Using Apache NiFi

Secret Key Generation and Storage using Keytool

The KeyStoreKeyProvider supports reading from a java.security.KeyStore using a configured password to load AES Secret Key entries. The KeyStoreKeyProvider can be configured with any of the encrypted repository implementations.

The provider supports the following KeyStore Types:

  • BCFKS

  • PKCS12

The keystore filename extension must be either .p12 indicating PKCS12 or .bcfks indicating BCFKS.

The keytool command can be used to generate an AES-256 Secret Key stored in a PKCS12 file for repository encryption:

keytool -genseckey -alias primary-key -keyalg AES -keysize 256 -keystore repository.p12 -storetype PKCS12

The keytool command requires additional arguments specifying the BouncyCastle Security Provider to store Secret Keys using BCFKS. The arguments must include a reference to the BouncyCastle Security Provider library, which is available in the lib/bootstrap directory under the NiFi installation.

The following command can be used to generate an AES-256 Secret Key stored using BCFKS:

keytool -genseckey -alias primary-key -keyalg AES -keysize 256 -keystore repository.bcfks -storetype BCFKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath lib/bootstrap/bcprov-jdk15on-*.jar

Enter a keystore password when prompted. The same value must be used for both the keystore password and key password. The keystore password will be used in the provider configuration properties.
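The provider's side of this, as an added example that is not NiFi's own code: the program below builds a PKCS12 keystore with an AES-256 secret key entry through the java.security.KeyStore API (the same result keytool produces above), then opens it the way a provider given a single configured password must, loading the store and reading the entry with that one value. It also shows the failure you get when the key password differs from the keystore password, which is why the page requires them to match. The file names, the password value and the class name are assumptions chosen for the example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example, not NiFi's own code. Creates a PKCS12 keystore holding an
 * AES-256 secret key entry, then loads it as a KeyStore-backed provider would:
 * open the store with the keystore password and read the entry with the same
 * password. File names and password value are assumptions for the example.
 */
public class KeyStoreSecretKeyCheck {

    static final String ALIAS = "primary-key";   // alias used in the keytool commands above
    static final String STORE_TYPE = "PKCS12";   // keystore type matching the .p12 extension

    /** Generate an AES-256 key and store it under ALIAS, protected by keyPassword. */
    static void createKeystore(Path file, char[] storePassword, char[] keyPassword)
            throws GeneralSecurityException, IOException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256);
        SecretKey secretKey = generator.generateKey();

        KeyStore keyStore = KeyStore.getInstance(STORE_TYPE);
        keyStore.load(null, null);               // initialise an empty in-memory store
        keyStore.setEntry(ALIAS,
                new KeyStore.SecretKeyEntry(secretKey),
                new KeyStore.PasswordProtection(keyPassword));
        try (FileOutputStream out = new FileOutputStream(file.toFile())) {
            keyStore.store(out, storePassword);
        }
    }

    /**
     * Load the store with the configured password and read the key entry with the
     * same password. Returns the key length in bits so the caller can confirm AES-256.
     */
    static int loadAndCheck(Path file, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(STORE_TYPE);
        try (FileInputStream in = new FileInputStream(file.toFile())) {
            keyStore.load(in, password);
        }
        Key key = keyStore.getKey(ALIAS, password);   // one password for store and key
        if (key == null) {
            throw new GeneralSecurityException("no entry for alias " + ALIAS);
        }
        if (!"AES".equals(key.getAlgorithm())) {
            throw new GeneralSecurityException("unexpected algorithm " + key.getAlgorithm());
        }
        return key.getEncoded().length * 8;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("keystore-check");
        char[] storePassword = "example-password".toCharArray();   // constructed value

        // Case 1: keystore password and key password match, as the page requires.
        Path good = dir.resolve("repository.p12");
        createKeystore(good, storePassword, storePassword);
        System.out.println("matching passwords: key length = "
                + loadAndCheck(good, storePassword) + " bits");

        // Case 2: key password differs from the keystore password. The store opens,
        // but the entry cannot be read with the single configured password.
        Path bad = dir.resolve("mismatched.p12");
        createKeystore(bad, storePassword, "different-key-password".toCharArray());
        try {
            loadAndCheck(bad, storePassword);
        } catch (UnrecoverableKeyException e) {
            System.out.println("mismatched passwords: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with `javac KeyStoreSecretKeyCheck.java && java KeyStoreSecretKeyCheck`. The first case reports a 256-bit AES key; the second reports UnrecoverableKeyException, which is the symptom to expect if a keystore was created with a key password that does not match the keystore password configured for the provider.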
