Encrypting NiFi sensitive properties with FIPS 140-2 approved algorithm

You can encrypt NiFi sensitive properties, such as the password for a database connection pool service, with a secret key generated by the FIPS 140-2 approved PBKDF2 algorithm.

The PBKDF2 algorithm uses 160,000 hashing iterations with the SHA-512 digest function. The generated secret key is then used to encrypt properties with AES Galois/Counter Mode (GCM), which provides both encryption and integrity protection.

To generate secret keys using the PBKDF2 algorithm, you must specify the algorithm in the nifi.sensitive.props.algorithm field and specify a password in the nifi.sensitive.props.key field.

See Installing and Configuring CDP with FIPS.

  1. Open the nifi.properties file.
  2. Set the nifi.sensitive.props.algorithm property to one of the following PBKDF2 options:
    • NIFI_PBKDF2_AES_GCM_128 to specify a 128-bit key length
    • NIFI_PBKDF2_AES_GCM_256 to specify a 256-bit key length
  3. Set the nifi.sensitive.props.key property with a password that is at least 12 characters long.
    The encryption key is derived from this password.
  4. Save the nifi.properties file.
  5. If you are installing CFM 2.1.0, start NiFi. If you are upgrading to CFM 2.1.0, see the Migration guide.