Encrypt sensitive data
You can prevent accidental exposure of passwords by encrypting sensitive configuration
properties in the minifi.properties
file. Learn how to encrypt sensitive
data.
MiNiFi comes with a tool called encrypt-config
(encrypt-config.exe
on Windows) which can be found in the
bin
directory of the installation, next to the main minifi
binary. It enables the encryption of sensitive configuration properties in the
minifi.properties
file along with the encryption of the flow configuration
(config.yml
by default).
The security of the encryption depends on the security of the bootstrap.conf
file, which contains the encryption key.
The terminologies used in this section are as follows:
- minifi home
The directory as specified to
encrypt-config
by the--minifi-home
option. - configuration directory
The
<minifi home>/conf
directory. - properties file
The
<minifi home>/conf/minifi.properties
file. - flow configuration
The file specified in the properties file with the key
nifi.flow.configuration.file
, or if not specified it defaults to<minifi home>/conf/config.yml
. - bootstrap file
The file
<minifi home>/conf/bootstrap.conf
. - sensitive property
All property in the properties file that we wish to encrypt.
Encryption of the configuration properties
minifi.properties
file in your MiNiFi configuration
directory /var/tmp/minifi-home/conf
containing the following sensitive
properties:minifi-properties
...
nifi.security.client.pass.phrase=my_pass_phrase
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
...
encrypt-config
tool as shown in the following
example:$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Generating a new encryption key...
Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
Encrypted property: nifi.security.client.pass.phrase
Encrypted property: nifi.rest.api.password
Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties
- Generates a new encryption key.
- Creates a
bootstrap.conf
file in your configuration directory, and write the encryption key to this file. - Encrypts the sensitive properties using this encryption key.
- Adds a
something.protected
encryption marker after each encrypted property.
bootstrap.conf
and
minifi.properties
files look like as shown in the following
examples:bootstrap.conf
nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542
minifi.properties
...
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
...
You should protect the bootstrap.conf
file to make sure it is only
readable by the user who runs MiNiFi.
Additional sensitive properties
encrypt-config
encrypts a (short) list of default sensitive
properties. If you want more properties to be encrypted, you can add a
nifi.sensitive.props.additional.keys
setting with a comma-separated list
of additional sensitive properties to your minifi.properties
file before
running the encrypt-config
tool. For
example,minifi.properties
...
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
...
The tool encrypts the additional properties. You can also do this after you have already encrypted some properties. In that case, the tool encrypts the additional properties using the existing encryption key and leaves the other, already encrypted, sensitive properties.
Modifying sensitive properties
- Replace the encrypted value with the new unencrypted value.
- Delete the
something.protected=...
line which was added by the tool. - Re-run the
encrypt-config
tool.
The tool encrypts the modified property using the existing encryption key in
bootstrap.conf
and leaves the other, already encrypted, sensitive
properties.
Encryption of the flow definition
Pass the flag --encrypt-flow-config
to encrypt-config
so
that it also encrypts the flow configuration file, not just the sensitive properties.
Updating the encryption key
- If the files are already encrypted, there should be a
nifi.bootstrap.sensitive.key=...
line in thebootstrap.conf
file (that is, have access to the original key), otherwise you have to manually replace all encrypted data (sensitive properties and flow configuration) with their original unencrypted values (or some other new value). - If present, rename the
nifi.bootstrap.sensitive.key=...
property inbootstrap.conf
tonifi.bootstrap.sensitive.key.old=...
(that is, add.old
suffix to the property name). - If you have a specific encryption key you would like to use, add it to the
bootstrap.conf
file (add the linenifi.bootstrap.sensitive.key=<your encryption key here>
). If you provide no encryption key (nonifi.bootstrap.sensitive.key
property inbootstrap.conf
, or nobootstrap.conf
at all), a new key is randomly generated and written tobootstrap.conf
. - Re-run the
encrypt-config
tool.
$ cat /var/tmp/minifi-home/conf/bootstrap.conf
nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Successfully decrypted property "nifi.security.client.pass.phrase" using old key.
Encrypted property: nifi.security.client.pass.phrase
Encrypted 1 sensitive property in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.
If you forgot to specify the --encrypt-flow-config
flag, you can re-run
encrypt-config
with the flag, and it re-encrypts the flow configuration
file, as well.
It is always safe to re-run encrypt-config
. If it does not find anything
new to encrypt, it does not do anything.
When you have successfully re-encrypted all sensitive properties and the flow configuration
file(s), you can delete the nifi.bootstrap.sensitive.key.old
line from the
bootstrap file.
Automatic encryption
Specify the property nifi.flow.configuration.encrypt=true
, in the
properties file to have the new flow configuration written to the disk encrypted after a
flow update (originating from a C2 server). It requires that you have a
conf/bootstrap.conf
in your minifi home, containing an encryption key
(nifi.bootstrap.sensitive.key
). This master key is also used on agent
startup to decrypt the flow configuration file.