Manual encryption
MiNiFi comes with a tool called encrypt-config (encrypt-config.exe on Windows) which can be found in the bin directory of the installation, next to the main minifi binary. It enables the encryption of sensitive properties in the minifi.properties file along with the encryption of the flow configuration (config.yml by default).
...
```
$ cat /var/tmp/minifi-home/conf/bootstrap.conf
nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Property "nifi.security.client.pass.phrase" is already properly encrypted.
Could not find any (new) sensitive properties to encrypt in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.
```
Automatic encryption
Specify the property nifi.flow.configuration.encrypt=true in the properties file to have the new flow configuration written to the disk encrypted after a flow update (originating from a C2 server). It requires that you have a conf/bootstrap.conf in your minifi home, containing an encryption key (nifi.bootstrap.sensitive.key). This "master key" is also used on agent startup to decrypt the flow configuration file.
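A read-only check of a MiNiFi home against the settings described in both sections, added here as an example (it is not part of the MiNiFi distribution). The 64-hex-character key format is assumed from the sample bootstrap.conf on this page, the owner-only permission check is a general hardening recommendation rather than something this page states, and prop, finding and audit_minifi_home are hypothetical helper names.

```bash
# Added example: audit a MiNiFi home for the encryption settings described above.
# audit_minifi_home <minifi-home> prints one line per finding and returns their count.

# Print the value of property $2 in file $1 (last assignment wins, empty if absent).
prop() {
    [ -f "$1" ] || return 0
    awk -F= -v k="$2" '{ key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); v = $0 }
        END { print v }' "$1"
}

audit_minifi_home() {
    local boot props key old enc n
    boot="$1/conf/bootstrap.conf"; props="$1/conf/minifi.properties"; n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }

    if [ ! -f "$boot" ]; then
        finding "conf/bootstrap.conf is missing, so there is no key to encrypt or decrypt with"
    else
        key=$(prop "$boot" nifi.bootstrap.sensitive.key)
        old=$(prop "$boot" nifi.bootstrap.sensitive.key.old)
        # Assumption: keys are 64 hex characters, as in the sample bootstrap.conf on this page.
        printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{64}$' ||
            finding "nifi.bootstrap.sensitive.key is absent or not 64 hex characters"
        # The old key is only needed until everything is re-encrypted with the new one.
        [ -z "$old" ] ||
            finding "nifi.bootstrap.sensitive.key.old is still present; remove it only after the flow config has been re-encrypted"
        # Hardening recommendation (not from the page): only the owner may access the key file.
        [ "$(ls -ld "$boot" | cut -c5-10)" = "------" ] ||
            finding "conf/bootstrap.conf is accessible to group or others"
    fi
    enc=$(prop "$props" nifi.flow.configuration.encrypt)
    [ "$enc" = "true" ] ||
        finding "nifi.flow.configuration.encrypt is not true; flow updates from C2 will not be written to disk encrypted"
    return "$n"
}

# Constructed sample home; the keys are made-up placeholders, not real secrets.
demo=$(mktemp -d)
mkdir -p "$demo/conf"
printf 'nifi.bootstrap.sensitive.key.old=%064d\nnifi.bootstrap.sensitive.key=%064d\n' 1 2 \
    > "$demo/conf/bootstrap.conf"
chmod 600 "$demo/conf/bootstrap.conf"
echo 'nifi.flow.configuration.encrypt=false' > "$demo/conf/minifi.properties"
audit_minifi_home "$demo" || echo "$? finding(s)"
```

The script never prints key values, so its output is safe to keep in deployment logs.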