Encrypts or decrypts a FlowFile using either symmetric encryption with a password and randomly generated salt, or asymmetric encryption using a public and secret key.


encryption, decryption, password, JCE, OpenPGP, PGP, GPG


In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property is considered “sensitive”, meaning that its value will be encrypted. Before entering a value in a sensitive property, ensure that the file has an entry for the property nifi.sensitive.props.key.

| Name | Default Value | Allowable Values | Description |
|---|---|---|---|
| Mode | Encrypt | Encrypt, Decrypt | Specifies whether the content should be encrypted or decrypted |
| Key Derivation Function | BCRYPT | NiFi Legacy KDF, OpenSSL EVP_BytesToKey, Bcrypt, Scrypt, None | Specifies the key derivation function to generate the key from the password (and salt) |
| Encryption Algorithm | MD5_128AES | MD5_128AES, MD5_192AES, MD5_256AES, MD5_RC2, SHA1_RC2, SHA_128AES, SHA_192AES, SHA_256AES, SHA_40RC2, SHA_128RC2, SHA_40RC4, SHA_128RC4, SHA256_128AES, SHA256_192AES | The Encryption Algorithm to use |
| Allow insecure cryptographic modes | not-allowed | Allowed, Not Allowed | Overrides the default behavior to prevent unsafe combinations of encryption algorithms and short passwords on JVMs with limited strength cryptographic jurisdiction policies |
| Password | | | The Password to use for encrypting or decrypting the data. Sensitive Property: true |
| Raw Key (hexadecimal) | | | In keyed encryption, this is the raw key, encoded in hexadecimal. Sensitive Property: true |
| Public Keyring File | | | In a PGP encrypt mode, this keyring contains the public key of the recipient |
| Public Key User Id | | | In a PGP encrypt mode, this is the user id of the recipient |
| Private Keyring File | | | In a PGP decrypt mode, this keyring contains the private key of the recipient |
| Private Keyring Passphrase | | | In a PGP decrypt mode, this is the private keyring passphrase. Sensitive Property: true |
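
The Key Derivation Function choices above differ in how a password becomes key material, and the Raw Key (hexadecimal) property bypasses derivation entirely. The Python sketch below is an added example, not NiFi's own code: it implements OpenSSL's EVP_BytesToKey with MD5 and a single iteration, derives a key with scrypt for comparison, and generates and validates a hex-encoded raw key. The scrypt cost parameters, the AES key-length check and all function names are assumptions made for illustration; the processor's internal parameters may differ.

```python
import hashlib
import secrets

AES_KEY_BYTES = (16, 24, 32)  # AES-128/192/256 (assumed to be the accepted raw key sizes)


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int = 16):
    """OpenSSL EVP_BytesToKey, MD5, count=1: D_i = MD5(D_{i-1} || password || salt)."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # One unsalted-state MD5 pass per 16 bytes of output; no work factor.
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def scrypt_key(password: bytes, salt: bytes, key_len: int) -> bytes:
    """Memory-hard derivation; n, r, p are assumed example cost parameters."""
    return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=1, dklen=key_len)


def new_raw_key_hex(bits: int = 256) -> str:
    """Random key for KDF 'None', formatted for the Raw Key (hexadecimal) property."""
    if bits % 8 or bits // 8 not in AES_KEY_BYTES:
        raise ValueError("AES keys are 128, 192 or 256 bits")
    return secrets.token_bytes(bits // 8).hex()


def parse_raw_key_hex(value: str) -> bytes:
    """Reject values that are not hex or do not decode to an AES key length."""
    try:
        key = bytes.fromhex(value.strip())
    except ValueError as exc:
        raise ValueError("raw key is not valid hexadecimal") from exc
    if len(key) not in AES_KEY_BYTES:
        raise ValueError(f"raw key is {len(key) * 8} bits, expected 128, 192 or 256")
    return key


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    pw, salt = b"constructed example passphrase", bytes(range(8))
    key, iv = evp_bytes_to_key(pw, salt, 32)
    print("EVP_BytesToKey key:", key.hex(), "iv:", iv.hex())
    print("scrypt key:        ", scrypt_key(pw, salt + bytes(8), 32).hex())
    print("raw key (hex):     ", new_raw_key_hex(256))
```
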


| Name | Description |
|---|---|
| failure | Any FlowFile that cannot be encrypted or decrypted will be routed to failure |
| success | Any FlowFile that is successfully encrypted or decrypted will be routed to success |

Reads Attributes:

None specified.

Writes Attributes:

None specified.


This processor supports OpenPGP algorithms that are compatible with third party programs. However, it currently cannot add a digital signature to an encrypted FlowFile.