How does it work?
The WriteAheadProvenanceRepository
was introduced in NiFi 1.2.0 and provided a refactored and much faster provenance repository implementation than the previous PersistentProvenanceRepository
. The encrypted version wraps that implementation with a record writer and reader which encrypt and decrypt the serialized bytes respectively.
The fully qualified class
org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
is
specified as the provenance repository implementation in nifi.properties as the
value of nifi.provenance.repository.implementation
. In addition, new properties must be populated to allow
successful initialization.
StaticKeyProvider
The StaticKeyProvider
implementation defines keys directly in
nifi.properties. Individual keys are provided in hexadecimal encoding. The
keys can also be encrypted like any other sensitive property in nifi.properties
using the ./encrypt-config.sh
tool in the NiFi Toolkit.
The following configuration section would result in a key provider with two available keys, "Key1" (active) and "AnotherKey".
nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.security.kms.StaticKeyProvider
nifi.provenance.repository.encryption.key.id=Key1
nifi.provenance.repository.encryption.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
nifi.provenance.repository.encryption.key.id.AnotherKey=0101010101010101010101010101010101010101010101010101010101010101
FileBasedKeyProvider
The FileBasedKeyProvider
implementation reads from an encrypted definition file of the format:
key1=NGCpDpxBZNN0DBodz0p1SDbTjC2FG5kp1pCmdUKJlxxtcMSo6GC4fMlTyy1mPeKOxzLut3DRX+51j6PCO5SznA==
key2=GYxPbMMDbnraXs09eGJudAM5jTvVYp05XtImkAg4JY4rIbmHOiVUUI6OeOf7ZW+hH42jtPgNW9pSkkQ9HWY/vQ==
key3=SFe11xuz7J89Y/IQ7YbJPOL0/YKZRFL/VUxJgEHxxlXpd/8ELA7wwN59K1KTr3BURCcFP5YGmwrSKfr4OE4Vlg==
key4=kZprfcTSTH69UuOU3jMkZfrtiVR/eqWmmbdku3bQcUJ/+UToecNB5lzOVEMBChyEXppyXXC35Wa6GEXFK6PMKw==
key5=c6FzfnKm7UR7xqI2NFpZ+fEKBfSU7+1NvRw+XWQ9U39MONWqk5gvoyOCdFR1kUgeg46jrN5dGXk13sRqE0GETQ==
Each line defines a key ID and then the Base64-encoded cipher text of a 16 byte IV and wrapped AES-128, AES-192, or AES-256 key depending on the JCE policies available. The individual keys are wrapped by AES/GCM encryption using the master key defined by nifi.bootstrap.sensitive.key
in conf/bootstrap.conf.
Key Rotation
Simply update nifi.properties to reference a new key ID in nifi.provenance.repository.encryption.key.id
. Previously-encrypted events can still be decrypted as long as that key is still available in the key definition file or nifi.provenance.repository.encryption.key.id.<OldKeyID>
as the key ID is serialized alongside the encrypted record.