Migrating a Flow with Sensitive Properties

When a value is set for nifi.sensitive.props.key in nifi.properties, the specified key is used to encrypt sensitive properties in the flow (e.g. password fields in components). If the key needs to change, the Encrypt-Config tool in the NiFi Toolkit can migrate the sensitive properties key and update the flow.xml.gz. Specifically, Encrypt-Config:

  1. Reads the existing flow.xml.gz and decrypts the sensitive values using the current key.

  2. Encrypts all the sensitive values with a specified new key.

  3. Updates the nifi.properties and flow.xml.gz files or creates new versions of them.

As an example, assume version 1.9.2 is the existing NiFi instance and the sensitive properties key is set to password. The goal is to move the 1.9.2 flow.xml.gz to a 1.10.0 instance with a new sensitive properties key: new_password. Running the following Encrypt-Config command would read in the flow.xml.gz and nifi.properties files from 1.9.2 using the original sensitive properties key and write out new versions in 1.10.0 with the sensitive properties encrypted with the new password:

         $ ./nifi-toolkit-1.10.0/bin/encrypt-config.sh -f /path/to/nifi/nifi-1.9.2/conf/flow.xml.gz -g /path/to/nifi/nifi-1.10.0/conf/flow.xml.gz -s new_password -n /path/to/nifi/nifi-1.9.2/conf/nifi.properties -o /path/to/nifi/nifi-1.10.0/conf/nifi.properties -x


  • -f specifies the source flow.xml.gz (nifi-1.9.2)

  • -g specifies the destination flow.xml.gz (nifi-1.10.0)

  • -s specifies the new sensitive properties key (new_password)

  • -n specifies the source nifi.properties (nifi-1.9.2)

  • -o specifies the destination nifi.properties (nifi-1.10.0)

  • -x tells Encrypt-Config to only process the sensitive properties

For more information see the Encrypt-Config Tool section in the NiFi Toolkit Guide.