Encrypt-Config Tool

The encrypt-config command line tool (invoked as ./bin/encrypt-config.sh or bin\encrypt-config.bat) reads from a 'nifi.properties' file with plaintext sensitive configuration values, prompts for a master password or raw hexadecimal key, and encrypts each value. It replaces the plain values with the protected value in the same file, or writes to a new 'nifi.properties' file if specified.
The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed.
You can use the following command line options with the encrypt-config tool:

-h,--help                                 Prints this usage message
-v,--verbose                              Sets verbose mode (default false)
-n,--niFiProperties <arg>                 The nifi.properties file containing unprotected config values (will be overwritten)
-l,--loginIdentityProviders <arg>         The login-identity-providers.xml file containing unprotected config values (will be overwritten)
-a,--authorizers <arg>                    The authorizers.xml file containing unprotected config values (will be overwritten)
-f,--flowXml <arg>                        The flow.xml.gz file currently protected with old password (will be overwritten)
-b,--bootstrapConf <arg>                  The bootstrap.conf file to persist master key
-o,--outputNiFiProperties <arg>           The destination nifi.properties file containing protected config values (will not modify input nifi.properties)
-i,--outputLoginIdentityProviders <arg>   The destination login-identity-providers.xml file containing protected config values (will not modify input login-identity-providers.xml)
-u,--outputAuthorizers <arg>              The destination authorizers.xml file containing protected config values (will not modify input authorizers.xml)
-g,--outputFlowXml <arg>                  The destination flow.xml.gz file containing protected config values (will not modify input flow.xml.gz)
-k,--key <arg>                            The raw hexadecimal key to use to encrypt the sensitive properties
-e,--oldKey <arg>                         The old raw hexadecimal key to use during key migration
-p,--password <arg>                       The password from which to derive the key to use to encrypt the sensitive properties
-w,--oldPassword <arg>                    The old password from which to derive the key during migration
-r,--useRawKey                            If provided, the secure console will prompt for the raw key value in hexadecimal form
-m,--migrate                              If provided, the nifi.properties and/or login-identity-providers.xml sensitive properties will be re-encrypted with a new key
-x,--encryptFlowXmlOnly                   If provided, the properties in flow.xml.gz will be re-encrypted with a new key but the nifi.properties and/or login-identity-providers.xml files will not be modified
-s,--propsKey <arg>                       The password or key to use to encrypt the sensitive processor properties in flow.xml.gz
-A,--newFlowAlgorithm <arg>               The algorithm to use to encrypt the sensitive processor properties in flow.xml.gz
-P,--newFlowProvider <arg>                The security provider to use to encrypt the sensitive processor properties in flow.xml.gz
As an example of how the tool works, assume that you have installed the tool on a machine supporting 256-bit encryption and with the following existing values in the 'nifi.properties' file:
# security properties #
nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=thisIsABadKeystorePassword
nifi.security.keyPasswd=thisIsABadKeyPassword
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
Enter the following arguments when using the tool:
encrypt-config.sh -b bootstrap.conf -k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 -n nifi.properties
As a result, the 'nifi.properties' file is overwritten with protected properties and sibling encryption identifiers (aes/gcm/256, the currently supported algorithm):
# security properties #
nifi.sensitive.props.key=n2z+tTTbHuZ4V4V2||uWhdasyDXD4ZG2lMAes/vqh6u4vaz4xgL4aEbF4Y/dXevqk3ulRcOwf1vc4RDQ==
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=oBjT92hIGRElIGOh||MZ6uYuWNBrOA6usq/Jt3DaD2e4otNirZDytac/w/KFe0HOkrJR03vcbo
nifi.security.keystorePasswd.protected=aes/gcm/256
nifi.security.keyPasswd=ac/BaE35SL/esLiJ||+ULRvRLYdIDA2VqpE0eQXDEMjaLBMG2kbKOdOwBk/hGebDKlVg==
nifi.security.keyPasswd.protected=aes/gcm/256
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
Additionally, the 'bootstrap.conf' file is updated with the encryption key as follows:
# Master key in hexadecimal format for encrypted sensitive configuration values
nifi.bootstrap.sensitive.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
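A minimal re-implementation of the rewrite shown above, added here as an illustration and not the NiFi toolkit's own code: it derives the aes/gcm/<bits> identifier from the length of the raw hexadecimal key, encrypts each sensitive value under a fresh IV into the base64(IV)||base64(ciphertext+tag) layout visible in the protected file, and emits the .protected sibling line. The set of default sensitive property names is an assumption taken from the page's example, and the output differs from the page's only in the random IVs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Properties protected by default (assumption: the credential entries from the page's example).
var sensitive = map[string]bool{"nifi.sensitive.props.key": true, "nifi.security.keystorePasswd": true,
	"nifi.security.keyPasswd": true, "nifi.security.truststorePasswd": true}
// NewGCM builds AES-GCM from the raw hex key: 32 hex digits select aes/gcm/128, 64 select aes/gcm/256.
// The same AEAD decrypts via gcm.Open(nil, iv, ct, nil); a wrong key or an edited value fails the tag check.
func NewGCM(keyHex string) (cipher.AEAD, error) {
	key, errHex := hex.DecodeString(keyHex)
	block, errAES := aes.NewCipher(key) // a partial or wrongly sized key is rejected here
	if errHex != nil || errAES != nil || len(key)%16 != 0 {
		return nil, fmt.Errorf("raw key must be 32 or 64 hexadecimal digits")
	}
	return cipher.NewGCM(block)
}
// ProtectProperties rewrites a nifi.properties text the way the tool does: each non-empty sensitive
// value becomes base64(IV)||base64(ciphertext+tag) and gains a "<name>.protected=aes/gcm/<bits>"
// sibling line; comments, other keys and empty values pass through unchanged.
func ProtectProperties(props, keyHex string) (string, error) {
	gcm, err := NewGCM(keyHex)
	if err != nil {
		return "", err
	}
	scheme := fmt.Sprintf("aes/gcm/%d", len(keyHex)*4) // hex digits -> key bits
	var out []string
	for _, line := range strings.Split(props, "\n") {
		name, val, _ := strings.Cut(line, "=")
		if !sensitive[name] || val == "" {
			out = append(out, line)
			continue
		}
		iv := make([]byte, gcm.NonceSize()) // fresh 96-bit IV per value; never reuse one under a key
		if _, err := rand.Read(iv); err != nil {
			return "", err
		}
		ct := base64.StdEncoding.EncodeToString(gcm.Seal(nil, iv, []byte(val), nil))
		out = append(out, name+"="+base64.StdEncoding.EncodeToString(iv)+"||"+ct, name+".protected="+scheme)
	}
	return strings.Join(out, "\n"), nil
}
```

Decrypting a protected value with the bootstrap key and checking that the GCM tag verifies is a quick way to confirm that a nifi.properties file and its bootstrap.conf key still belong together before starting NiFi.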
Sensitive configuration values are encrypted by the tool by default, however you can encrypt any additional properties, if desired. To encrypt additional properties, specify them as comma-separated values in the nifi.sensitive.props.additional.keys property.
If the 'nifi.properties' file already has valid protected values, those property values are not modified by the tool.
When applied to 'login-identity-providers.xml' and 'authorizers.xml', the property elements are updated with an encryption attribute:
Example of protected login-identity-providers.xml:
<!-- LDAP Provider -->
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">someuser</property>
    <property name="Manager Password" encryption="aes/gcm/128">q4r7WIgN0MaxdAKM||SGgdCTPGSFEcuH4RraMYEdeyVbOx93abdWTVSWvh1w+klA</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password" encryption="aes/gcm/128">Uah59TWX+Ru5GY5p||B44RT/LJtC08QWA5ehQf01JxIpf0qSJUzug25UwkF5a50g</property>
    <property name="TLS - Keystore Type"></property>
    ...
</provider>
Example of protected authorizers.xml:
<!-- LDAP User Group Provider -->
<userGroupProvider>
    <identifier>ldap-user-group-provider</identifier>
    <class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">someuser</property>
    <property name="Manager Password" encryption="aes/gcm/128">q4r7WIgN0MaxdAKM||SGgdCTPGSFEcuH4RraMYEdeyVbOx93abdWTVSWvh1w+klA</property>
    <property name="TLS - Keystore"></property>
    <property name="TLS - Keystore Password" encryption="aes/gcm/128">Uah59TWX+Ru5GY5p||B44RT/LJtC08QWA5ehQf01JxIpf0qSJUzug25UwkF5a50g</property>
    <property name="TLS - Keystore Type"></property>
    ...
</userGroupProvider>