Writing and Reading FlowFiles
Once the repository is initialized, all flowfile record write operations are serialized using
RepositoryObjectBlockEncryptor (the only currently existing implementation is
RepositoryObjectAESGCMEncryptor) to the provided
DataOutputStream. The original stream is swapped with a temporary wrapped stream, which encrypts the data written by the wrapped serializer/deserializer via
EncryptedSchemaRepositoryRecordSerde inline and the encryption metadata (
cipherByteLength) is serialized and prepended. The complete length and encrypted bytes are then written to the original
DataOutputStream on disk as normal.
On flowfile record read, the process is reversed. The encryption metadata (
RepositoryObjectEncryptionMetadata) is parsed and used to decrypt the serialized bytes, which are then deserialized into a
During swaps and recoveries, the flowfile records are deserialized and reserialized, so if the active key has been changed, the flowfile records will be re-encrypted with the new active key.
Within the NiFi UI/API, there is no detectable difference between an encrypted and unencrypted flowfile repository. All framework interactions with flowfiles work as expected with no change to the process.