FileBasedKeyProvider
The FileBasedKeyProvider implementation reads from an encrypted definition file of the format:
key1=NGCpDpxBZNN0DBodz0p1SDbTjC2FG5kp1pCmdUKJlxxtcMSo6GC4fMlTyy1mPeKOxzLut3DRX+51j6PCO5SznA==
key2=GYxPbMMDbnraXs09eGJudAM5jTvVYp05XtImkAg4JY4rIbmHOiVUUI6OeOf7ZW+hH42jtPgNW9pSkkQ9HWY/vQ==
key3=SFe11xuz7J89Y/IQ7YbJPOL0/YKZRFL/VUxJgEHxxlXpd/8ELA7wwN59K1KTr3BURCcFP5YGmwrSKfr4OE4Vlg==
key4=kZprfcTSTH69UuOU3jMkZfrtiVR/eqWmmbdku3bQcUJ/+UToecNB5lzOVEMBChyEXppyXXC35Wa6GEXFK6PMKw==
key5=c6FzfnKm7UR7xqI2NFpZ+fEKBfSU7+1NvRw+XWQ9U39MONWqk5gvoyOCdFR1kUgeg46jrN5dGXk13sRqE0GETQ==
Each line defines a key ID, then the Base64 encoding of a 16 byte IV followed by the wrapped key material (AES/GCM cipher text plus its authentication tag). The wrapped keys are AES-128, AES-192, or AES-256 keys depending on the JCE policies available to the JVM. The individual keys are wrapped with AES/GCM under the master key defined by nifi.bootstrap.sensitive.key in conf/bootstrap.conf. Because every key in the file can be unwrapped by anyone who can read that master key, the file permissions on conf/bootstrap.conf matter as much as those on the key definition file itself.
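The following is an added example, not code from NiFi, showing how a key definition file in the format above is produced and consumed: each value is Base64(16-byte IV || AES/GCM ciphertext || tag) under the master key. It assumes the master key is supplied as raw bytes (the hex string in the demo main() is a constructed value, and the page does not specify how nifi.bootstrap.sensitive.key is encoded); the parser, field names and demo keys are illustrative, and the 16-byte IV size is taken from the text rather than the 12-byte nonce GCM is more often used with.

```go
package main

import (
	"bufio"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// ivLen is the IV size the text gives for the key definition file.
const ivLen = 16

// wrapKey produces the value of one keyN= line: Base64(IV || GCM ciphertext || tag),
// wrapped under masterKey with a fresh random IV.
func wrapKey(masterKey, rawKey []byte) (string, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, ivLen)
	if err != nil {
		return "", err
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// Seal appends ciphertext and the 16-byte tag after the IV already in the buffer.
	return base64.StdEncoding.EncodeToString(gcm.Seal(iv, iv, rawKey, nil)), nil
}

// unwrapKey reverses wrapKey. A wrong master key or any change to the IV,
// ciphertext or tag makes Open fail instead of returning a wrong key.
func unwrapKey(masterKey []byte, encoded string) ([]byte, error) {
	blob, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, ivLen)
	if err != nil {
		return nil, err
	}
	if len(blob) < ivLen+gcm.Overhead() {
		return nil, fmt.Errorf("wrapped key too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:ivLen], blob[ivLen:], nil)
}

// parseKeyFile reads "keyId=Base64" lines and unwraps every key, returning
// keyId -> raw key. Blank lines are skipped; any other malformed line is an error.
func parseKeyFile(masterKey []byte, contents string) (map[string][]byte, error) {
	keys := make(map[string][]byte)
	sc := bufio.NewScanner(strings.NewReader(contents))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		// Key IDs contain no '=', so the first '=' is the separator even though
		// Base64 padding puts '=' characters at the end of the value.
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			return nil, fmt.Errorf("line %d: expected keyId=Base64", lineNo)
		}
		raw, err := unwrapKey(masterKey, parts[1])
		if err != nil {
			return nil, fmt.Errorf("line %d (%s): %w", lineNo, parts[0], err)
		}
		keys[parts[0]] = raw
	}
	return keys, sc.Err()
}

func main() {
	// Constructed demo master key (32 bytes -> AES-256); never reuse it.
	master, _ := hex.DecodeString("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
	var lines []string
	for i := 1; i <= 3; i++ {
		raw := make([]byte, 32)
		rand.Read(raw)
		w, err := wrapKey(master, raw)
		if err != nil {
			panic(err)
		}
		lines = append(lines, fmt.Sprintf("key%d=%s", i, w))
	}
	file := strings.Join(lines, "\n") + "\n"
	fmt.Print(file)
	keys, err := parseKeyFile(master, file)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unwrapped %d keys\n", len(keys))
}
```

Go's NewGCMWithNonceSize and the JCE both derive the counter block for a non-96-bit IV as NIST SP 800-38D specifies, so a 16-byte IV is handled the same way on both sides; the length check before Open is there so a truncated line reports a clear error rather than a generic authentication failure.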
Data Protection vs. Key Protection
Even though flowfile content is encrypted using AES/CTR so that it can be processed as a stream, the keys themselves, whether handled by the Config Encrypt Tool or by the FileBasedKeyProvider, are protected using AES/GCM, which provides authenticated encryption over the key material. CTR mode gives confidentiality only: a modified ciphertext decrypts without error to modified plaintext. GCM adds an authentication tag, so a wrapped key that has been altered, or is decrypted with the wrong master key, is rejected rather than silently yielding the wrong key.
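To make the distinction concrete, here is an added example (not NiFi code) that applies the same one-byte edit to an AES/CTR ciphertext and to an AES/GCM ciphertext using a 16-byte IV as in the key file. The key, IVs and message are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Fixed demo values (constructed, for reproducibility only).
var (
	demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	ctrIV   = []byte("16-byte CTR IV!!")                 // 16 bytes
	gcmIV   = []byte("16-byte GCM IV!!")                 // 16 bytes, as in the key file
)

// ctrXOR applies AES/CTR; encryption and decryption are the same operation.
func ctrXOR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// ctrTamper encrypts plaintext with AES/CTR, XORs delta into ciphertext byte idx,
// and returns what a decryptor sees. CTR carries no integrity check, so the edit
// lands in the plaintext at the same position and nothing reports an error.
func ctrTamper(plaintext string, idx int, delta byte) string {
	ct := ctrXOR(demoKey, ctrIV, []byte(plaintext))
	ct[idx] ^= delta
	return string(ctrXOR(demoKey, ctrIV, ct))
}

// gcmTamperDetected applies the same edit to an AES/GCM ciphertext and reports
// whether Open rejected it (true = tamper detected).
func gcmTamperDetected(plaintext string, idx int, delta byte) bool {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCMWithNonceSize(block, len(gcmIV))
	if err != nil {
		panic(err)
	}
	sealed := gcm.Seal(nil, gcmIV, []byte(plaintext), nil) // ciphertext || 16-byte tag
	sealed[idx] ^= delta
	_, err = gcm.Open(nil, gcmIV, sealed, nil)
	return err != nil
}

func main() {
	const msg = "amount=100"
	// Byte 7 is the '1'; XORing '1'^'9' (0x08) turns it into '9'.
	fmt.Printf("CTR: %q -> %q, no error raised\n", msg, ctrTamper(msg, 7, '1'^'9'))
	fmt.Printf("GCM: tamper detected = %v\n", gcmTamperDetected(msg, 7, '1'^'9'))
}
```

The CTR edit turns "amount=100" into "amount=900" with no indication anything happened, which is acceptable for bulk content only if integrity is provided elsewhere; the GCM edit fails authentication, which is why the key material is wrapped with GCM rather than CTR.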