$ cat /var/tmp/minifi-home/conf/bootstrap.conf

nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730

$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home

Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Successfully decrypted property "nifi.security.client.pass.phrase" using old key.
Encrypted property: nifi.security.client.pass.phrase
Encrypted 1 sensitive property in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.

If you forgot to specify the --encrypt-flow-config flag, you can re-run encrypt-config with the flag, and it will re-encrypt the flow configuration file, as well.

It is always safe to re-run encrypt-config; if it doesn't find anything new to encrypt, it will simply not do anything.

When you have successfully re-encrypted all sensitive properties and the flow configuration file(s), you can delete the nifi.bootstrap.sensitive.key.old line from the bootstrap file.
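The rotation steps above (stage the old key as nifi.bootstrap.sensitive.key.old, run encrypt-config with --encrypt-flow-config, then drop the old key) as a small POSIX sh helper. This is an added example, not a script shipped with MiniFi C++; it assumes the minifi home layout from the text (conf/bootstrap.conf, bin/encrypt-config) and 32-byte hex keys matching the 64-digit keys shown above.

```shell
#!/bin/sh
# Added example (not part of the MiniFi C++ project): safe key rotation for encrypt-config.
# Assumes the layout shown in the text: $MINIFI_HOME/conf/bootstrap.conf and $MINIFI_HOME/bin/encrypt-config.
set -eu

# Generate a fresh 32-byte key as 64 hex digits (the key format shown in the text).
new_key() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Stage a rotation: current key becomes nifi.bootstrap.sensitive.key.old, $2 becomes the new key.
# Refuses to run while a previous rotation is still staged, so the old key is never lost.
stage_rotation() {
  conf="$1/conf/bootstrap.conf"; key_new="$2"
  if grep -q '^nifi.bootstrap.sensitive.key.old=' "$conf"; then
    echo "rotation already staged in $conf; run finish_rotation first" >&2; return 1
  fi
  key_old=$(sed -n 's/^nifi.bootstrap.sensitive.key=//p' "$conf")
  [ -n "$key_old" ] || { echo "no nifi.bootstrap.sensitive.key in $conf" >&2; return 1; }
  tmp="$conf.tmp"
  # Rewrite atomically with owner-only permissions: the file holds the master key.
  sed '/^nifi.bootstrap.sensitive.key=/d' "$conf" > "$tmp"
  printf 'nifi.bootstrap.sensitive.key.old=%s\nnifi.bootstrap.sensitive.key=%s\n' "$key_old" "$key_new" >> "$tmp"
  chmod 600 "$tmp"; mv "$tmp" "$conf"
}

# Re-encrypt properties AND the flow config with the new key; only then remove the old key line.
# Always passes --encrypt-flow-config, because removing the old key without it makes an
# encrypted flow config unrecoverable (the WARNING printed by encrypt-config above).
finish_rotation() {
  home="$1"; conf="$home/conf/bootstrap.conf"
  "$home/bin/encrypt-config" --minifi-home "$home" --encrypt-flow-config || {
    echo "encrypt-config failed; keeping nifi.bootstrap.sensitive.key.old" >&2; return 1; }
  tmp="$conf.tmp"
  sed '/^nifi.bootstrap.sensitive.key.old=/d' "$conf" > "$tmp"
  chmod 600 "$tmp"; mv "$tmp" "$conf"
}

# Usage: stage_rotation /var/tmp/minifi-home "$(new_key)" && finish_rotation /var/tmp/minifi-home
```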

Automatic encryption

Specify the property nifi.flow.configuration.encrypt=true in the properties file to have the new flow configuration written to disk encrypted after a flow update (originating from a C2 server). This requires a conf/bootstrap.conf in your minifi home containing an encryption key (nifi.bootstrap.sensitive.key). This "master key" is also used on agent startup to decrypt the flow configuration file.