Encrypt sensitive configuration properties
You can prevent accidental exposure of passwords by encrypting sensitive configuration properties in the minifi.properties file.
MiNiFi comes with a tool that can encrypt sensitive properties in the minifi.properties file. It is called encrypt-config (encrypt-config.exe on Windows), and it is located in the bin directory of the installation, next to the main minifi binary.
Basic usage
Assume that the minifi.properties file in your /var/tmp/minifi-home/conf MiNiFi configuration directory contains the following sensitive properties:
minifi.properties
...
nifi.security.client.pass.phrase=my_pass_phrase
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
...
Run the encrypt-config tool as shown in the following example:
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Generating a new encryption key...
Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
Encrypted property: nifi.security.client.pass.phrase
Encrypted property: nifi.rest.api.password
Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties
The tool does the following:
- Generates a new encryption key.
- Creates a bootstrap.conf file in your configuration directory, and writes the encryption key to this file.
- Encrypts the sensitive properties using the new encryption key.
- Adds a something.protected encryption marker after each encrypted property.
After running the tool, the bootstrap.conf and minifi.properties files look as shown in the following examples:
bootstrap.conf
nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542
minifi.properties
...
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
...
You should protect the bootstrap.conf file so that it is readable only by the user that runs MiNiFi: anyone who can read the key in bootstrap.conf can decrypt every protected property in minifi.properties.
Additional sensitive properties
By default, encrypt-config encrypts a fixed list of sensitive properties. If you want more properties to be encrypted, add a nifi.sensitive.props.additional.keys setting with a comma-separated list of additional sensitive property names to your minifi.properties file. You must do this before running the encrypt-config tool. The tool then encrypts these additional properties as well. For example:
minifi.properties
...
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
...
You can also do this after you have already encrypted some properties. In that case, the tool encrypts the additional properties using the existing encryption key, and leaves the other, already encrypted, sensitive properties unchanged.
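The following audit script is an added example, not part of the original page or of the MiNiFi tool: it checks that bootstrap.conf holds a 64-hex-digit key and that every sensitive property (the defaults shown on this page plus any listed in nifi.sensitive.props.additional.keys) carries a valid .protected marker and an encrypted-looking value. The default key list and the base64(nonce)||base64(ciphertext) value layout are assumptions inferred from the examples above; the sample files are constructed from this page.

```python
import base64
import re

# Sensitive keys shown on this page; the tool's built-in default list may be longer (assumption).
DEFAULT_SENSITIVE_KEYS = ("nifi.security.client.pass.phrase", "nifi.rest.api.password")
MARKER = "xsalsa20poly1305"
NONCE_LEN, MAC_LEN = 24, 16  # XSalsa20 nonce and Poly1305 tag sizes

# Constructed sample input, taken from the examples on this page.
BOOTSTRAP_OK = "nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542\n"
ENCRYPTED_PROPS = """\
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
"""

def parse_properties(text):
    """Parse key=value lines into a dict, skipping blanks, '...' and '#' comments."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def sensitive_keys(props):  # defaults plus nifi.sensitive.props.additional.keys
    extra = props.get("nifi.sensitive.props.additional.keys", "")
    return list(DEFAULT_SENSITIVE_KEYS) + [k.strip() for k in extra.split(",") if k.strip()]

def looks_encrypted(value):
    """True if value has the base64(nonce)||base64(ciphertext+tag) layout seen on this page (assumed)."""
    nonce_b64, sep, ct_b64 = value.partition("||")
    try:
        nonce, ct = base64.b64decode(nonce_b64, validate=True), base64.b64decode(ct_b64, validate=True)
    except ValueError:
        return False
    return bool(sep) and len(nonce) == NONCE_LEN and len(ct) >= MAC_LEN

def audit(minifi_text, bootstrap_text):
    """Return findings; an empty list means the key exists and every sensitive property is encrypted."""
    props, boot = parse_properties(minifi_text), parse_properties(bootstrap_text)
    findings = []
    if not re.fullmatch(r"[0-9a-fA-F]{64}", boot.get("nifi.bootstrap.sensitive.key", "")):
        findings.append("bootstrap.conf: nifi.bootstrap.sensitive.key missing or not a 64-hex-digit key")
    for key in sensitive_keys(props):
        if key in props and (props.get(key + ".protected") != MARKER or not looks_encrypted(props[key])):
            findings.append(f"{key}: stored in plaintext or without a valid .protected marker")
    return findings
```

Running audit() on the real files before deploying an instance catches a property that was added to the additional-keys list but never re-encrypted, which the tool itself will not warn about.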
Modifying sensitive properties
To change the value of a property that is already encrypted:
- Replace the encrypted value with the new, unencrypted value.
- Delete the something.protected=... line that was added by the tool.
- Re-run the encrypt-config tool.
The tool encrypts the modified property using the existing encryption key in the bootstrap.conf file, and leaves the other, already encrypted, sensitive properties unchanged.
Generating a new encryption key
To re-encrypt all sensitive properties with a new key:
- Remove the nifi.bootstrap.sensitive.key=... line from the bootstrap.conf file. If the file does not contain anything else, you can delete it.
- Replace all sensitive property values with their original, unencrypted values.
- Delete all the something.protected=... lines.
- Re-run the encrypt-config tool.
Remember to protect the new bootstrap.conf file so that it is readable only by the user that runs MiNiFi.