algorithm name=PBEWITHMD5AND128BITAES-CBC-OPENSSL,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • MD5_192AES EncryptionMethod[Algorithm name=PBEWITHMD5AND192BITAES-CBC-OPENSSL,Requires unlimited strength JCE policy=true,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • MD5_256AES EncryptionMethod[Algorithm name=PBEWITHMD5AND256BITAES-CBC-OPENSSL,Requires unlimited strength JCE policy=true,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • MD5_DES EncryptionMethod[Algorithm name=PBEWITHMD5ANDDES,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • MD5_RC2 EncryptionMethod[Algorithm name=PBEWITHMD5ANDRC2,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA1_RC2 EncryptionMethod[Algorithm name=PBEWITHSHA1ANDRC2,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA1_DES EncryptionMethod[Algorithm name=PBEWITHSHA1ANDDES,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_128AES EncryptionMethod[Algorithm name=PBEWITHSHAAND128BITAES-CBC-BC,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_192AES EncryptionMethod[Algorithm name=PBEWITHSHAAND192BITAES-CBC-BC,Requires unlimited strength JCE policy=true,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_256AES EncryptionMethod[Algorithm name=PBEWITHSHAAND256BITAES-CBC-BC,Requires unlimited strength JCE policy=true,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_40RC2 EncryptionMethod[Algorithm name=PBEWITHSHAAND40BITRC2-CBC,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_128RC2 EncryptionMethod[Algorithm name=PBEWITHSHAAND128BITRC2-CBC,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_40RC4 EncryptionMethod[Algorithm name=PBEWITHSHAAND40BITRC4,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_128RC4 EncryptionMethod[Algorithm name=PBEWITHSHAAND128BITRC4,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA256_128AES EncryptionMethod[Algorithm name=PBEWITHSHA256AND128BITAES-CBC-BC,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA256_192AES EncryptionMethod[Algorithm name=PBEWITHSHA256AND192BITAES-CBC-BC,Requires unlimited strength JCE policy=true,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA256_256AES EncryptionMethod[Algorithm name=PBEWITHSHA256AND256BITAES-CBC-BC,Requires unlimited strength JCE policy=true,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_2KEYTRIPLEDES EncryptionMethod[Algorithm name=PBEWITHSHAAND2-KEYTRIPLEDES-CBC,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_3KEYTRIPLEDES EncryptionMethod[Algorithm name=PBEWITHSHAAND3-KEYTRIPLEDES-CBC,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • SHA_TWOFISH EncryptionMethod[Algorithm name=PBEWITHSHAANDTWOFISH-CBC,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • PGP EncryptionMethod[Algorithm name=PGP,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • PGP_ASCII_ARMOR EncryptionMethod[Algorithm name=PGP-ASCII-ARMOR,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
  • AES_CBC EncryptionMethod[Algorithm name=AES/CBC/PKCS7Padding,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=true,Keyed cipher=true]
  • AES_CTR EncryptionMethod[Algorithm name=AES/CTR/NoPadding,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=true,Keyed cipher=true]
  • AES_GCM EncryptionMethod[Algorithm name=AES/GCM/NoPadding,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=true,Keyed cipher=true]
  Description: The Encryption Algorithm to use

Allow insecure cryptographic modes
  Default Value: not-allowed
  Allowable Values:
  • Allowed: Operation will not be blocked and no alerts will be presented when unsafe combinations of encryption algorithms and passwords are provided
  • Not Allowed: When set, operation will be blocked and alerts will be presented to the user if unsafe combinations of encryption algorithms and passwords are provided on a JVM with limited strength crypto. To fix this, see the Admin Guide.
  Description: Overrides the default behavior to prevent unsafe combinations of encryption algorithms and short passwords on JVMs with limited strength cryptographic jurisdiction policies

Password
  Description: The Password to use for encrypting or decrypting the data
  Sensitive Property: true

Raw Key (hexadecimal)
  Description: In keyed encryption, this is the raw key, encoded in hexadecimal
  Sensitive Property: true

Public Keyring File
  Description: In a PGP encrypt mode, this keyring contains the public key of the recipient

Public Key User Id
  Description: In a PGP encrypt mode, this is the user id of the recipient

Private Keyring File
  Description: In a PGP decrypt mode, this keyring contains the private key of the recipient

Private Keyring Passphrase
  Description: In a PGP decrypt mode, this is the private keyring passphrase
  Sensitive Property: true
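
An added example, not part of the NiFi documentation or code base: a Python check that parses the EncryptionMethod[...] descriptors listed under Encryption Algorithm and flags weak or mismatched Key Derivation Function / Encryption Algorithm pairs. The function names, the WEAK_TOKENS policy and the decision to skip KDF checks for PGP modes are assumptions of this example.

```python
import re

# Constructed sample: four descriptor lines copied from the Allowable Values list above.
DESCRIPTORS = """
MD5_128AES EncryptionMethod[Algorithm name=PBEWITHMD5AND128BITAES-CBC-OPENSSL,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
SHA_40RC4 EncryptionMethod[Algorithm name=PBEWITHSHAAND40BITRC4,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
PGP EncryptionMethod[Algorithm name=PGP,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=false,Keyed cipher=false]
AES_GCM EncryptionMethod[Algorithm name=AES/GCM/NoPadding,Requires unlimited strength JCE policy=false,Algorithm Provider=BC,Compatible with strong KDFs=true,Keyed cipher=true]
"""

ENTRY = re.compile(r"^(\w+) EncryptionMethod\[(.*)\]$")
# Assumption: reviewer policy chosen for this example, not a list NiFi enforces.
WEAK_TOKENS = ("MD5", "DES", "RC2", "RC4", "40BIT")
# Both are described as MD5-based in the Key Derivation Function list.
MD5_KDFS = {"NiFi Legacy KDF", "OpenSSL EVP_BytesToKey"}


def parse_descriptors(text):
    """Map each allowable value name to its descriptor fields."""
    methods = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            methods[m.group(1)] = dict(kv.split("=", 1) for kv in m.group(2).split(","))
    return methods


def audit(kdf, algorithm, methods):
    """Return findings for one Key Derivation Function / Encryption Algorithm pair."""
    fields = methods[algorithm]
    name = fields["Algorithm name"]
    if name.startswith("PGP"):
        # Assumption: PGP modes are keyed by the keyring properties, so skip KDF checks.
        return []
    findings = [f"algorithm name contains {t}" for t in WEAK_TOKENS if t in name.upper()]
    if kdf in MD5_KDFS:
        findings.append(f"KDF '{kdf}' derives the key with MD5")
    elif kdf != "None" and fields["Compatible with strong KDFs"] == "false":
        findings.append(f"{algorithm} is listed as not compatible with strong KDF '{kdf}'")
    if kdf == "None" and fields["Keyed cipher"] == "false":
        findings.append(f"KDF None supplies a raw key, but {algorithm} is not a keyed cipher")
    return findings


if __name__ == "__main__":
    methods = parse_descriptors(DESCRIPTORS)
    for kdf, alg in [("Bcrypt", "MD5_128AES"), ("NiFi Legacy KDF", "SHA_40RC4"), ("Bcrypt", "AES_GCM")]:
        print(kdf, alg, audit(kdf, alg, methods))
```

Run against the documented defaults (Bcrypt with MD5_128AES), the check reports both the MD5-based algorithm and the strong-KDF mismatch; Bcrypt with AES_GCM returns no findings.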

Relationships:

success
  Description: Any FlowFile that is successfully encrypted or decrypted will be routed to success

failure
  Description: Any FlowFile that cannot be encrypted or decrypted will be routed to failure

Reads Attributes:

None specified.

Writes Attributes:

None specified.

State management:

This processor has no state management.

Restricted: