Manual encryption

MiNiFi comes with a tool called encrypt-config (encrypt-config.exe on Windows), found in the bin directory of the installation next to the main minifi binary. It encrypts the sensitive properties in the minifi.properties file as well as the flow configuration (config.yml by default).

...

$ cat /var/tmp/minifi-home/conf/bootstrap.conf

nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730

$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home

Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Property "nifi.security.client.pass.phrase" is already properly encrypted.
Could not find any (new) sensitive properties to encrypt in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.


Automatic encryption

Set nifi.flow.configuration.encrypt=true in the properties file to have a new flow configuration written to disk encrypted after a flow update originating from a C2 server. This requires a conf/bootstrap.conf in your MiNiFi home containing an encryption key (nifi.bootstrap.sensitive.key). This "master key" is also used on agent startup to decrypt the flow configuration file.
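
A pre-deployment check for the prerequisites described above, as an added example that is not part of MiNiFi or of the original page. The function names, the 64-hex-character key format (taken from the sample bootstrap.conf above) and the owner-only permission check are assumptions; the sample home is constructed and uses a dummy key.

```shell
#!/bin/sh
# Added example: audit a MiNiFi home for the flow-encryption prerequisites.

# Print the value of the last line in file $1 that starts with "$2=".
get_prop() {
    [ -f "$1" ] || return 0
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1" | tr -d '\r'
}

# Print one "FINDING: ..." line per problem in MiNiFi home $1.
# Runs in a subshell, so its variables stay local; status is 0 only when clean.
audit_minifi_home() (
    boot="$1/conf/bootstrap.conf"
    props="$1/conf/minifi.properties"
    n=0
    finding() { echo "FINDING: $*"; n=$((n + 1)); }

    if [ ! -f "$boot" ]; then
        finding "conf/bootstrap.conf missing: no key to encrypt or decrypt the flow"
    else
        key=$(get_prop "$boot" nifi.bootstrap.sensitive.key)
        # Assumption: a key is 64 hex characters, as in the page's sample.
        printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{64}$' ||
            finding "nifi.bootstrap.sensitive.key is absent or not 64 hex characters"
        [ -z "$(get_prop "$boot" nifi.bootstrap.sensitive.key.old)" ] ||
            finding "old key still present: keep it until the flow config is re-encrypted"
        # Assumption (hardening, not from the page): only the owner may read the key.
        [ -z "$(find "$boot" \( -perm -040 -o -perm -004 \))" ] ||
            finding "conf/bootstrap.conf is readable by group or others"
    fi
    [ "$(get_prop "$props" nifi.flow.configuration.encrypt)" = "true" ] ||
        finding "nifi.flow.configuration.encrypt is not true: C2 flow updates are not written encrypted"
    [ "$n" -eq 0 ]
)

# Constructed sample home: dummy key, never a real one.
demo_home=$(mktemp -d)
mkdir "$demo_home/conf"
printf 'nifi.bootstrap.sensitive.key=%064d\n' 0 > "$demo_home/conf/bootstrap.conf"
chmod 600 "$demo_home/conf/bootstrap.conf"
printf 'nifi.flow.configuration.encrypt=false\n' > "$demo_home/conf/minifi.properties"
audit_minifi_home "$demo_home" || echo "audit reported findings"
rm -rf "$demo_home"
```

The parser only matches lines that begin with the property name followed directly by "=", so commented-out or indented entries count as absent.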