...

The tool will then encrypt the modified property using the existing encryption key in bootstrap.conf, and it will leave the other, already encrypted, sensitive properties alone.

Generating a new encryption key

If you want to modify the generate a new encryption key, you need to:

1. Remove the nifi.bootstrap.sensitive.key=... line from bootstrap.conf (if it does not contain anything else, you can delete the file)
2. Replace all sensitive property values with their original, unencrypted, values
3. Delete all the the something.protected=XChaCha20-Poly1305 lines.

4. Re-run the encrypt-config tool.

...