
Minifi comes with a tool which can encrypt sensitive properties in the minifi.properties file.  It is called encrypt-config (encrypt-config.exe on Windows), and it is in the bin directory of the installation, next to the main minifi binary.

The goal of the tool is to prevent accidental exposure of passwords and similar values; it will not stop a determined attacker who can read both files.

Basic usage

If you have a minifi.properties file in your Minifi configuration directory /var/tmp/minifi-home/conf containing the following sensitive properties:

minifi.properties
...
nifi.security.client.pass.phrase=pass_phrase
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
...

you can run the encrypt-config tool like this:

$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home

Generating a new encryption key...
Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
Encrypted property: nifi.security.client.pass.phrase
Encrypted property: nifi.rest.api.password
Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties

which will

  1. Generate a new encryption key
  2. Write this key to the bootstrap.conf file in your configuration directory (it will append/update it if the file exists already, or create a new file otherwise)
  3. Encrypt the sensitive properties using this encryption key
  4. Add a something.protected encryption marker after each encrypted property.

After running the tool, bootstrap.conf will look like this:

bootstrap.conf
nifi.bootstrap.sensitive.key=ECYjbr+6fn+9jjAmJBVBVvc3cYEUxaOm6zmp9iPHSvQ=

and minifi.properties will look like this:

minifi.properties
...
nifi.security.client.pass.phrase=3h77xFO0iLj/km6nS2lg0cg5Fo6ATr5I0c2QCnQZQM2rklVyWAoeN+Brvu9fUj43QcOE
nifi.security.client.pass.phrase.protected=XChaCha20-Poly1305
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=rCu2nQAQNQYekkNEeKDPUpCC+Mhn351WWbeTFpKznFCFeye64AdQsxeM7g/GrllgMedL
nifi.rest.api.password.protected=XChaCha20-Poly1305
...

You should protect the bootstrap.conf file to make sure it is only readable by the user which will run Minifi.

Additional sensitive properties

By default, encrypt-config will encrypt a (short) list of default sensitive properties; if you want more properties to be encrypted, you can add a nifi.sensitive.props.additional.keys setting with a comma-separated list of additional sensitive properties to your minifi.properties file like this:

minifi.properties
...
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
...

before running the encrypt-config tool.  The tool will then encrypt these additional properties, as well.  You can also do this after you have already encrypted some properties; the tool will encrypt the additional properties using the existing encryption key, and it will leave the other, already encrypted, sensitive properties alone.

Modifying sensitive properties

If you later need to modify the value of a sensitive property which was encrypted earlier, you need to:

  1. Replace the encrypted value with the new, unencrypted value
  2. Delete the something.protected=XChaCha20-Poly1305 line which was added by the tool
  3. Re-run the encrypt-config tool.

The tool will then encrypt the modified property using the existing encryption key in bootstrap.conf, and it will leave the other, already encrypted, sensitive properties alone.
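The following is an added example in Python, not code from MiNiFi or from this page, that performs the checks a practitioner would want around the procedures above (Basic usage, Additional sensitive properties and Modifying sensitive properties): it parses minifi.properties and bootstrap.conf text, reports which sensitive properties still lack their .protected marker, checks that nifi.bootstrap.sensitive.key is base64 of the 32-byte size XChaCha20-Poly1305 requires, checks that bootstrap.conf is not group/world readable, and scripts steps 1 and 2 of the modification procedure so that only the re-run of encrypt-config remains. The default sensitive-key list is an assumption built from the two keys the tool's output above confirms (the tool's real built-in list is not on this page); all function names and sample inputs are constructed.

```python
"""Audit helpers for files produced by the MiNiFi encrypt-config tool.
Added example, not part of MiNiFi: reports sensitive properties that are
still plaintext and checks the bootstrap key and file permissions."""
import base64
import os
import stat
import tempfile

# Assumption: only the two keys the tool's output confirms; the real default
# list is built into encrypt-config and may be longer.
DEFAULT_SENSITIVE_KEYS = {"nifi.security.client.pass.phrase", "nifi.rest.api.password"}
ADDITIONAL_KEYS_PROPERTY = "nifi.sensitive.props.additional.keys"
PROTECTED_SUFFIX = ".protected"
EXPECTED_SCHEME = "XChaCha20-Poly1305"
KEY_PROPERTY = "nifi.bootstrap.sensitive.key"
XCHACHA20_KEY_BYTES = 32  # XChaCha20-Poly1305 uses a 256-bit key


def parse_properties(text):
    """Parse key=value lines; blanks, comments and '...' placeholders are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def sensitive_keys(props):
    """Default keys plus those named in nifi.sensitive.props.additional.keys."""
    keys = set(DEFAULT_SENSITIVE_KEYS)
    extra = props.get(ADDITIONAL_KEYS_PROPERTY, "")
    keys.update(k.strip() for k in extra.split(",") if k.strip())
    return keys


def audit_properties(text):
    """Map each sensitive key to 'encrypted', 'plaintext', 'missing' or 'bad-marker'."""
    props = parse_properties(text)
    report = {}
    for key in sorted(sensitive_keys(props)):
        if key not in props:
            report[key] = "missing"       # declared sensitive but never set
            continue
        marker = props.get(key + PROTECTED_SUFFIX)
        if marker is None:
            report[key] = "plaintext"     # encrypt-config has not touched it
        elif marker == EXPECTED_SCHEME:
            report[key] = "encrypted"
        else:
            report[key] = "bad-marker"    # unknown scheme, probably hand-edited
    return report


def check_bootstrap_key(text):
    """True if bootstrap.conf holds a base64 key of the XChaCha20-Poly1305 key size."""
    value = parse_properties(text).get(KEY_PROPERTY)
    if value is None:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:                    # binascii.Error is a ValueError subclass
        return False
    return len(raw) == XCHACHA20_KEY_BYTES


def bootstrap_is_private(path):
    """True if the file grants nothing to group or others (e.g. mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def prepare_for_reencryption(text, key, new_value):
    """Steps 1-2 of 'Modifying sensitive properties': set the new plaintext value
    and drop the key.protected marker line; encrypt-config must then be re-run."""
    out = []
    for raw in text.splitlines():
        name = raw.partition("=")[0].strip()
        if name == key + PROTECTED_SUFFIX:
            continue
        out.append(f"{key}={new_value}" if name == key else raw)
    return "\n".join(out) + "\n"


# Constructed sample: the page's encrypted minifi.properties plus an additional
# key still in plaintext (nifi.rest.api.user.name) and one that is not set at all.
SAMPLE_PROPERTIES = """\
nifi.security.client.pass.phrase=3h77xFO0iLj/km6nS2lg0cg5Fo6ATr5I0c2QCnQZQM2rklVyWAoeN+Brvu9fUj43QcOE
nifi.security.client.pass.phrase.protected=XChaCha20-Poly1305
nifi.rest.api.user.name=admin
nifi.rest.api.password=rCu2nQAQNQYekkNEeKDPUpCC+Mhn351WWbeTFpKznFCFeye64AdQsxeM7g/GrllgMedL
nifi.rest.api.password.protected=XChaCha20-Poly1305
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host
"""
SAMPLE_BOOTSTRAP = "nifi.bootstrap.sensitive.key=ECYjbr+6fn+9jjAmJBVBVvc3cYEUxaOm6zmp9iPHSvQ=\n"

if __name__ == "__main__":
    for key, state in audit_properties(SAMPLE_PROPERTIES).items():
        print(f"{state:10} {key}")
    print("bootstrap key ok:", check_bootstrap_key(SAMPLE_BOOTSTRAP))
    with tempfile.NamedTemporaryFile("w", delete=False) as f:  # stand-in for bootstrap.conf
        f.write(SAMPLE_BOOTSTRAP)
    os.chmod(f.name, 0o600)
    print("bootstrap.conf private:", bootstrap_is_private(f.name))
    os.unlink(f.name)
    print(prepare_for_reencryption(SAMPLE_PROPERTIES, "nifi.rest.api.password", "new-value"))
```

Run it against the real files by reading them into audit_properties and check_bootstrap_key; a "plaintext" or "missing" entry after encrypt-config has run means either the key was not listed in nifi.sensitive.props.additional.keys or the file was edited afterwards, and a False from bootstrap_is_private means the permission step at the end of this page was skipped.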

Generating a new encryption key

If you want to generate a new encryption key, you need to:

  1. Remove the nifi.bootstrap.sensitive.key=... line from bootstrap.conf (if it does not contain anything else, you can delete the file)
  2. Replace all sensitive property values with their original, unencrypted, values
  3. Delete all the something.protected=XChaCha20-Poly1305 lines
  4. Re-run the encrypt-config tool.

Remember to protect the new bootstrap.conf file so it is only readable by the user which will run Minifi.
