Apache NiFi Registry System Administrator's Guide
Also available as:

Encrypted Passwords in Configuration Files

In order to facilitate the secure setup of NiFi Registry, you can use the encrypt-config command line utility to encrypt raw configuration values that NiFi Registry decrypts in memory on startup. This extensible protection scheme transparently allows NiFi Registry to use raw values in operation, while protecting them at rest. In the future, hardware security modules (HSM) and external secure storage mechanisms will be integrated, but for now, an AES encryption provider is the default implementation.

If no administrator action is taken, the configuration values remain unencrypted.

The encrypt-config tool for NiFi Registry is implemented as an additional mode to the existing tool in the nifi-toolkit. The following sections assume you have downloaded the binary for the nifi-toolkit.