Using the Apache NiFi Toolkit
Also available as:

Encrypt-Config Tool

The encrypt-config command line tool (invoked as ./bin/ or bin\encrypt-config.bat) reads from a file with plaintext sensitive configuration values, prompts for a master password or raw hexadecimal key, and encrypts each value. It replaces the plain values with the protected value in the same file, or writes to a new file if specified.

The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed.