Encrypt-Config Tool
The encrypt-config
command line tool can be used to encrypt NiFi Registry configuration by invoking the tool with the following command:
./bin/encrypt-config --nifiRegistry [options]
You can use the following command line options with the encrypt-config
tool:
-
-h
,--help
Show usage information (this message) -
-v
,--verbose
Sets verbose mode (default false) -
-p
,--password <password>
Protect the files using a password-derived key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the password. -
-k
,--key <keyhex>
Protect the files using a raw hexadecimal key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the key. -
--oldPassword <password>
If the input files are already protected using a password-derived key, this specifies the old password so that the files can be unprotected before re-protecting. -
--oldKey <keyhex>
If the input files are already protected using a key, this specifies the raw hexadecimal key so that the files can be unprotected before re-protecting. -
-b
,--bootstrapConf <file>
The bootstrap.conf file containing no root key or an existing root key. If a new password or key is specified (using-p
or-k
) and no output bootstrap.conf file is specified, then this file will be overwritten to persist the new root key. -
-B
,--outputBootstrapConf <file>
The destination bootstrap.conf file to persist root key. If specified, the input bootstrap.conf will not be modified. -
-r
,--nifiRegistryProperties <file>
The nifi-registry.properties file containing unprotected config values, overwritten if no output file specified. -
-R
,--outputNifiRegistryProperties <file>
The destination nifi-registry.properties file containing protected config values. -
-a
,--authorizersXml <file>
The authorizers.xml file containing unprotected config values, overwritten if no output file specified. -
-A
,--outputAuthorizersXml <file>
The destination authorizers.xml file containing protected config values. -
-i
,--identityProvidersXml <file>
The identity-providers.xml file containing unprotected config values, overwritten if no output file specified. -
-I
,--outputIdentityProvidersXml <file>
The destination identity-providers.xml file containing protected config values. -
--decrypt
Can be used with-r
to decrypt a previously encrypted NiFi Registry Properties file. Decrypted content is printed to STDOUT.
As an example of how the tool works, assume that you have installed the tool on a machine supporting 256-bit encryption and with the following existing values in the nifi-registry.properties file:
# security properties #
nifi.registry.security.keystore=/path/to/keystore.jks
nifi.registry.security.keystoreType=JKS
nifi.registry.security.keystorePasswd=thisIsABadKeystorePassword
nifi.registry.security.keyPasswd=thisIsABadKeyPassword
nifi.registry.security.truststore=
nifi.registry.security.truststoreType=
nifi.registry.security.truststorePasswd=
Enter the following arguments when using the tool:
./bin/encrypt-config.sh --nifiRegistry \
-b bootstrap.conf \
-k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 \
-r nifi-registry.properties
As a result, the nifi-registry.properties file is overwritten with protected properties and sibling encryption identifiers (aes/gcm/256
, the currently supported algorithm):
# security properties #
nifi.registry.security.keystore=/path/to/keystore.jks
nifi.registry.security.keystoreType=JKS
nifi.registry.security.keystorePasswd=oBjT92hIGRElIGOh||MZ6uYuWNBrOA6usq/Jt3DaD2e4otNirZDytac/w/KFe0HOkrJR03vcbo
nifi.registry.security.keystorePasswd.protected=aes/gcm/256
nifi.registry.security.keyPasswd=ac/BaE35SL/esLiJ||+ULRvRLYdIDA2VqpE0eQXDEMjaLBMG2kbKOdOwBk/hGebDKlVg==
nifi.registry.security.keyPasswd.protected=aes/gcm/256
nifi.registry.security.truststore=
nifi.registry.security.truststoreType=
nifi.registry.security.truststorePasswd=
When applied to identity-providers.xml or authorizers.xml, the property elements are updated with an encryption
attribute. For example:
<!-- LDAP Provider -->
<provider>
<identifier>ldap-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapProvider</class>
<property name="Authentication Strategy">START_TLS</property>
<property name="Manager DN">someuser</property>
<property name="Manager Password" encryption="aes/gcm/128">q4r7WIgN0MaxdAKM||SGgdCTPGSFEcuH4RraMYEdeyVbOx93abdWTVSWvh1w+klA</property>
<property name="TLS - Keystore">/path/to/keystore.jks</property>
<property name="TLS - Keystore Password" encryption="aes/gcm/128">Uah59TWX+Ru5GY5p||B44RT/LJtC08QWA5ehQf01JxIpf0qSJUzug25UwkF5a50g</property>
<property name="TLS - Keystore Type">JKS</property>
...
</provider>
Additionally, the bootstrap.conf file is updated with the encryption key as follows:
# Root key in hexadecimal format for encrypted sensitive configuration values
nifi.registry.bootstrap.sensitive.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
Sensitive configuration values are encrypted by the tool by default, however you can encrypt any additional properties, if desired. To encrypt additional properties, specify them as comma-separated values in the nifi.registry.sensitive.props.additional.keys
property.
If the nifi-registry.properties file already has valid protected values and you wish to protect additional values using the same root key already present in your bootstrap.conf, then run the tool without specifying a new key:
# bootstrap.conf already contains root key property
# nifi-registy.properties has been updated for nifi.registry.sensitive.props.additional.keys=...
./bin/encrypt-config.sh --nifiRegistry -b bootstrap.conf -r nifi-registry.properties