NiFi System Properties
Also available as:

Encrypted Write Ahead FlowFile Repository Properties

All of the properties defined above (see Write Ahead FlowFile Repository) still apply. Only encryption-specific properties are listed here. See Encrypted FlowFile Repository in the User Guide for more information.

Unlike the encrypted content and provenance repositories, the repository implementation does not change here, only the underlying write-ahead log implementation. This allows for cleaner separation and more flexibility in implementation selection. The property that should be changed to enable encryption is nifi.flowfile.repository.wal.implementation.




This is the fully-qualified class name of the key provider. A key provider is the datastore interface for accessing the encryption key to protect the content claims. There are currently two implementations - StaticKeyProvider which reads a key directly from, and FileBasedKeyProvider which reads n many keys from an encrypted file. The interface is extensible, and HSM-backed or other providers are expected in the future.


The path to the key definition resource (empty for StaticKeyProvider, ./keys.nkp or similar path for FileBasedKeyProvider). For future providers like an HSM, this may be a connection string or URL.

The active key ID to use for encryption (e.g. Key1).


The key to use for StaticKeyProvider. The key format is hex-encoded (0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210) but can also be encrypted using the ./ tool in NiFi Toolkit (see the Encrypt-Config Tool section in the NiFi Toolkit Guide for more information).*

Allows for additional keys to be specified for the StaticKeyProvider. For example, the line…​210 would provide an available key Key2.

The simplest configuration is below: