Manual encryption
MiNiFi comes with a tool called encrypt-config (encrypt-config.exe on Windows) which can be found in the bin directory of the installation, next to the main minifi binary. It enables the encryption of sensitive properties in the minifi.properties file along with the encryption of the flow configuration (config.yml by default).
The security of the encryption depends on the security of the bootstrap.conf file, which contains the encryption key.
Vocabulary
- minifi home: the directory as specified to encrypt-config by the --minifi-home option
- configuration directory: the directory <minifi home>/conf
- properties file: the file <minifi home>/conf/minifi.properties
- flow configuration: the file specified in the properties file with the key nifi.flow.configuration.file, or if not specified it defaults to <minifi home>/conf/config.yml
- bootstrap file: the file <minifi home>/conf/bootstrap.conf
- sensitive property: any property in the properties file that we wish to encrypt
...
Encrypting the flow configuration
For manual encryption, pass the flag --encrypt-flow-config to encrypt-config so that it also encrypts the flow configuration file, not just the sensitive properties.
...
If you want to change the encryption key, you can do so in the following way:
- If the files are already encrypted, there should be a "nifi.bootstrap.sensitive.key=..." line in the bootstrap.conf file (i.e. you need access to the original key); otherwise you have to manually replace all encrypted data (sensitive properties and flow configuration) with their original, unencrypted values (or some other new value).
- If present, rename the "nifi.bootstrap.sensitive.key=..." property in bootstrap.conf to "nifi.bootstrap.sensitive.key.old=..." (i.e. add the ".old" suffix to the property name).
- If you have a specific encryption key you would like to use, add it to the bootstrap.conf file (add the line "nifi.bootstrap.sensitive.key=<your encryption key here>"). If you provide no encryption key (no nifi.bootstrap.sensitive.key property in bootstrap.conf, or no bootstrap.conf at all), a new key will be randomly generated and written to bootstrap.conf.
- Re-run the encrypt-config tool.
Take special care when changing the encryption key while the flow configuration is encrypted: re-encrypt it as well before deleting the old key (you will get a warning if you do not request its re-encryption).
```
$ cat /var/tmp/minifi-home/conf/bootstrap.conf
nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Successfully decrypted property "nifi.security.client.pass.phrase" using old key.
Encrypted property: nifi.security.client.pass.phrase
Encrypted 1 sensitive property in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.
```
If you forgot to specify the --encrypt-flow-config flag, you can re-run encrypt-config with the flag, and it will re-encrypt the flow configuration file as well.
It is always safe to re-run encrypt-config; if it doesn't find anything new to encrypt, it will simply not do anything.
When you have successfully re-encrypted all sensitive properties and the flow configuration file(s), you can delete the nifi.bootstrap.sensitive.key.old line from the bootstrap file.
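The key-rotation steps above (rename the key to ".old", install a new key, re-run encrypt-config with --encrypt-flow-config, and only then drop the ".old" line) are easy to get wrong by hand, so here is an added shell example that scripts the bootstrap.conf side of them. It is not part of MiNiFi or its documentation. It assumes the <minifi home>/conf/bootstrap.conf and <minifi home>/bin/encrypt-config layout from the vocabulary section, a POSIX sh with awk, and /dev/urandom for key generation; the function names are the example's own. It refuses to start a rotation while an ".old" key is still present, because renaming the current key again would overwrite the only key that can still decrypt the files.

```shell
#!/bin/sh
# Added example, not MiNiFi code: scripts the bootstrap.conf steps of the key
# rotation procedure. Assumed layout: <minifi home>/conf/bootstrap.conf and
# <minifi home>/bin/encrypt-config (from the page's vocabulary); POSIX sh + awk.
set -eu

KEY_PROP="nifi.bootstrap.sensitive.key"

# Print the value of a property from a bootstrap file (nothing if file/property is absent).
bootstrap_get() {                       # $1 = bootstrap file, $2 = property name
  [ -f "$1" ] || return 0
  awk -v p="$2=" 'index($0, p) == 1 { print substr($0, length(p) + 1); exit }' "$1"
}

# Steps 1-3 of the procedure: keep the current key under the ".old" name and install
# a new one (random 256-bit hex key unless one is supplied). Refuses to run while an
# ".old" key is still present: an earlier rotation was never finished, and renaming
# again would discard the only key that can decrypt the current files.
prepare_key_rotation() {                # $1 = minifi home, $2 = new key (optional)
  conf="$1/conf/bootstrap.conf"
  if [ -n "$(bootstrap_get "$conf" "$KEY_PROP.old")" ]; then
    echo "refusing: $KEY_PROP.old still present in $conf; finish the previous rotation first" >&2
    return 1
  fi
  newkey="${2:-$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')}"
  mkdir -p "$1/conf"
  tmp="$conf.tmp"
  if [ -f "$conf" ]; then
    # rename "<key>=<value>" to "<key>.old=<value>", leave every other line untouched
    awk -v k="$KEY_PROP" 'index($0, k "=") == 1 { $0 = k ".old=" substr($0, length(k) + 2) } { print }' "$conf" > "$tmp"
  else
    : > "$tmp"
  fi
  printf '%s=%s\n' "$KEY_PROP" "$newkey" >> "$tmp"
  mv "$tmp" "$conf"
}

# Step 4: re-run encrypt-config. --encrypt-flow-config is passed so the flow
# configuration is re-encrypted under the new key too (the WARNING in the sample
# run above is what you get without it). Only invokes the tool if it is installed.
reencrypt_all() {                       # $1 = minifi home
  tool="$1/bin/encrypt-config"
  if [ -x "$tool" ]; then
    "$tool" --minifi-home "$1" --encrypt-flow-config
  else
    echo "note: $tool not found; run encrypt-config --encrypt-flow-config manually" >&2
  fi
}

# Last step, only after encrypt-config reported success for the properties and the
# flow configuration: drop the ".old" line so the retired key no longer sits on disk.
finish_key_rotation() {                 # $1 = minifi home
  conf="$1/conf/bootstrap.conf"
  awk -v p="$KEY_PROP.old=" 'index($0, p) != 1' "$conf" > "$conf.tmp"
  mv "$conf.tmp" "$conf"
}

# Usage: rotate_key /var/tmp/minifi-home [<new key>]
# then, after checking encrypt-config's output: finish_key_rotation /var/tmp/minifi-home
rotate_key() {                          # $1 = minifi home, $2 = new key (optional)
  prepare_key_rotation "$1" "${2:-}"
  reencrypt_all "$1"
}
```

finish_key_rotation is deliberately kept as a separate, explicit call rather than folded into rotate_key: the page's warning is that deleting the old key before the flow configuration has been re-encrypted makes that file unrecoverable, so the deletion should only happen after the encrypt-config output has been checked.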
Automatic encryption
Specify the property nifi.flow.configuration.encrypt=true in the properties file to have the new flow configuration written to the disk encrypted after a flow update (originating from a C2 server). It requires that you have a conf/bootstrap.conf in your minifi home, containing an encryption key (nifi.bootstrap.sensitive.key). This "master key" is also used on agent startup to decrypt the flow configuration file.