Key Provider Configuration

All encrypted repositories require a Key Provider to perform encryption and decryption operations. NiFi supports configuring the Key Provider implementation as well as the Key Identifier that will be used for new encryption operations. Key Provider implementations can hold multiple keys to support using a new key while maintaining access to information encrypted using the previous key.

Repository encryption supports access to secret keys using standard java.security.KeyStore files. See Secret Key Generation and Storage using Keytool for details on supported KeyStore types, as well as examples of generating secret keys.

The following configuration properties provide an example using a PKCS12 KeyStore file named repository.p12 containing a secret key labeled with an alias of primary-key:


nifi.repository.encryption.key.id=primary-key
nifi.repository.encryption.key.provider=KEYSTORE
nifi.repository.encryption.key.provider.keystore.location=conf/repository.p12
nifi.repository.encryption.key.provider.keystore.password=2fRKmwDyMYmT7P5L
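
The check below is an added example, not part of the NiFi documentation or code base: it loads the PKCS12 file named by the properties above and confirms that the alias in nifi.repository.encryption.key.id holds a secret key, which is worth verifying before pointing the Key Identifier at a new key. The class name RepositoryKeyCheck, the check method, the baseDir used to resolve the relative keystore location, and the keystore and password built in main are assumptions constructed for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Properties;
import javax.crypto.KeyGenerator;

public class RepositoryKeyCheck {            // hypothetical class name
    static final String PREFIX = "nifi.repository.encryption.key.";

    // Returns "OK" when the properties resolve to a usable secret key, otherwise the problem found.
    static String check(Properties props, Path baseDir) throws Exception {
        String keyId = props.getProperty(PREFIX + "id", "");
        String location = props.getProperty(PREFIX + "provider.keystore.location", "");
        String password = props.getProperty(PREFIX + "provider.keystore.password", "");
        if (!"KEYSTORE".equals(props.getProperty(PREFIX + "provider"))) return "key.provider is not KEYSTORE";
        if (keyId.isEmpty() || location.isEmpty()) return "key.id or keystore.location is not set";
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(baseDir.resolve(location))) {
            keyStore.load(in, password.toCharArray()); // IOException on a wrong password or missing file
        }
        if (!keyStore.entryInstanceOf(keyId, KeyStore.SecretKeyEntry.class)) {
            return "no secret key stored under alias " + keyId;
        }
        return "OK";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: temporary directory, keystore and password, not values from a real install.
        Path baseDir = Files.createTempDirectory("nifi-sample");
        Files.createDirectories(baseDir.resolve("conf"));
        char[] password = "constructed-sample-password".toCharArray();
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);
        keyStore.setEntry("primary-key", new KeyStore.SecretKeyEntry(generator.generateKey()),
                new KeyStore.PasswordProtection(password));
        try (OutputStream out = Files.newOutputStream(baseDir.resolve("conf/repository.p12"))) {
            keyStore.store(out, password);
        }
        Properties props = new Properties();
        props.load(new StringReader(PREFIX + "id=primary-key\n" + PREFIX + "provider=KEYSTORE\n"
                + PREFIX + "provider.keystore.location=conf/repository.p12\n"
                + PREFIX + "provider.keystore.password=constructed-sample-password\n"));
        System.out.println("matching alias: " + check(props, baseDir));
        props.setProperty(PREFIX + "id", "rotated-key"); // alias that was never added to the keystore
        System.out.println("missing alias:  " + check(props, baseDir));
    }
}
```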