...
The security of the encryption depends on the security of the `bootstrap.conf` file, which contains the encryption key. Anyone who can read that file can decrypt every sensitive property and the encrypted flow configuration, so restrict its permissions to the user the agent runs as.
Vocabulary
...
- If the files are already encrypted, there should be a `nifi.bootstrap.sensitive.key=...` line in the `bootstrap.conf` file (i.e. you have access to the original key); otherwise you have to manually replace all encrypted data (sensitive properties and flow configuration) with their original, unencrypted values (or some other new value).
- If present, rename the `nifi.bootstrap.sensitive.key=...` property in `bootstrap.conf` to `nifi.bootstrap.sensitive.key.old=...` (i.e. add the `.old` suffix to the property name).
- If you have a specific encryption key you would like to use, add it to the `bootstrap.conf` file (add the line `nifi.bootstrap.sensitive.key=<your encryption key here>`). If you provide no encryption key (no `nifi.bootstrap.sensitive.key` property in `bootstrap.conf`, or no `bootstrap.conf` at all), a new key will be randomly generated and written to `bootstrap.conf`.
- Re-run the `encrypt-config` tool.
...
Specify the property `nifi.flow.configuration.encrypt=true` in the properties file to have the new flow configuration written to disk encrypted after a flow update (originating from a C2 server); without it, a flow received from C2 is written out unencrypted. This requires a `conf/bootstrap.conf` in your MiNiFi home containing an encryption key (`nifi.bootstrap.sensitive.key`). This "master key" is also used on agent startup to decrypt the flow configuration file, so the agent will not be able to load an encrypted flow if the key is missing from `bootstrap.conf`.
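As an added example (not code from the MiNiFi C++ project), the POSIX shell script below carries out the key-rotation steps listed in the re-encryption procedure above and then enables encryption of C2-delivered flow updates as described in this section. The `conf/bootstrap.conf` and `conf/minifi.properties` locations under the MiNiFi home, the `bin/encrypt-config` path, the `--minifi-home` flag and the 64-hex-character (32-byte) key format are assumptions; confirm them against your installation and `encrypt-config --help` before running it.

```shell
#!/bin/sh
# Added example, not part of the MiNiFi C++ project.
# Assumptions (adjust to your install): MINIFI_HOME holds conf/bootstrap.conf and
# conf/minifi.properties; the tool lives at $MINIFI_HOME/bin/encrypt-config and
# accepts --minifi-home; keys are 32 random bytes, hex-encoded (64 hex chars).

# set_property FILE KEY VALUE: replace the first KEY=... line (dropping duplicates),
# or append it if absent. Comments and unrelated lines are preserved.
set_property() {
  file="$1"; key="$2"; value="$3"
  [ -f "$file" ] || : > "$file"
  tmp="$file.tmp.$$"
  awk -v k="$key" -v v="$value" '
    index($0, k "=") == 1 { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_property FILE KEY: print the value of the first KEY=... line, or nothing.
get_property() {
  [ -f "$1" ] || return 0
  awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$1"
}

# remove_property FILE KEY: delete every KEY=... line.
remove_property() {
  file="$1"; tmp="$file.tmp.$$"
  awk -v k="$2" 'index($0, k "=") != 1' "$file" > "$tmp" && mv "$tmp" "$file"
}

# rotate_bootstrap_key CONF [NEW_KEY]
# Keeps the current key as nifi.bootstrap.sensitive.key.old (encrypt-config needs it
# to decrypt the existing data) and either installs NEW_KEY or leaves
# nifi.bootstrap.sensitive.key absent so that encrypt-config generates a fresh one.
rotate_bootstrap_key() {
  conf="$1"; new_key="${2:-}"
  [ -f "$conf" ] || : > "$conf"
  if [ -n "$(get_property "$conf" nifi.bootstrap.sensitive.key.old)" ]; then
    echo "refusing: a .old key is still present; finish or clean up the previous rotation first" >&2
    return 1
  fi
  # Assumed key format: 32 bytes, hex-encoded.
  if [ -n "$new_key" ] && ! printf '%s\n' "$new_key" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "refusing: key must be 64 hex characters (32 bytes)" >&2
    return 1
  fi
  current="$(get_property "$conf" nifi.bootstrap.sensitive.key)"
  if [ -n "$current" ]; then
    set_property "$conf" nifi.bootstrap.sensitive.key.old "$current"
  fi
  remove_property "$conf" nifi.bootstrap.sensitive.key
  if [ -n "$new_key" ]; then
    set_property "$conf" nifi.bootstrap.sensitive.key "$new_key"
  fi
  chmod 600 "$conf"   # the key is only as secret as this file
}

# enable_flow_encryption MINIFI_HOME
# Turns on nifi.flow.configuration.encrypt, but only when bootstrap.conf carries a
# key: the agent needs it both to write the encrypted flow and to read it on startup.
enable_flow_encryption() {
  home="$1"
  if [ -z "$(get_property "$home/conf/bootstrap.conf" nifi.bootstrap.sensitive.key)" ]; then
    echo "no nifi.bootstrap.sensitive.key in $home/conf/bootstrap.conf; run encrypt-config first" >&2
    return 1
  fi
  set_property "$home/conf/minifi.properties" nifi.flow.configuration.encrypt true
}

# Full procedure, run from an operator shell:
#   sh rotate_key.sh run /opt/minifi [NEW_HEX_KEY]
if [ "${1:-}" = "run" ]; then
  home="$2"; key="${3:-}"
  rotate_bootstrap_key "$home/conf/bootstrap.conf" "$key" || exit 1
  # Tool path and flag are assumptions; see `encrypt-config --help`.
  "${ENCRYPT_CONFIG:-$home/bin/encrypt-config}" --minifi-home "$home" || exit 1
  enable_flow_encryption "$home"
fi
```

The script refuses to start a rotation while a `.old` key is still present, because that means an earlier run did not complete or was not cleaned up, and renaming the current key over it would lose the only key that can decrypt the existing data. When no new key is supplied the `nifi.bootstrap.sensitive.key` line is simply left out, which is the condition under which `encrypt-config` generates and writes one.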