Migrating dataflows with sensitive properties

When you set a value for nifi.sensitive.props.key in nifi.properties, that key is used to encrypt sensitive properties like component passwords in the flow. If you need to change the sensitive properties key value, you can use the Encrypt-Config tool in the NiFi Toolkit to migrate the sensitive properties key to a new value and update the flow.xml.gz file.

About this task

The Encrypt-Config tool performs the following actions:
  • Reads the existing flow.xml.gz and decrypts the sensitive values using the current key.
  • Encrypts all the sensitive values with a specified new key.
  • Updates the nifi.properties and flow.xml.gz files or creates new versions of them.
Run the following command:
$ ./nifi-toolkit-<version>/bin/encrypt-config.sh 
-f /path/to/nifi/nifi-<source-version>/conf/flow.xml.gz 
-g /path/to/nifi/nifi-<target-version>/conf/flow.xml.gz 
-s <new-password> 
-n /path/to/nifi/nifi-<source-version>/conf/nifi.properties 
-o /path/to/nifi/nifi-<target-version>/conf/nifi.properties 


  • -f – Specifies the source flow.xml.gz.
  • -g – Specifies the destination flow.xml.gz.
  • -s – Specifies the new sensitive properties key.
  • -n – Specifies the source nifi.properties.
  • -o – Specifies the destination nifi.properties.
  • -x – Tells the Encrypt-Config tool to only process the sensitive properties.

For more information, see the Encrypt-Config Tool section in the NiFi Toolkit Guide.