Encrypt sensitive configuration properties
You can prevent accidental exposure of passwords by encrypting sensitive configuration
properties in the minifi.properties file.
MiNiFi comes with a tool which can encrypt sensitive properties in the
minifi.properties file. It is called encrypt-config (encrypt-config.exe on Windows),
and it exists in the bin directory of the installation, next to the main MiNiFi executable.
For example, suppose you have a minifi.properties file in your
/var/tmp/minifi-home/conf MiNiFi configuration directory which contains the following sensitive properties:
minifi.properties
    ...
    nifi.security.client.pass.phrase=my_pass_phrase
    ...
    nifi.rest.api.user.name=admin
    nifi.rest.api.password=password123
    ...
Run the encrypt-config tool as shown in the following example:
    $ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
    Generating a new encryption key...
    Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
    Encrypted property: nifi.security.client.pass.phrase
    Encrypted property: nifi.rest.api.password
    Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties
The tool does the following:
- Generates a new encryption key.
- Creates a bootstrap.conf file in your configuration directory, and writes the encryption key to this file.
- Encrypts the sensitive properties using the new encryption key.
- Adds a something.protected encryption marker after each encrypted property.
After encryption, the minifi.properties file looks as shown in the following example
(the generated key itself is stored in the bootstrap.conf file as a nifi.bootstrap.sensitive.key=... line):
minifi.properties
    ...
    nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
    nifi.security.client.pass.phrase.protected=xsalsa20poly1305
    ...
    nifi.rest.api.user.name=admin
    nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
    nifi.rest.api.password.protected=xsalsa20poly1305
    ...
You should protect the
bootstrap.conf file to ensure that it is only readable
by the user which runs MiNiFi.
Additional sensitive properties
encrypt-config encrypts a list of default sensitive properties. If you want more properties to be encrypted, add a
nifi.sensitive.props.additional.keys setting with a comma-separated list of additional sensitive properties to your
minifi.properties file. You must do this before running the
encrypt-config tool. The tool then encrypts these additional properties as well. For example:
minifi.properties
    ...
    nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
    ...
You can also do this after you have already encrypted some properties. In that case, the tool encrypts the additional properties using the existing encryption key, and leaves the other, already encrypted sensitive properties as they are.
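As an added example (not part of the MiNiFi tool or of this page), the following Python audit parses a minifi.properties file and reports sensitive properties that are still in plaintext, carry an unexpected .protected marker, or hold a malformed encrypted value, which is the check to run before deploying a configuration or after editing a property by hand. It assumes the default sensitive-key list consists of the two properties this page encrypts (the real tool's list may be longer), reads extra keys from nifi.sensitive.props.additional.keys, and infers the base64(nonce)||base64(ciphertext) layout from the lengths of the page's example values together with XSalsa20-Poly1305's 24-byte nonce and 16-byte tag.

```python
import base64

# Assumed default list: the two properties this page's example encrypts
# (the real tool's default list may be longer).
DEFAULT_SENSITIVE_KEYS = {"nifi.security.client.pass.phrase", "nifi.rest.api.password"}
ADDITIONAL_KEYS_PROP = "nifi.sensitive.props.additional.keys"
NONCE_LEN, TAG_LEN = 24, 16  # XSalsa20-Poly1305 nonce and Poly1305 tag sizes

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def sensitive_keys(props):
    """Default sensitive keys plus any listed in the additional.keys setting."""
    extra = props.get(ADDITIONAL_KEYS_PROP, "")
    return DEFAULT_SENSITIVE_KEYS | {k.strip() for k in extra.split(",") if k.strip()}

def audit(props):
    """Return {key: problem} for every sensitive property that is not properly protected."""
    problems = {}
    for key in sensitive_keys(props):
        if key not in props:
            continue  # property not set, nothing to protect
        marker = props.get(key + ".protected")
        if marker is None:
            problems[key] = "plaintext (no .protected marker)"
        elif marker != "xsalsa20poly1305":
            problems[key] = f"unknown protection scheme {marker!r}"
        else:
            try:  # layout assumed: base64(nonce)||base64(ciphertext+tag); bad base64 or part count raises ValueError
                nonce, ct = (base64.b64decode(p, validate=True) for p in props[key].split("||"))
            except ValueError:
                problems[key] = "malformed encrypted value"
                continue
            if len(nonce) != NONCE_LEN or len(ct) < TAG_LEN:
                problems[key] = "wrong nonce or ciphertext length"
    return problems

# Constructed sample: one property encrypted (values from the page), the password
# replaced by hand with a new plaintext value, and an additional key still unencrypted.
SAMPLE = """\
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
nifi.rest.api.user.name=admin
nifi.rest.api.password=new_password
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name
"""

if __name__ == "__main__":
    for key, problem in sorted(audit(parse_properties(SAMPLE)).items()):
        print(f"{key}: {problem}")
```

Run it against the real file with parse_properties(open(path).read()); an empty result means every sensitive property the tool would handle is already encrypted.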
Modifying sensitive properties
To modify a sensitive property that is already encrypted:
- Replace the encrypted value with the new unencrypted value.
- Delete the something.protected=... line which was added by the tool.
- Re-run the encrypt-config tool.
The tool encrypts the modified property using the existing encryption key in the
bootstrap.conf file, and leaves the other, already encrypted sensitive properties as they are.
Generating new encryption key
To generate a new encryption key:
- Remove the nifi.bootstrap.sensitive.key=... line from the bootstrap.conf file.
If it does not contain anything else, you can delete the file.
- Replace all sensitive property values with their original and unencrypted values.
- Delete all the something.protected=... lines which were added by the tool.
- Re-run the encrypt-config tool.
Remember to protect the new
bootstrap.conf file to ensure that it is only
readable by the user which runs MiNiFi.