Encrypt sensitive configuration properties

You can prevent accidental exposure of passwords by encrypting sensitive configuration properties in the minifi.properties file.

MiNiFi comes with a tool which can encrypt sensitive properties in the minifi.properties file. It is called encrypt-config (encrypt-config.exe on Windows), and it exists in the bin directory of the installation, next to the main minifi binary.

The goal of the tool is to prevent accidental exposure of passwords.

Basic usage

If you have a minifi.properties file in your /var/tmp/minifi-home/conf MiNiFi configuration directory which contains the following sensitive properties:
minifi.properties
...
nifi.security.client.pass.phrase=my_pass_phrase
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
...
you can run the encrypt-config tool as shown in the following example:
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home

Generating a new encryption key...
Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
Encrypted property: nifi.security.client.pass.phrase
Encrypted property: nifi.rest.api.password
Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties
The tool performs the following actions:
  1. Generates a new encryption key.
  2. Creates a bootstrap.conf file in your configuration directory, and writes the encryption key to this file.
  3. Encrypts the sensitive properties using the new encryption key.
  4. Adds a something.protected marker line after each encrypted property, which records the encryption scheme used.
After running the tool, the bootstrap.conf and minifi.properties files look as shown in the following examples:
bootstrap.conf
nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542
minifi.properties
...
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
...

You should protect the bootstrap.conf file to ensure that it is only readable by the user which runs MiNiFi.

Additional sensitive properties

By default, encrypt-config encrypts a built-in list of default sensitive properties. If you want more properties to be encrypted, add a nifi.sensitive.props.additional.keys setting with a comma-separated list of additional sensitive properties to your minifi.properties file. You must do this before running the encrypt-config tool. The tool then encrypts these additional properties as well. For example,
minifi.properties
...
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
...

You can also do this after you have already encrypted some properties. In that case, the tool encrypts the additional properties using the existing encryption key, and leaves the other, already encrypted, sensitive properties unchanged.
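The following script is an added example and is not part of MiNiFi or the encrypt-config tool. It checks a minifi.properties file the way an operator would after running the tool: it collects the sensitive property names (the built-in list, approximated here by the two names this page shows, plus whatever nifi.sensitive.props.additional.keys declares), reports which of them still sit in plaintext, and validates that each encrypted value has the shape written above, a base64 24-byte XSalsa20 nonce, the "||" separator, and a base64 ciphertext that is at least as long as the 16-byte Poly1305 tag. It also confirms that bootstrap.conf carries a 32-byte hex key. The sample file contents are constructed from the values on this page; the stand-in default list and the layout of the encrypted value are assumptions stated in the comments.

```python
import base64

# Constructed stand-in for encrypt-config's built-in list of sensitive properties:
# only the two names shown on this page are used here (assumption).
DEFAULT_SENSITIVE_KEYS = ("nifi.security.client.pass.phrase", "nifi.rest.api.password")
ADDITIONAL_KEYS_PROPERTY = "nifi.sensitive.props.additional.keys"
BOOTSTRAP_KEY_PROPERTY = "nifi.bootstrap.sensitive.key"
PROTECTED_SUFFIX = ".protected"
SCHEME = "xsalsa20poly1305"
SEPARATOR = "||"          # assumed layout: base64(nonce) || base64(ciphertext + tag)
KEY_LEN = 32              # bytes: XSalsa20-Poly1305 secret key
NONCE_LEN = 24            # bytes: XSalsa20 nonce
TAG_LEN = 16              # bytes: Poly1305 authentication tag

# Constructed sample: the pass phrase uses the encrypted value shown above, the REST
# password was left in plaintext, and the user name was declared sensitive via
# nifi.sensitive.props.additional.keys but the tool has not been re-run yet.
SAMPLE_PROPERTIES = """\
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name
"""
SAMPLE_BOOTSTRAP = "nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542\n"


def parse_properties(text):
    """Parse key=value lines; blank lines, '#' comments and lines without '=' are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def sensitive_keys(props):
    """Built-in sensitive names plus any listed in nifi.sensitive.props.additional.keys."""
    extra = props.get(ADDITIONAL_KEYS_PROPERTY, "")
    return list(DEFAULT_SENSITIVE_KEYS) + [k.strip() for k in extra.split(",") if k.strip()]


def check_key(bootstrap_text):
    """None if bootstrap.conf holds a 32-byte hex key, otherwise a description of the problem."""
    key_hex = parse_properties(bootstrap_text).get(BOOTSTRAP_KEY_PROPERTY)
    if key_hex is None:
        return f"{BOOTSTRAP_KEY_PROPERTY} is missing"
    try:
        key = bytes.fromhex(key_hex)
    except ValueError:
        return "key is not hexadecimal"
    if len(key) != KEY_LEN:
        return f"key is {len(key)} bytes, expected {KEY_LEN}"
    return None


def check_encrypted_value(value):
    """None if value has the base64(nonce)||base64(ciphertext+tag) shape, otherwise the problem."""
    if SEPARATOR not in value:
        return "missing '||' separator"
    nonce_b64, _, ct_b64 = value.partition(SEPARATOR)
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
        ct = base64.b64decode(ct_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "value is not valid base64"
    if len(nonce) != NONCE_LEN:
        return f"nonce is {len(nonce)} bytes, expected {NONCE_LEN}"
    if len(ct) < TAG_LEN:
        return "ciphertext is shorter than the Poly1305 tag"
    return None


def audit(properties_text):
    """Map each sensitive property present in the file to its protection status."""
    props = parse_properties(properties_text)
    report = {}
    for key in sensitive_keys(props):
        if key not in props:
            continue
        marker = props.get(key + PROTECTED_SUFFIX)
        if marker is None:
            report[key] = "PLAINTEXT"            # no .protected line: value is unencrypted
        elif marker != SCHEME:
            report[key] = f"unknown scheme: {marker}"
        else:
            problem = check_encrypted_value(props[key])
            report[key] = "encrypted" if problem is None else f"malformed: {problem}"
    return report


if __name__ == "__main__":
    print("bootstrap key:", check_key(SAMPLE_BOOTSTRAP) or "ok")
    for name, status in audit(SAMPLE_PROPERTIES).items():
        print(f"{status:>10}  {name}")
```

Run against the constructed sample, the audit reports the pass phrase as encrypted and both nifi.rest.api.password and the newly declared nifi.rest.api.user.name as PLAINTEXT, which is exactly the state in which encrypt-config must be run again. The structural checks catch a hand-edited or truncated value, but they do not decrypt anything: only MiNiFi itself, with the key from bootstrap.conf, can verify the Poly1305 tag.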

Modifying sensitive properties

You can modify the value of a sensitive property which was encrypted earlier.
  1. Replace the encrypted value with the new unencrypted value.
  2. Delete the something.protected=... line which was added by the tool.
  3. Re-run the encrypt-config tool.

The tool encrypts the modified property using the existing encryption key in the bootstrap.conf file, and leaves the other, already encrypted, sensitive properties unchanged.

Generating a new encryption key

You can generate a new encryption key.
  1. Remove the nifi.bootstrap.sensitive.key=... line from the bootstrap.conf file.

    If it does not contain anything else, you can delete the file.

  2. Replace all sensitive property values with their original and unencrypted values.
  3. Delete all the something.protected=... lines.
  4. Re-run the encrypt-config tool.
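The following script is an added example, not part of MiNiFi or encrypt-config, that carries out the manual editing steps of both procedures above so that the files are ready for the final "re-run the encrypt-config tool" step. reset_properties performs steps 1 and 2 of "Modifying sensitive properties" for the named properties; prepare_key_rotation performs steps 1 to 3 of "Generating a new encryption key" and refuses to proceed unless a plaintext is supplied for every encrypted property, because any ciphertext left behind could no longer be decrypted once bootstrap.conf holds a different key. The sample file contents are constructed from the values on this page; the function names are this example's own.

```python
PROTECTED_SUFFIX = ".protected"
BOOTSTRAP_KEY_PROPERTY = "nifi.bootstrap.sensitive.key"

# Constructed sample files, using the encrypted example values shown on this page.
SAMPLE_PROPERTIES = """\
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
"""
SAMPLE_BOOTSTRAP = "nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542\n"


def protected_properties(text):
    """Names of the properties that carry a '<name>.protected' marker line."""
    names = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key.endswith(PROTECTED_SUFFIX):
            names.append(key[:-len(PROTECTED_SUFFIX)])
    return names


def reset_properties(text, plaintexts):
    """Steps 1 and 2 of 'Modifying sensitive properties' for every name in plaintexts:
    replace the encrypted value with the new plaintext and drop the marker line.
    Re-running encrypt-config afterwards encrypts them with the key in bootstrap.conf."""
    unknown = set(plaintexts) - set(protected_properties(text))
    if unknown:
        raise ValueError(f"not encrypted in this file: {sorted(unknown)}")
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key.endswith(PROTECTED_SUFFIX) and key[:-len(PROTECTED_SUFFIX)] in plaintexts:
            continue                                    # step 2: remove name.protected=...
        if sep and key in plaintexts:
            out.append(f"{key}={plaintexts[key]}")      # step 1: plaintext replaces ciphertext
        else:
            out.append(line)                            # everything else stays as it is
    return "\n".join(out) + "\n"


def prepare_key_rotation(bootstrap_text, properties_text, plaintexts):
    """Steps 1 to 3 of 'Generating a new encryption key'.
    Returns (new bootstrap.conf text, or None when the file can be deleted, new properties text).
    Every encrypted property needs its original plaintext: a ciphertext that survives this
    step could not be decrypted once encrypt-config has written a new key."""
    missing = set(protected_properties(properties_text)) - set(plaintexts)
    if missing:
        raise ValueError(f"plaintext needed for every encrypted property, missing: {sorted(missing)}")
    remaining = [line for line in bootstrap_text.splitlines()
                 if line.partition("=")[0].strip() != BOOTSTRAP_KEY_PROPERTY]
    new_bootstrap = "\n".join(remaining) + "\n" if any(l.strip() for l in remaining) else None
    return new_bootstrap, reset_properties(properties_text, plaintexts)


if __name__ == "__main__":
    print(reset_properties(SAMPLE_PROPERTIES, {"nifi.rest.api.password": "new-password"}))
    bootstrap, props = prepare_key_rotation(
        SAMPLE_BOOTSTRAP, SAMPLE_PROPERTIES,
        {"nifi.security.client.pass.phrase": "my_pass_phrase", "nifi.rest.api.password": "password123"})
    print("delete bootstrap.conf" if bootstrap is None else bootstrap)
    print(props)
```

After either function has written its result back to minifi.properties (and, for a rotation, bootstrap.conf has been removed or rewritten), run encrypt-config exactly as in the basic usage section; it reads the plaintext values, encrypts them, and restores the marker lines. Because the plaintexts pass through this script's memory and the edited file, apply the same file permissions you use for bootstrap.conf to the working copy, and do not leave the intermediate plaintext version on disk after the tool has run.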

Remember to protect the new bootstrap.conf file to ensure that it is only readable by the user which runs MiNiFi.