Repository Encryption

NiFi supports encryption of local repositories using a configurable Key Provider to enable protection of information on the filesystem. Repository encryption configuration uses a version number to indicate the cipher algorithms, metadata format, and repository implementation classes. This approach provides a generalized method for configuration without the need to customize each repository implementation class.

Repository encryption incurs a performance cost due to the overhead of cipher operations. Filesystem encryption at the operating system level provides an alternative solution, with different performance characteristics. For deployments where filesystem encryption is not configured, repository encryption provides an enhanced level of data protection. Due to increased performance requirements, more computing resources may be necessary to achieve sufficient throughput when enabling repository encryption.

The security of repository encryption depends on a combination of the cipher algorithms and the protection of encryption keys. Key protection and key rotation are important parts of securing an encrypted repository configuration. Key protection involves limiting access to the Key Provider and key rotation requires manual updates to generate and specify a new encryption key.