Encrypting sensitive properties in configuration files

Learn how to encrypt sensitive properties in the conf/bootstrap.conf file using the encrypt-config command line tool, invoked in the minifi-toolkit as ./bin/encrypt-config.sh or bin\encrypt-config.bat.

This tool reads the plain-text values of sensitive properties from the bootstrap.conf file and encrypts each of them with a randomly generated root key. It replaces each plain value with its protected form in the same file, or writes the result to a new bootstrap.conf file if you specify one. It can also encrypt any sensitive properties that are still unencrypted in the flow.json.raw file.

To enable this functionality, the sensitive properties key and algorithm must be set in bootstrap.conf. The property names differ between agent versions (nifi.minifi.sensitive.props.key and nifi.minifi.sensitive.props.algorithm, or nifi.sensitive.props.key and nifi.sensitive.props.algorithm as in the examples below); use the names that your agent's bootstrap.conf defines.

The following example shows a bootstrap.conf file with sensitive values still in plain text, before the tool is run:

nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.additional.keys=

nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=thisIsABadKeystorePassword
nifi.security.keyPasswd=thisIsABadKeyPassword
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
c2.security.truststore.location=
c2.security.truststore.password=thisIsABadTruststorePassword
c2.security.truststore.type=JKS
c2.security.keystore.location=
c2.security.keystore.password=thisIsABadKeystorePassword
c2.security.keystore.type=JKS

Run the tool with the following arguments:

encrypt-config.sh -b %MINIFI_HOME_DIR%/conf/bootstrap.conf

As a result, the bootstrap.conf file is overwritten: each sensitive value is replaced with its protected form, and a sibling property with the .protected suffix records the protection scheme (aes/gcm/256, the only scheme currently supported):

nifi.sensitive.props.key=4OjkrFywZb7BlGz4||Tm9pg0jV4TltvVKeiMlm9zBsqmtmYUA2QkzcLKQpspyggtQuhNAkAla5s2695A==
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256
nifi.sensitive.props.additional.keys=

nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=iXDmDCadoNJ3VotZ||WvOGbrii4Gk0vr3b6mDstZg+NE0BPZUPk6LVqQlf2Sx3G5XFbUbUYAUz
nifi.security.keystorePasswd.protected=aes/gcm/256
nifi.security.keyPasswd=199uUUgpPqB4Fuoo||KckbW7iu+HZf1r4KSMQAFn8NLJK+CnUuayqPsTsdM0Wxou1BHg==
nifi.security.keyPasswd.protected=aes/gcm/256
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
c2.security.truststore.location=
c2.security.truststore.password=0pHpp+l/WHsDM/sm||fXBvDAQ1BXvNQ8b4EHKa1GspsLx+UD+2EDhph0HbsdmgpVhEv4qj0q5TDo0=
c2.security.truststore.password.protected=aes/gcm/256
c2.security.truststore.type=JKS
c2.security.keystore.location=
c2.security.keystore.password=j+80L7++RNDf9INQ||RX/QkdVFwRos6Y4XJ8YSUWoI3W5Wx50dyw7HrAA84719SvfxA9eUSDEA
c2.security.keystore.password.protected=aes/gcm/256
c2.security.keystore.type=JKS

Additionally, the tool writes the root key it used to bootstrap.conf as minifi.bootstrap.sensitive.key (64 hexadecimal characters, a 256-bit AES key). This key is stored in clear text in the same file, so anyone who can read bootstrap.conf can decrypt every protected value; restrict the file to the account that runs the agent, and keep the key backed up, because the protected values cannot be recovered without it. The value below is an example; your file will contain a different, randomly generated key:

minifi.bootstrap.sensitive.key=c92623e798be949379d0d18f432a57f1b74732141be321cb4af9ed94aa0ae8ac
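The protected-value format shown above, reproduced as an added example in Java (illustration code, not the minifi-toolkit's own implementation). It assumes Java 17 or later (for java.util.HexFormat) and the default JCE provider; the 12-byte IV and 128-bit tag are inferred from the example values on this page (16 base64 characters of IV, ciphertext 16 bytes longer than the password). The class protects the sample passwords the way the tool writes them, then recovers them using nothing but the minifi.bootstrap.sensitive.key line, which is why the file's permissions matter:

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/*
 * Added example, not minifi-toolkit code. Each value is encrypted with AES-256-GCM under a
 * random 12-byte IV with a 128-bit tag and written as base64(iv) || base64(ciphertext+tag).
 * The key is the 32-byte value stored as 64 hex characters in minifi.bootstrap.sensitive.key.
 */
public class BootstrapProtectDemo {
    static final String DELIMITER = "||";
    static final String SCHEME = "aes/gcm/256";
    static final int IV_BYTES = 12;
    static final int TAG_BITS = 128;
    static final SecureRandom RANDOM = new SecureRandom();

    /* Generate a fresh 256-bit root key. */
    static byte[] newRootKey() {
        byte[] key = new byte[32];
        RANDOM.nextBytes(key);
        return key;
    }

    static String protect(String plain, byte[] key) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RANDOM.nextBytes(iv);                     // fresh IV per value: equal passwords never share ciphertext
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plain.getBytes(StandardCharsets.UTF_8)); // GCM tag is appended by the JCE
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(iv) + DELIMITER + b64.encodeToString(ct);
    }

    static String unprotect(String protectedValue, byte[] key) throws Exception {
        int sep = protectedValue.indexOf(DELIMITER);
        if (sep < 0) {
            throw new IllegalArgumentException("value is not in iv||ciphertext form");
        }
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] iv = b64.decode(protectedValue.substring(0, sep));
        byte[] ct = b64.decode(protectedValue.substring(sep + DELIMITER.length()));
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        // doFinal throws javax.crypto.AEADBadTagException if the key is wrong or the value was altered
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    /* Protect every entry and emit the bootstrap.conf lines the tool would write for them. */
    static String protectAll(Map<String, String> plainProps, byte[] key) throws Exception {
        StringBuilder out = new StringBuilder();
        for (Map.Entry<String, String> e : plainProps.entrySet()) {
            out.append(e.getKey()).append('=').append(protect(e.getValue(), key)).append('\n');
            out.append(e.getKey()).append(".protected=").append(SCHEME).append('\n');
        }
        out.append("minifi.bootstrap.sensitive.key=").append(HexFormat.of().formatHex(key)).append('\n');
        return out.toString();
    }

    /* Parse the written lines back and recover the plain values using only the file's own key. */
    static Map<String, String> recoverAll(String conf) throws Exception {
        Map<String, String> props = new LinkedHashMap<>();
        for (String line : conf.split("\n")) {
            int eq = line.indexOf('=');
            if (eq > 0) {
                props.put(line.substring(0, eq), line.substring(eq + 1));
            }
        }
        byte[] key = HexFormat.of().parseHex(props.get("minifi.bootstrap.sensitive.key"));
        Map<String, String> recovered = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : props.entrySet()) {
            if (e.getKey().endsWith(".protected") && SCHEME.equals(e.getValue())) {
                String name = e.getKey().substring(0, e.getKey().length() - ".protected".length());
                recovered.put(name, unprotect(props.get(name), key));
            }
        }
        return recovered;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, using the placeholder passwords from the page.
        Map<String, String> plain = new LinkedHashMap<>();
        plain.put("nifi.sensitive.props.key", "thisIsABadSensitiveKeyPassword");
        plain.put("nifi.security.keystorePasswd", "thisIsABadKeystorePassword");
        plain.put("c2.security.keystore.password", "thisIsABadKeystorePassword"); // same secret, different ciphertext

        String conf = protectAll(plain, newRootKey());
        System.out.print(conf);

        // The root key sits in clear text beside the protected values, so any reader of
        // bootstrap.conf can undo the protection:
        System.out.println(recoverAll(conf));
    }
}
```

Compile and run with javac and java. Each run yields different ciphertext for the same passwords because the IV is random, and unprotect fails with AEADBadTagException if either the key or a protected value has been altered, which is also why hand-editing a protected line renders it unreadable to the agent.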

The tool encrypts the sensitive configuration properties by default. To encrypt additional properties, list their names as comma-separated values in the nifi.sensitive.props.additional.keys property shown in the example above (it is left empty there, so only the default set is encrypted).

The following example shows how to encrypt sensitive properties that are still in plain text in the flow.json.raw file. The key and algorithm used for the flow are taken from bootstrap.conf:

nifi.sensitive.props.key=sensitivePropsKey
nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256

Run the tool with the following arguments:

encrypt-config.sh -x -f %MINIFI_HOME_DIR%/conf/flow.json.raw

As a result, the flow.json.raw file is overwritten with its sensitive property values encrypted. Check the file afterwards to confirm that the plain-text values are gone.

The tool uses the property descriptors in the flow.json.raw file to decide whether a property is sensitive. If a descriptor does not carry that information, the property is left unencrypted, even if the agent manifest defines it as sensitive, so verify the file after running the tool rather than assuming every secret was covered.