AESWrapEncryption significantly improves on the security of the older JCEEncryption scheme, and uses only FIPS-compatible algorithms (PBKDF2 and AES-KW). However, the password-based key derivation is significantly more expensive by default, in line with NIST recommendations. This can cause significant startup delays if there are large numbers of agents in the system as all the passwords have to be decrypted, and the large cost is paid for every password.
If a strong password is chosen (as it is by default) then these requirements can be relaxed and we allow much lower iteration counts to be used - even a single iteration is secure if the password is strong. However, some customers are unable to reduce the iteration count due to local security policies.
An alternative algorithm has been designed that significantly reduces the cost of AESWrapEncryption even when high iteration counts are used. This new design can be implemented in a backwards compatible way so that existing encrypted data can still be decrypted (with the same high performance cost) but newly-encrypted values will use the more efficient scheme. This will allow new installations to more easily adopt the more secure encryption scheme and provide an incremental migration path for existing users.