How does it work?

The WriteAheadProvenanceRepository was introduced in NiFi 1.2.0 and provided a refactored and much faster provenance repository implementation than the previous PersistentProvenanceRepository. The encrypted version wraps that implementation with a record writer and reader which encrypt and decrypt the serialized bytes respectively.

The fully qualified class org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository is specified as the provenance repository implementation as the value of nifi.provenance.repository.implementation. In addition, new properties must be populated to allow successful initialization.


The StaticKeyProvider implementation defines keys directly in Individual keys are provided in hexadecimal encoding. The keys can also be encrypted like any other sensitive property in using the ./ tool in the NiFi Toolkit.

The following configuration section would result in a key provider with two available keys, "Key1" (active) and "AnotherKey".


The FileBasedKeyProvider implementation reads from an encrypted definition file of the format:


Each line defines a key ID and then the Base64-encoded cipher text of a 16 byte IV and wrapped AES-128, AES-192, or AES-256 key depending on the JCE policies available. The individual keys are wrapped by AES/GCM encryption using the root key defined by nifi.bootstrap.sensitive.key in conf/bootstrap.conf.

Key Rotation

Simply update to reference a new key ID in Previously-encrypted events can still be decrypted as long as that key is still available in the key definition file or<OldKeyID> as the key ID is serialized alongside the encrypted record.
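To make the key definition file and the rotation behaviour concrete, here is an added Go example. It is not NiFi code (NiFi's implementation is Java) and it does not reproduce NiFi's exact on-disk formats: the `<keyId>=<base64>` line layout, the record header (key ID, a NUL byte, a 12-byte nonce, then ciphertext and tag) and all function names are this example's own assumptions. What it does follow from the text above is that each file line carries a 16-byte IV plus an AES/GCM-wrapped key, that the wrapping uses a root key, and that the key ID is serialized alongside every encrypted record so that events written under an older key remain readable for as long as that key is still present in the provider.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

const wrapIVSize = 16 // IV length the page gives for the wrapped keys in the definition file

// newGCM returns an AES/GCM AEAD; the key length selects AES-128, AES-192 or AES-256.
func newGCM(key []byte, nonceSize int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, nonceSize)
}

// WrapKey encrypts a data key under the root key and returns Base64(IV || ciphertext+tag), the value half of a "<keyId>=<base64>" line (layout assumed here).
func WrapKey(rootKey, dataKey []byte) (string, error) {
	gcm, err := newGCM(rootKey, wrapIVSize)
	if err != nil {
		return "", err
	}
	iv := make([]byte, wrapIVSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(append(iv, gcm.Seal(nil, iv, dataKey, nil)...)), nil
}

// ParseKeyFile unwraps every key in the definition file; a wrong root key or an edited value fails the GCM tag check for that line instead of yielding a garbage key.
func ParseKeyFile(rootKey []byte, contents string) (map[string][]byte, error) {
	gcm, err := newGCM(rootKey, wrapIVSize)
	if err != nil {
		return nil, err
	}
	keys := map[string][]byte{}
	for _, line := range strings.Split(contents, "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		id, val, ok := strings.Cut(line, "=")
		raw, err := base64.StdEncoding.DecodeString(val)
		if !ok || err != nil || len(raw) < wrapIVSize {
			return nil, fmt.Errorf("malformed key line for %q", id)
		}
		if keys[id], err = gcm.Open(nil, raw[:wrapIVSize], raw[wrapIVSize:], nil); err != nil {
			return nil, fmt.Errorf("key %q: %w", id, err)
		}
	}
	return keys, nil
}

// recordAEAD looks a key ID up in the provider; a retired ID is an error, never a silent fallback to the active key.
func recordAEAD(keys map[string][]byte, keyID string) (cipher.AEAD, error) {
	key, ok := keys[keyID]
	if !ok {
		return nil, fmt.Errorf("key %q is not available to this provider", keyID)
	}
	return newGCM(key, 12)
}

// EncryptRecord seals one serialized event and stores the key ID in the record header (key ID, NUL, 12-byte nonce, ciphertext+tag; framing assumed here); the ID is also bound as AAD.
func EncryptRecord(keys map[string][]byte, keyID string, event []byte) ([]byte, error) {
	gcm, err := recordAEAD(keys, keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte(keyID), 0), nonce...)
	return gcm.Seal(header, nonce, event, []byte(keyID)), nil
}

// DecryptRecord selects the key named in the header, so events written under an older key stay readable while that key remains in the provider.
func DecryptRecord(keys map[string][]byte, record []byte) ([]byte, error) {
	sep := bytes.IndexByte(record, 0)
	if sep < 0 {
		return nil, fmt.Errorf("record has no key ID header")
	}
	keyID, rest := string(record[:sep]), record[sep+1:]
	gcm, err := recordAEAD(keys, keyID)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(rest) >= n {
		return gcm.Open(nil, rest[:n], rest[n:], []byte(keyID))
	}
	return nil, fmt.Errorf("truncated record")
}
```

Typical use is: wrap each data key with WrapKey under the root key and write the lines out, load them back with ParseKeyFile, encrypt events with EncryptRecord naming the active key ID, and decrypt with DecryptRecord, which reads the ID from the record rather than from configuration. Rotation is then just a matter of naming a different active ID for new records; deleting an ID from the map (the equivalent of dropping it from the key file) makes the records written under it unreadable, and DecryptRecord reports that explicitly rather than attempting another key.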