...

The security of the encryption depends on the security of the bootstrap.conf file, which stores the encryption key.

Vocabulary

  • minifi home: the directory as specified to encrypt-config by the --minifi-home option
  • properties file: the file <minifi home>/conf/minifi.properties
  • flow configuration: the file specified in the properties file with the key nifi.flow.configuration.file, or if not specified it defaults to <minifi home>/conf/config.yml
  • bootstrap file: the file <minifi home>/conf/bootstrap.conf
  • sensitive property: any property in the properties file that we wish to encrypt

Basic usage

If you have a minifi.properties file in your MiNiFi configuration directory /var/tmp/minifi-home/conf containing the following sensitive properties:

...

You should protect the bootstrap.conf file so that it is readable only by the user that will run MiNiFi.
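
One way to verify this is sketched below. It is an added example, not part of MiNiFi or its documentation: it checks that <minifi home>/conf/bootstrap.conf is owned by the service account and grants no access to group or other. The function name check_bootstrap and the user name in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example, not part of MiNiFi: audit who can access the bootstrap file,
# which holds the encryption key used by encrypt-config.
# Usage: sh check_bootstrap.sh <minifi home> <service user or uid>
#   e.g. sh check_bootstrap.sh /var/tmp/minifi-home minifi   (user name is hypothetical)

check_bootstrap() {
    home=$1
    user=$2
    file="$home/conf/bootstrap.conf"

    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }

    # Accept a numeric uid as-is, otherwise resolve the user name.
    case $user in
        ''|*[!0-9]*)
            want_uid=$(id -u "$user" 2>/dev/null) ||
                { echo "UNKNOWN USER: $user"; return 1; } ;;
        *)  want_uid=$user ;;
    esac

    # ls -n prints the numeric owner; -L follows a symlink to the real file.
    read -r mode _links uid _rest <<EOF
$(ls -lnL "$file")
EOF
    go_bits=$(printf '%s' "$mode" | cut -c5-10)   # group and other rwx bits

    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER: $file is owned by uid $uid, expected $want_uid"
        rc=1
    fi
    if [ "$go_bits" != "------" ]; then
        echo "MODE: $file is $mode; group/other must have no access (chmod 600)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $file ($mode, uid $uid)"; fi
    return "$rc"
}

# Run the audit only when invoked with both arguments.
if [ "$#" -eq 2 ]; then
    check_bootstrap "$1" "$2"
fi
```

The check looks only at the classic permission bits and owner; POSIX ACLs and the permissions of parent directories are not inspected.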

Additional sensitive properties

By default, encrypt-config will encrypt a (short) list of default sensitive properties.  If you want more properties to be encrypted, you can add a nifi.sensitive.props.additional.keys setting with a comma-separated list of additional sensitive properties to your minifi.properties file like this:

...

before running the encrypt-config tool.  The tool will then encrypt these additional properties, as well.  You can also do this after you have already encrypted some properties; the tool will encrypt the additional properties using the existing encryption key, and it will leave the other, already encrypted, sensitive properties alone.

Modifying sensitive properties

If you later need to modify the value of a sensitive property which was encrypted earlier, you need to:

...

The tool will then encrypt the modified property using the existing encryption key in bootstrap.conf, and it will leave the other, already encrypted, sensitive properties alone.

Encrypting the flow configuration

For manual encryption, pass the --encrypt-flow-config flag to encrypt-config so that it also encrypts the flow configuration file, not just the sensitive properties.

Updating the encryption key

If you want to change the encryption key, you need to:

...