Encrypting NiFi sensitive properties with FIPS 140-2 approved algorithm
You can encrypt NiFi sensitive properties, such as the password for a database connection pool service, with a secret key generated by the FIPS 140-2 approved PBKDF2 algorithm.
The PBKDF2 algorithm uses 160,000 hashing iterations with the SHA-512 digest function. The generated secret key is then used to encrypt properties with AES Galois/Counter Mode (GCM), which provides both encryption and integrity protection.
To generate secret keys using the PBKDF2 algorithm, you must specify the algorithm in the nifi.sensitive.props.algorithm field and specify a password in
See Installing and Configuring CDP with FIPS.
- Open the nifi.properties file.
- Set the nifi.sensitive.props.algorithm property to one of the following PBKDF2 options:
  - NIFI_PBKDF2_AES_GCM_128 to specify a 128-bit key length
  - NIFI_PBKDF2_AES_GCM_256 to specify a 256-bit key length
- Set the nifi.sensitive.props.key property with a password that is at least 12 characters long. The encryption key is derived from this password.
- Save the nifi.properties file.
- If you are installing CFM, start NiFi. If you are upgrading to a newer CFM version, see the Migration guide.
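A pre-start check for the two properties set in the steps above, followed by a PBKDF2-HMAC-SHA512 derivation using the iteration count and key lengths stated on this page. This is an added example, not Cloudera or NiFi code. The function names, sample property text and salt are constructed for illustration, since the page does not describe the salt NiFi uses.

```python
import hashlib

# From the page: the two allowed algorithm values and their AES key sizes in bits.
PBKDF2_ALGORITHMS = {"NIFI_PBKDF2_AES_GCM_128": 128, "NIFI_PBKDF2_AES_GCM_256": 256}
MIN_PASSWORD_LENGTH = 12     # minimum password length stated on the page
PBKDF2_ITERATIONS = 160_000  # iteration count stated on the page


def parse_properties(text):
    """Parse key=value lines as used in nifi.properties, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_sensitive_props(text):
    """Return a list of findings; an empty list means both settings pass."""
    props = parse_properties(text)
    findings = []
    algorithm = props.get("nifi.sensitive.props.algorithm", "")
    if algorithm not in PBKDF2_ALGORITHMS:
        findings.append(f"algorithm {algorithm!r} is not a PBKDF2 option")
    password = props.get("nifi.sensitive.props.key", "")
    if len(password) < MIN_PASSWORD_LENGTH:
        # Report only the length, never the password itself.
        findings.append(f"password has {len(password)} characters, need {MIN_PASSWORD_LENGTH}")
    return findings


def derive_key(password, algorithm, salt):
    """PBKDF2-HMAC-SHA512 at the page's iteration count, sized for the chosen AES key."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=PBKDF2_ALGORITHMS[algorithm] // 8)


# Constructed sample inputs, not real configuration.
GOOD = "nifi.sensitive.props.algorithm=NIFI_PBKDF2_AES_GCM_256\nnifi.sensitive.props.key=constructed-sample-pw\n"
WEAK = "nifi.sensitive.props.algorithm=EXAMPLE_OTHER_ALGORITHM\nnifi.sensitive.props.key=short\n"
DEMO_SALT = b"constructed-demo-salt"  # assumption: the page does not say what salt NiFi uses

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_sensitive_props(sample) or "ok")
    key = derive_key("constructed-sample-pw", "NIFI_PBKDF2_AES_GCM_256", DEMO_SALT)
    print(len(key) * 8, "bit key derived")
```

Running the check against the edited nifi.properties before starting NiFi catches a non-PBKDF2 algorithm value or a short password without printing the password.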