Encrypt sensitive data

You can prevent accidental exposure of passwords by encrypting sensitive configuration properties in the minifi.properties file. Learn how to encrypt sensitive data.

MiNiFi comes with a tool called encrypt-config (encrypt-config.exe on Windows) which can be found in the bin directory of the installation, next to the main minifi binary. It enables the encryption of sensitive configuration properties in the minifi.properties file along with the encryption of the flow configuration (config.yml by default).

The security of the encryption depends on the security of the bootstrap.conf file, which contains the encryption key.

The terminologies used in this section are as follows:

  • minifi home

    The directory as specified to encrypt-config by the --minifi-home option.

  • configuration directory

    The <minifi home>/conf directory.

  • properties file

    The <minifi home>/conf/minifi.properties file.

  • flow configuration

    The file specified in the properties file with the key nifi.flow.configuration.file, or if not specified it defaults to <minifi home>/conf/config.yml.

  • bootstrap file

    The file <minifi home>/conf/bootstrap.conf.

  • sensitive property

    All property in the properties file that we wish to encrypt.

Encryption of the configuration properties

If you have a minifi.properties file in your MiNiFi configuration directory /var/tmp/minifi-home/conf containing the following sensitive properties:
minifi-properties
...
nifi.security.client.pass.phrase=my_pass_phrase
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
...
you can run the encrypt-config tool as shown in the following example:
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
 
Generating a new encryption key...
Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
Encrypted property: nifi.security.client.pass.phrase
Encrypted property: nifi.rest.api.password
Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties
The tool performs the following actions:
  1. Generates a new encryption key.
  2. Creates a bootstrap.conf file in your configuration directory, and write the encryption key to this file.
  3. Encrypts the sensitive properties using this encryption key.
  4. Adds a something.protected encryption marker after each encrypted property.
After running the tool, the bootstrap.conf and minifi.properties files look like as shown in the following examples:
bootstrap.conf
nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542
minifi.properties
...
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
...

You should protect the bootstrap.conf file to make sure it is only readable by the user who runs MiNiFi.

Additional sensitive properties

By default, encrypt-config encrypts a (short) list of default sensitive properties. If you want more properties to be encrypted, you can add a nifi.sensitive.props.additional.keys setting with a comma-separated list of additional sensitive properties to your minifi.properties file before running the encrypt-config tool. For example,
minifi.properties
...
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
...

The tool encrypts the additional properties. You can also do this after you have already encrypted some properties. In that case, the tool encrypts the additional properties using the existing encryption key and leaves the other, already encrypted, sensitive properties.

Modifying sensitive properties

If you later need to modify the value of a sensitive property which was encrypted earlier, perform the following steps:
  1. Replace the encrypted value with the new unencrypted value.
  2. Delete the something.protected=... line which was added by the tool.
  3. Re-run the encrypt-config tool.

The tool encrypts the modified property using the existing encryption key in bootstrap.conf and leaves the other, already encrypted, sensitive properties.

Encryption of the flow definition

Pass the flag --encrypt-flow-config to encrypt-config so that it also encrypts the flow configuration file, not just the sensitive properties.

Updating the encryption key

If you want to change the encryption key, perform the following steps:
  1. If the files are already encrypted, there should be a nifi.bootstrap.sensitive.key=... line in the bootstrap.conf file (that is, have access to the original key), otherwise you have to manually replace all encrypted data (sensitive properties and flow configuration) with their original unencrypted values (or some other new value).
  2. If present, rename the nifi.bootstrap.sensitive.key=... property in bootstrap.conf to nifi.bootstrap.sensitive.key.old=... (that is, add .old suffix to the property name).
  3. If you have a specific encryption key you would like to use, add it to the bootstrap.conf file (add the line nifi.bootstrap.sensitive.key=<your encryption key here>). If you provide no encryption key (no nifi.bootstrap.sensitive.key property in bootstrap.conf, or no bootstrap.conf at all), a new key is randomly generated and written to bootstrap.conf.
  4. Re-run the encrypt-config tool.
Take special care when changing the encryption key and the flow configuration is encrypted, so that you also re-encrypt it before deleting the old key (you get a warning if you do not request its re-encryption).
$ cat /var/tmp/minifi-home/conf/bootstrap.conf
 
nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730
 
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
 
Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Successfully decrypted property "nifi.security.client.pass.phrase" using old key.
Encrypted property: nifi.security.client.pass.phrase
Encrypted 1 sensitive property in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.

If you forgot to specify the --encrypt-flow-config flag, you can re-run encrypt-config with the flag, and it re-encrypts the flow configuration file, as well.

It is always safe to re-run encrypt-config. If it does not find anything new to encrypt, it does not do anything.

When you have successfully re-encrypted all sensitive properties and the flow configuration file(s), you can delete the nifi.bootstrap.sensitive.key.old line from the bootstrap file.

Automatic encryption

Specify the property nifi.flow.configuration.encrypt=true, in the properties file to have the new flow configuration written to the disk encrypted after a flow update (originating from a C2 server). It requires that you have a conf/bootstrap.conf in your minifi home, containing an encryption key (nifi.bootstrap.sensitive.key). This master key is also used on agent startup to decrypt the flow configuration file.