...
```
$ cat /var/tmp/minifi-home/conf/bootstrap.conf
nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730

$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Successfully decrypted property "nifi.security.client.pass.phrase" using old key.
Encrypted property: nifi.security.client.pass.phrase
Encrypted 1 sensitive property in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.
```
If you forgot to specify the `--encrypt-flow-config` flag, you can re-run `encrypt-config` with the flag, and it will re-encrypt the flow configuration file as well.
It is always safe to re-run `encrypt-config`; if it doesn't find anything new to encrypt, it will simply not do anything.
When you have successfully re-encrypted all sensitive properties and the flow configuration file(s), you can delete the `nifi.bootstrap.sensitive.key.old` line from the bootstrap file.
Automatic encryption
Specify the property `nifi.flow.configuration.encrypt=true` in the properties file to have the new flow configuration written to disk encrypted after a flow update (originating from a C2 server). This requires a `conf/bootstrap.conf` in your minifi home containing an encryption key (`nifi.bootstrap.sensitive.key`). This "master key" is also used on agent startup to decrypt the flow configuration file.
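A preflight check for the two conditions described above (the old key still being listed after a rotation, and automatic encryption needing a key in `conf/bootstrap.conf`), as an added example that is not part of the MiNiFi distribution. The function names, the 64-hex-character key format (taken from the sample above) and the file-permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check of a MiNiFi home before relying on
# nifi.flow.configuration.encrypt or deleting nifi.bootstrap.sensitive.key.old.

# Print the value of property $2 in file $1 (empty if the file or key is absent).
get_prop() {
  [ -f "$1" ] || return 0
  awk -v k="$2" -F= '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Returns 0 if the home passes, 1 on any FAIL; WARN lines do not change the status.
check_minifi_home() {
  bootstrap="$1/conf/bootstrap.conf"
  props="$1/conf/minifi.properties"
  rc=0
  key=$(get_prop "$bootstrap" nifi.bootstrap.sensitive.key)
  old=$(get_prop "$bootstrap" nifi.bootstrap.sensitive.key.old)
  encrypt=$(get_prop "$props" nifi.flow.configuration.encrypt)

  # Automatic encryption needs the key in conf/bootstrap.conf.
  if [ "$encrypt" = "true" ] && [ -z "$key" ]; then
    echo "FAIL: nifi.flow.configuration.encrypt=true but $bootstrap has no nifi.bootstrap.sensitive.key"
    rc=1
  fi
  # Assumption: keys are 64 hex characters, as in the sample bootstrap.conf on this page.
  if [ -n "$key" ] && ! printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "FAIL: nifi.bootstrap.sensitive.key is not 64 hex characters"
    rc=1
  fi
  # Added hardening check (not from the page): the key file should be owner-only.
  if [ -f "$bootstrap" ] && find "$bootstrap" \( -perm -040 -o -perm -004 \) | grep -q .; then
    echo "FAIL: $bootstrap is readable by group or others"
    rc=1
  fi
  if [ -n "$old" ]; then
    echo "WARN: nifi.bootstrap.sensitive.key.old still present; delete it only after encrypt-config has re-encrypted the properties and the flow configuration"
  fi
  return $rc
}

# Constructed demo home (dummy keys, not a real agent).
demo=$(mktemp -d) && mkdir -p "$demo/conf"
printf 'nifi.bootstrap.sensitive.key.old=%064d\nnifi.bootstrap.sensitive.key=%064d\n' 0 1 > "$demo/conf/bootstrap.conf"
chmod 600 "$demo/conf/bootstrap.conf"
echo 'nifi.flow.configuration.encrypt=true' > "$demo/conf/minifi.properties"
check_minifi_home "$demo"
```

On a real agent, call `check_minifi_home /var/tmp/minifi-home` (or your own minifi home) instead of the demo directory.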