Secret Key Generation and Storage using Keytool

The KeyStoreKeyProvider supports reading from a java.security.KeyStore using a configured password to load AES Secret Key entries. The KeyStoreKeyProvider can be configured with any of the encrypted repository implementations.

The provider supports the following KeyStore Types:

  • BCFKS

  • PKCS12

The keystore filename extension must be either .p12 indicating PKCS12 or .bcfks indicating BCFKS.

The keytool command can be used to generate an AES-256 Secret Key stored in a PKCS12 file for repository encryption:

keytool -genseckey -alias primary-key -keyalg AES -keysize 256 -keystore repository.p12 -storetype PKCS12

To store Secret Keys using BCFKS, the keytool command requires additional arguments specifying the BouncyCastle Security Provider. The arguments must include a reference to the BouncyCastle Security Provider library, which is available in the lib/bootstrap directory under the NiFi installation.

The following command can be used to generate an AES-256 Secret Key stored using BCFKS:

keytool -genseckey -alias primary-key -keyalg AES -keysize 256 -keystore repository.bcfks -storetype BCFKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath lib/bootstrap/bcprov-jdk15on-*.jar

Enter a keystore password when prompted. The same value must be used for both the keystore password and key password. The keystore password will be used in the provider configuration properties.
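The following Java program is an added example, not part of the NiFi documentation or the KeyStoreKeyProvider source. It shows how a keystore produced by either keytool command above can be opened with java.security.KeyStore: the type is derived from the .p12 or .bcfks extension, the one password is used for both the keystore and the key entry (the requirement stated above), and the loaded entry is checked to be a 256-bit AES Secret Key before it is returned. The class name SecretKeyLoader, the method names, and the console-based password prompt are assumptions of this example; the alias primary-key and the BouncyCastle provider class name are taken from the page. For BCFKS the bcprov jar from lib/bootstrap must be on the runtime classpath.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.SecretKey;

/** Example loader (not NiFi code): opens a keytool-generated keystore and verifies the AES-256 entry. */
public final class SecretKeyLoader {

    /** The keystore type follows from the filename extension, as the documentation requires. */
    static String keyStoreTypeFor(Path keystorePath) {
        String name = keystorePath.getFileName().toString();
        if (name.endsWith(".p12")) {
            return "PKCS12";
        }
        if (name.endsWith(".bcfks")) {
            return "BCFKS";
        }
        throw new IllegalArgumentException("Keystore filename must end with .p12 or .bcfks: " + name);
    }

    /**
     * BCFKS is only available once the BouncyCastle provider is registered. The class name is the
     * one passed to keytool with -providerclass; it is loaded reflectively so this file compiles
     * without bcprov on the compile-time classpath (it must still be present at runtime for BCFKS).
     */
    static void registerBouncyCastleIfNeeded(String keyStoreType) throws GeneralSecurityException {
        if (!"BCFKS".equals(keyStoreType) || Security.getProvider("BC") != null) {
            return;
        }
        try {
            Class<?> providerClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
            Security.addProvider((Provider) providerClass.getDeclaredConstructor().newInstance());
        } catch (ReflectiveOperationException e) {
            throw new GeneralSecurityException("BouncyCastle provider not on the classpath (required for BCFKS)", e);
        }
    }

    /**
     * Loads the keystore and returns the AES key stored under alias. The same password is passed
     * to KeyStore.load and KeyStore.getKey, matching the requirement that the keystore password
     * and key password be identical.
     */
    static SecretKey loadAesKey(Path keystorePath, String alias, char[] password)
            throws IOException, GeneralSecurityException {
        String type = keyStoreTypeFor(keystorePath);
        registerBouncyCastleIfNeeded(type);

        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(keystorePath)) {
            keyStore.load(in, password);
        }

        if (!keyStore.isKeyEntry(alias)) {
            throw new GeneralSecurityException("No key entry with alias '" + alias + "' in " + keystorePath);
        }
        Key key = keyStore.getKey(alias, password);
        if (!(key instanceof SecretKey) || !"AES".equalsIgnoreCase(key.getAlgorithm())) {
            throw new GeneralSecurityException("Entry '" + alias + "' is not an AES Secret Key");
        }
        byte[] encoded = key.getEncoded();
        if (encoded == null || encoded.length != 32) {
            throw new GeneralSecurityException("Entry '" + alias + "' is not a 256-bit key");
        }
        return (SecretKey) key;
    }

    /** Usage: java SecretKeyLoader repository.p12 [alias]   (password is read from the console). */
    public static void main(String[] args) throws Exception {
        Path keystorePath = Paths.get(args[0]);
        String alias = args.length > 1 ? args[1] : "primary-key";
        if (System.console() == null) {
            throw new IllegalStateException("Run from an interactive terminal so the password can be prompted");
        }
        char[] password = System.console().readPassword("Keystore password: ");
        try {
            SecretKey key = loadAesKey(keystorePath, alias, password);
            System.out.println("Loaded " + key.getAlgorithm() + "-" + (key.getEncoded().length * 8)
                    + " key '" + alias + "' from " + keystorePath);
        } finally {
            // Clear the password from memory once the key has been loaded.
            Arrays.fill(password, '\0');
        }
    }
}
```

Running it against repository.p12 or repository.bcfks produced by the commands above confirms that the file, password, alias and key size all match what the provider configuration will expect; a wrong password fails in KeyStore.load, a mismatched key password fails in KeyStore.getKey, and a wrong alias or key size is reported explicitly.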