Encrypt-Config Tool
The encrypt-config command line tool (invoked as ./bin/encrypt-config.sh or bin\encrypt-config.bat) reads from a nifi.properties file with plaintext sensitive configuration values, prompts for a master password or raw hexadecimal key, and encrypts each value. It replaces the plain values with the protected value in the same file, or writes to a new nifi.properties file if specified.
The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed.
You can use the following command line options with the encrypt-config tool:
-A,--newFlowAlgorithm <arg>The algorithm to use to encrypt the sensitive processor properties in flow.xml.gz-b,--bootstrapConf <arg>The bootstrap.conf file to persist master key-e,--oldKey <arg>The old raw hexadecimal key to use during key migration-f,--flowXml <arg>The flow.xml.gz file currently protected with old password (will be overwritten)-g,--outputFlowXml <arg>The destination flow.xml.gz file containing protected config values (will not modify input flow.xml.gz)-h,--helpPrints this usage message-i,--outputLoginIdentityProviders <arg>The destination login-identity-providers.xml file containing protected config values (will not modify input login-identity-providers.xml)-k,--key <arg>The raw hexadecimal key to use to encrypt the sensitive properties-l,--loginIdentityProviders <arg>The login-identity-providers.xml file containing unprotected config values (will be overwritten)-m,--migrateIf provided, the nifi.properties and/or login-identity-providers.xml sensitive properties will be re-encrypted with a new key-n,--niFiProperties <arg>The nifi.properties file containing unprotected config values (will be overwritten)-o,--outputNiFiProperties <arg>The destination nifi.properties file containing protected config values (will not modify input nifi.properties)-p,--password <arg>The password from which to derive the key to use to encrypt the sensitive properties-P,--newFlowProvider <arg>The security provider to use to encrypt the sensitive processor properties in flow.xml.gz-r,--useRawKeyIf provided, the secure console will prompt for the raw key value in hexadecimal form-s,--propsKey <arg>The password or key to use to encrypt the sensitive processor properties in flow.xml.gz-v,--verboseSets verbose mode (default false)-w,--oldPassword <arg>The old password from which to derive the key during migration-x,--encryptFlowXmlOnlyIf provided, the properties in flow.xml.gz will be re-encrypted with a new key but the nifi.properties and/or login-identity-providers.xml files will not be modified
As an example of how the tool works, assume that you have installed the tool on a machine supporting 256-bit encryption and with the following existing values in the nifi.properties file:
# security properties # nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL nifi.sensitive.props.provider=BC nifi.sensitive.props.additional.keys= nifi.security.keystore=/path/to/keystore.jks nifi.security.keystoreType=JKS nifi.security.keystorePasswd=thisIsABadKeystorePassword nifi.security.keyPasswd=thisIsABadKeyPassword nifi.security.truststore= nifi.security.truststoreType= nifi.security.truststorePasswd=
Enter the following arguments when using the tool:
encrypt-config.sh -b bootstrap.conf -k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 -n nifi.properties
As a result, the nifi.properties file is overwritten with protected properties and sibling encryption identifiers (aes/gcm/256, the currently supported algorithm):
# security properties # nifi.sensitive.props.key=n2z+tTTbHuZ4V4V2||uWhdasyDXD4ZG2lMAes/vqh6u4vaz4xgL4aEbF4Y/dXevqk3ulRcOwf1vc4RDQ== nifi.sensitive.props.key.protected=aes/gcm/256 nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL nifi.sensitive.props.provider=BC nifi.sensitive.props.additional.keys= nifi.security.keystore=/path/to/keystore.jks nifi.security.keystoreType=JKS nifi.security.keystorePasswd=oBjT92hIGRElIGOh||MZ6uYuWNBrOA6usq/Jt3DaD2e4otNirZDytac/w/KFe0HOkrJR03vcbo nifi.security.keystorePasswd.protected=aes/gcm/256 nifi.security.keyPasswd=ac/BaE35SL/esLiJ||+ULRvRLYdIDA2VqpE0eQXDEMjaLBMG2kbKOdOwBk/hGebDKlVg== nifi.security.keyPasswd.protected=aes/gcm/256 nifi.security.truststore= nifi.security.truststoreType= nifi.security.truststorePasswd=
Additionally, the bootstrap.conf file is updated with the encryption key as follows:
# Master key in hexadecimal format for encrypted sensitive configuration values nifi.bootstrap.sensitive.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
Sensitive configuration values are encrypted by the tool by default, however you can encrypt any additional properties, if desired. To encrypt additional properties, specify them as comma-separated values in the nifi.sensitive.props.additional.keys property.
If the nifi.properties file already has valid protected values, those property values are not modified by the tool.
When applied to login-identity-providers.xml, the property elements are updated with an encryption attribute:
<!-- LDAP Provider -->
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN">someuser</property>
<property name="Manager Password" encryption="aes/gcm/128">q4r7WIgN0MaxdAKM||SGgdCTPGSFEcuH4RraMYEdeyVbOx93abdWTVSWvh1w+klA</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password" encryption="aes/gcm/128">Uah59TWX+Ru5GY5p||B44RT/LJtC08QWA5ehQf01JxIpf0qSJUzug25UwkF5a50g</property>
<property name="TLS - Keystore Type"></property>
...
</provider>