Encrypt-Config Tool
The encrypt-config command line tool can be used to encrypt NiFi Registry configuration by invoking the tool with the following command:

```shell
./bin/encrypt-config nifi-registry [options]
```

-h, --help
    Show usage information (this message)

-v, --verbose
    Enables verbose mode (off by default)

-p, --password <password>
    Protect the files using a password-derived key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the password.

-k, --key <keyhex>
    Protect the files using a raw hexadecimal key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the key.

--oldPassword <password>
    If the input files are already protected using a password-derived key, this specifies the old password so that the files can be unprotected before re-protecting.

--oldKey <keyhex>
    If the input files are already protected using a key, this specifies the raw hexadecimal key so that the files can be unprotected before re-protecting.

-b, --bootstrapConf <file>
    The bootstrap.conf file containing no master key or an existing master key. If a new password/key is specified and no output bootstrap.conf file is specified, then this file will be overwritten to persist the new master key.

-B, --outputBootstrapConf <file>
    The destination bootstrap.conf file to persist the master key. If specified, the input bootstrap.conf will not be modified.

-r, --nifiRegistryProperties <file>
    The nifi-registry.properties file containing unprotected config values, overwritten if no output file is specified.

-R, --outputNifiRegistryProperties <file>
    The destination nifi-registry.properties file containing protected config values.

-a, --authorizersXml <file>
    The authorizers.xml file containing unprotected config values, overwritten if no output file is specified.

-A, --outputAuthorizersXml <file>
    The destination authorizers.xml file containing protected config values.

-i, --identityProvidersXml <file>
    The identity-providers.xml file containing unprotected config values, overwritten if no output file is specified.

-I, --outputIdentityProvidersXml <file>
    The destination identity-providers.xml file containing protected config values.
As an example of how the tool works, assume that you have installed the tool on a machine supporting 256-bit encryption and that the nifi-registry.properties file contains the following existing values:

```properties
# security properties #
nifi.registry.security.keystore=/path/to/keystore.jks
nifi.registry.security.keystoreType=JKS
nifi.registry.security.keystorePasswd=thisIsABadKeystorePassword
nifi.registry.security.keyPasswd=thisIsABadKeyPassword
nifi.registry.security.truststore=
nifi.registry.security.truststoreType=
nifi.registry.security.truststorePasswd=
```
Enter the following arguments when using the tool:

```shell
./bin/encrypt-config.sh nifi-registry \
    -b bootstrap.conf \
    -k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 \
    -r nifi-registry.properties
```
As a result, the nifi-registry.properties file is overwritten with protected properties and sibling encryption identifiers (aes/gcm/256, the currently supported algorithm):

```properties
# security properties #
nifi.registry.security.keystore=/path/to/keystore.jks
nifi.registry.security.keystoreType=JKS
nifi.registry.security.keystorePasswd=oBjT92hIGRElIGOh||MZ6uYuWNBrOA6usq/Jt3DaD2e4otNirZDytac/w/KFe0HOkrJR03vcbo
nifi.registry.security.keystorePasswd.protected=aes/gcm/256
nifi.registry.security.keyPasswd=ac/BaE35SL/esLiJ||+ULRvRLYdIDA2VqpE0eQXDEMjaLBMG2kbKOdOwBk/hGebDKlVg==
nifi.registry.security.keyPasswd.protected=aes/gcm/256
nifi.registry.security.truststore=
nifi.registry.security.truststoreType=
nifi.registry.security.truststorePasswd=
```
When applied to identity-providers.xml or authorizers.xml, the property elements are updated with an encryption attribute. For example:

```xml
<!-- LDAP Provider -->
<provider>
    <identifier>ldap-provider</identifier>
    <class>org.apache.nifi.registry.security.ldap.LdapProvider</class>
    <property name="Authentication Strategy">START_TLS</property>
    <property name="Manager DN">someuser</property>
    <property name="Manager Password" encryption="aes/gcm/128">q4r7WIgN0MaxdAKM||SGgdCTPGSFEcuH4RraMYEdeyVbOx93abdWTVSWvh1w+klA</property>
    <property name="TLS - Keystore">/path/to/keystore.jks</property>
    <property name="TLS - Keystore Password" encryption="aes/gcm/128">Uah59TWX+Ru5GY5p||B44RT/LJtC08QWA5ehQf01JxIpf0qSJUzug25UwkF5a50g</property>
    <property name="TLS - Keystore Type">JKS</property>
    ...
</provider>
```
Additionally, the bootstrap.conf file is updated with the encryption key as follows:

```properties
# Master key in hexadecimal format for encrypted sensitive configuration values
nifi.registry.bootstrap.sensitive.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
```
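The protected values above all share one layout: the base64-encoded IV, the literal separator `||`, and the base64-encoded AES-GCM ciphertext with its authentication tag appended, keyed by the hex master key from bootstrap.conf. The Go program below is an added illustration of that layout, not code from NiFi Registry; it assumes a 12-byte IV and a 16-byte tag (consistent with the lengths of the sample values shown above), and the function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// NewProtector builds AES-GCM from the hex master key kept in bootstrap.conf and returns
// the identifier for the ".protected" sibling: 16/24/32-byte keys give aes/gcm/128, /192, /256.
func NewProtector(keyHex string) (cipher.AEAD, string, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, "", err
	}
	gcm, err := cipher.NewGCM(block)
	return gcm, fmt.Sprintf("aes/gcm/%d", len(key)*8), err
}

// Protect encrypts one value into the base64(IV)||base64(ciphertext+tag) layout; the IV is fresh per value.
func Protect(gcm cipher.AEAD, plaintext string) (string, error) {
	iv := make([]byte, gcm.NonceSize()) // 12 bytes for GCM
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, iv, []byte(plaintext), nil) // ciphertext with the 16-byte tag appended
	return base64.RawStdEncoding.EncodeToString(iv) + "||" + base64.StdEncoding.EncodeToString(ct), nil
}

// Unprotect reverses Protect; a wrong key or an edited value fails the GCM tag check in Open.
func Unprotect(gcm cipher.AEAD, value string) (string, error) {
	ivB64, ctB64, ok := strings.Cut(value, "||")
	iv, errIV := base64.RawStdEncoding.DecodeString(ivB64)
	ct, errCT := base64.StdEncoding.DecodeString(ctB64)
	if !ok || errIV != nil || errCT != nil || len(iv) != gcm.NonceSize() {
		return "", fmt.Errorf("value is not in base64(IV)||base64(ciphertext+tag) form")
	}
	pt, err := gcm.Open(nil, iv, ct, nil)
	return string(pt), err
}
```

Because the master key in bootstrap.conf is all that separates the protected file from its plaintext, the file permissions on bootstrap.conf deserve the same care as those on the properties file itself.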
Sensitive configuration values are encrypted by the tool by default; however, you can encrypt any additional properties, if desired. To encrypt additional properties, specify them as comma-separated values in the nifi.registry.sensitive.props.additional.keys property.
If the nifi-registry.properties file already has valid protected values and you wish to protect additional values using the same master key already present in your bootstrap.conf, then run the tool without specifying a new key:

```shell
# bootstrap.conf already contains the master key property
# nifi-registry.properties has been updated for nifi.registry.sensitive.props.additional.keys=...
./bin/encrypt-config.sh nifi-registry -b bootstrap.conf -r nifi-registry.properties
```