Encrypt-Config Tool
The encrypt-config
command line tool (invoked as ./bin/encrypt-config.sh
or bin\encrypt-config.bat
) reads from a nifi.properties file with plaintext sensitive configuration values, prompts for a master password or raw hexadecimal key, and encrypts each value. It replaces the plain values with the protected value in the same file, or writes to a new nifi.properties file if specified.
The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed.
You can use the following command line options with the encrypt-config
tool:
-
-h
,--help
Prints this usage message -
-v
,--verbose
Sets verbose mode (default false) -
-n
,--niFiProperties <arg>
The nifi.properties file containing unprotected config values (will be overwritten) -
-l
,--loginIdentityProviders <arg>
The login-identity-providers.xml file containing unprotected config values (will be overwritten) -
-a
,--authorizers <arg>
The authorizers.xml file containing unprotected config values (will be overwritten) -
-f
,--flowXml <arg>
The flow.xml.gz file currently protected with old password (will be overwritten) -
-b
,--bootstrapConf <arg>
The bootstrap.conf file to persist master key -
-o
,--outputNiFiProperties <arg>
The destination nifi.properties file containing protected config values (will not modify input nifi.properties) -
-i
,--outputLoginIdentityProviders <arg>
The destination login-identity-providers.xml file containing protected config values (will not modify input login-identity-providers.xml) -
-u
,--outputAuthorizers <arg>
The destination authorizers.xml file containing protected config values (will not modify input authorizers.xml) -
-g
,--outputFlowXml <arg>
The destination flow.xml.gz file containing protected config values (will not modify input flow.xml.gz) -
-k
,--key <arg>
The raw hexadecimal key to use to encrypt the sensitive properties -
-e
,--oldKey <arg>
The old raw hexadecimal key to use during key migration -
-p
,--password <arg>
The password from which to derive the key to use to encrypt the sensitive properties -
-w
,--oldPassword <arg>
The old password from which to derive the key during migration -
-r
,--useRawKey
If provided, the secure console will prompt for the raw key value in hexadecimal form -
-m
,--migrate
If provided, the nifi.properties and/or login-identity-providers.xml sensitive properties will be re-encrypted with a new key -
-x
,--encryptFlowXmlOnly
If provided, the properties in flow.xml.gz will be re-encrypted with a new key but the nifi.properties and/or login-identity-providers.xml files will not be modified -
-s
,--propsKey <arg>
The password or key to use to encrypt the sensitive processor properties in flow.xml.gz -
-A
,--newFlowAlgorithm <arg>
The algorithm to use to encrypt the sensitive processor properties in flow.xml.gz -
-P
,--newFlowProvider <arg>
The security provider to use to encrypt the sensitive processor properties in flow.xml.gz
As an example of how the tool works, assume that you have installed the tool on a machine supporting 256-bit encryption and with the following existing values in the nifi.properties file:
# security properties #
nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=thisIsABadKeystorePassword
nifi.security.keyPasswd=thisIsABadKeyPassword
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
Enter the following arguments when using the tool:
encrypt-config.sh
-b bootstrap.conf
-k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
-n nifi.properties
As a result, the nifi.properties file is overwritten with protected properties and sibling encryption identifiers (aes/gcm/256
, the currently supported algorithm):
# security properties #
nifi.sensitive.props.key=n2z+tTTbHuZ4V4V2||uWhdasyDXD4ZG2lMAes/vqh6u4vaz4xgL4aEbF4Y/dXevqk3ulRcOwf1vc4RDQ==
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=oBjT92hIGRElIGOh||MZ6uYuWNBrOA6usq/Jt3DaD2e4otNirZDytac/w/KFe0HOkrJR03vcbo
nifi.security.keystorePasswd.protected=aes/gcm/256
nifi.security.keyPasswd=ac/BaE35SL/esLiJ||+ULRvRLYdIDA2VqpE0eQXDEMjaLBMG2kbKOdOwBk/hGebDKlVg==
nifi.security.keyPasswd.protected=aes/gcm/256
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
Additionally, the bootstrap.conf file is updated with the encryption key as follows:
# Master key in hexadecimal format for encrypted sensitive configuration values
nifi.bootstrap.sensitive.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
Sensitive configuration values are encrypted by the tool by default, however you can encrypt any additional properties, if desired. To encrypt additional properties, specify them as comma-separated values in the nifi.sensitive.props.additional.keys
property.
If the nifi.properties file already has valid protected values, those property values are not modified by the tool.
When applied to login-identity-providers.xml and authorizers.xml, the property elements are updated with an encryption
attribute:
Example of protected login-identity-providers.xml:
<!-- LDAP Provider -->
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN">someuser</property>
<property name="Manager Password" encryption="aes/gcm/128">q4r7WIgN0MaxdAKM||SGgdCTPGSFEcuH4RraMYEdeyVbOx93abdWTVSWvh1w+klA</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password" encryption="aes/gcm/128">Uah59TWX+Ru5GY5p||B44RT/LJtC08QWA5ehQf01JxIpf0qSJUzug25UwkF5a50g</property>
<property name="TLS - Keystore Type"></property>
...
</provider>
Example of protected authorizers.xml:
<!-- LDAP User Group Provider -->
<userGroupProvider>
<identifier>ldap-user-group-provider</identifier>
<class>org.apache.nifi.ldap.tenants.LdapUserGroupProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN">someuser</property>
<property name="Manager Password" encryption="aes/gcm/128">q4r7WIgN0MaxdAKM||SGgdCTPGSFEcuH4RraMYEdeyVbOx93abdWTVSWvh1w+klA</property>
<property name="TLS - Keystore"></property>
<property name="TLS - Keystore Password" encryption="aes/gcm/128">Uah59TWX+Ru5GY5p||B44RT/LJtC08QWA5ehQf01JxIpf0qSJUzug25UwkF5a50g</property>
<property name="TLS - Keystore Type"></property>
...
</userGroupProvider>
---