Writing and Reading Content Claims
Once the repository is initialized, all content claim write operations are serialized using RepositoryObjectStreamEncryptor (the only currently existing implementation is RepositoryObjectAESCTREncryptor) to an OutputStream. The actual implementation is EncryptedContentRepositoryOutputStream, which encrypts the data written by the component via StandardProcessSession inline and the encryption metadata (IV) is serialized and prepended. The complete OutputStream is then written to the repository on disk as normal.
On content claim read, the process is reversed. The encryption metadata (RepositoryObjectEncryptionMetadata) is parsed and used to decrypt the serialized bytes, which are then deserialized into a CipherInputStream object. The delegation to the normal repository file system interaction allows for "random-access" (i.e. immediate seek without decryption of unnecessary content claims).
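The write and read paths described above can be sketched as follows. This is an added example, not NiFi's own code: the class and method names are hypothetical, the prepended metadata is reduced to a raw 16-byte IV rather than a serialized RepositoryObjectEncryptionMetadata object, and an in-memory byte array stands in for the repository file on disk.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical demo class; assumed simplified layout per claim: [16-byte IV][AES-CTR ciphertext].
public class ClaimLayoutDemo {
    static final int IV_LEN = 16;
    static final SecureRandom RNG = new SecureRandom();

    static Cipher ctr(int mode, byte[] key, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/CTR/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c;
    }

    // Write path: fresh random IV per claim (CTR must never reuse an IV under one key),
    // IV prepended, ciphertext appended. Returns the claim's offset in the container.
    static int writeClaim(ByteArrayOutputStream container, byte[] key, byte[] plain) throws Exception {
        int offset = container.size();
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        container.write(iv);
        container.write(ctr(Cipher.ENCRYPT_MODE, key, iv).doFinal(plain));
        return offset;
    }

    // Read path: jump straight to the claim offset, parse its IV, stream-decrypt only that claim.
    static byte[] readClaim(byte[] container, byte[] key, int offset, int length) throws Exception {
        byte[] iv = Arrays.copyOfRange(container, offset, offset + IV_LEN);
        InputStream raw = new ByteArrayInputStream(container, offset + IV_LEN, length);
        try (InputStream in = new CipherInputStream(raw, ctr(Cipher.DECRYPT_MODE, key, iv))) {
            return in.readNBytes(length);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        RNG.nextBytes(key); // constructed throwaway key for the demo
        ByteArrayOutputStream container = new ByteArrayOutputStream();
        byte[] b = "claim-B: second flowfile content".getBytes(StandardCharsets.UTF_8);
        writeClaim(container, key, "claim-A: first flowfile content".getBytes(StandardCharsets.UTF_8));
        int offB = writeClaim(container, key, b); // second claim starts after the first
        byte[] out = readClaim(container.toByteArray(), key, offB, b.length);
        if (!Arrays.equals(out, b)) throw new AssertionError("claim B did not round-trip");
        System.out.println(new String(out, StandardCharsets.UTF_8));
    }
}
```

Because each claim carries its own IV at its own offset, the second claim is decrypted without touching the first claim's ciphertext.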
Within the NiFi UI/API, there is no detectable difference between an encrypted and unencrypted content repository. The Provenance Query operations to view content work as expected with no change to the process.