Minifi comes with a tool which can encrypt sensitive properties in the `minifi.properties` file. It is called `encrypt-config` (`encrypt-config.exe` on Windows), and it is in the `bin` directory of the installation, next to the main `minifi` binary.

The goal of the tool is to prevent accidental exposure of passwords etc.; it will not stop a determined attacker, because the encryption key is stored in `bootstrap.conf` right next to the encrypted values.
Basic usage
If you have a `minifi.properties` file in your Minifi configuration directory `/var/tmp/minifi-home/conf` containing the following sensitive properties:

```
...
nifi.security.client.pass.phrase=pass_phrase
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
...
```

you can run the `encrypt-config` tool like this:

```
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Generating a new encryption key...
Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
Encrypted property: nifi.security.client.pass.phrase
Encrypted property: nifi.rest.api.password
Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties
```

which will

- Generate a new encryption key
- Write this key to the `bootstrap.conf` file in your configuration directory (it will append/update it if the file exists already, or create a new file otherwise)
- Encrypt the sensitive properties using this encryption key
- Add a `something.protected` encryption marker after each encrypted property.

After running the tool, `bootstrap.conf` will look like this:

```
nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542
```

and `minifi.properties` will look like this:

```
...
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
...
```

You should protect the `bootstrap.conf` file to make sure it is only readable by the user which will run Minifi.
Additional sensitive properties
By default, `encrypt-config` will encrypt a (short) list of default sensitive properties; if you want more properties to be encrypted, you can add a `nifi.sensitive.props.additional.keys` setting with a comma-separated list of additional sensitive properties to your `minifi.properties` file like this:

```
...
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
...
```

before running the `encrypt-config` tool. The tool will then encrypt these additional properties as well. You can also do this after you have already encrypted some properties; the tool will encrypt the additional properties using the existing encryption key, and it will leave the other, already encrypted, sensitive properties alone.
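The two checks an operator wants after running the tool are "which sensitive properties are still in plaintext?" and "is `bootstrap.conf` readable by anyone else?". The script below is an added example, not part of the MiNiFi project or its `encrypt-config` tool. It follows the file layout shown in the sections above (an encrypted property is followed by a `<name>.protected=<cipher>` line, and `nifi.sensitive.props.additional.keys` extends the sensitive list) and approximates the tool's built-in default list with the two properties this page shows being encrypted; the real default list is an assumption here and may be longer.

```python
"""Audit a minifi.properties / bootstrap.conf pair after running encrypt-config.

Added example (not MiNiFi project code). Assumptions: the `.protected` marker
layout from the page, and DEFAULT_SENSITIVE as a stand-in for the tool's real
built-in list.
"""
import os
import stat
import tempfile

# Assumption: the tool's built-in sensitive list, approximated by the two
# properties the page shows being encrypted.
DEFAULT_SENSITIVE = {"nifi.security.client.pass.phrase", "nifi.rest.api.password"}
ADDITIONAL_KEYS = "nifi.sensitive.props.additional.keys"
PROTECTED_SUFFIX = ".protected"


def parse_properties(text):
    """Return key -> value for every `key=value` line, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def sensitive_keys(props):
    """Default sensitive list plus the keys named in the additional-keys setting."""
    extra = props.get(ADDITIONAL_KEYS, "")
    return DEFAULT_SENSITIVE | {k.strip() for k in extra.split(",") if k.strip()}


def audit_properties(text):
    """Classify each sensitive property that is set as 'encrypted' or 'plaintext'.

    A property counts as encrypted only if its `.protected` marker line exists."""
    props = parse_properties(text)
    result = {}
    for key in sorted(sensitive_keys(props)):
        if key not in props:
            continue  # listed as sensitive but not set in this file
        result[key] = "encrypted" if props.get(key + PROTECTED_SUFFIX) else "plaintext"
    return result


def bootstrap_is_private(path):
    """True if the file grants no group/other permission bits (mode 0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_bootstrap(mode):
    """Write a constructed bootstrap.conf (placeholder key) with the given mode; returns its path."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".conf") as f:
        f.write("nifi.bootstrap.sensitive.key=<placeholder-hex-key>\n")
    os.chmod(f.name, mode)
    return f.name


# Constructed sample: the pass phrase already encrypted, the REST password not yet,
# and the additional-keys setting pulling the user name into the sensitive set.
SAMPLE_PROPERTIES = """\
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host
"""

if __name__ == "__main__":
    for key, state in audit_properties(SAMPLE_PROPERTIES).items():
        print(f"{state:9s} {key}")
    for mode in (0o600, 0o644):
        path = write_bootstrap(mode)
        print(f"bootstrap.conf mode {mode:o}: private = {bootstrap_is_private(path)}")
        os.unlink(path)
```

Run it as a script to see the classification of the constructed sample; in real use, feed `audit_properties` the contents of your `minifi.properties` and point `bootstrap_is_private` at the real `bootstrap.conf`. `controller.socket.host` is listed as sensitive in the sample but not set, so it is correctly left out of the report rather than flagged.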
Modifying sensitive properties
If you later need to modify the value of a sensitive property which was encrypted earlier, you need to:

- Replace the encrypted value with the new, unencrypted value
- Delete the `something.protected=XChaCha20-Poly1305` line which was added by the tool
- Re-run the `encrypt-config` tool.

The tool will then encrypt the modified property using the existing encryption key in `bootstrap.conf`, and it will leave the other, already encrypted, sensitive properties alone.
Generating a new encryption key
If you want to generate a new encryption key, you need to:

- Remove the `nifi.bootstrap.sensitive.key=...` line from `bootstrap.conf` (if it does not contain anything else, you can delete the file)
- Replace all sensitive property values with their original, unencrypted, values
- Delete all the `something.protected=XChaCha20-Poly1305` lines
- Re-run the `encrypt-config` tool.

Remember to protect the new `bootstrap.conf` file so it is only readable by the user which will run Minifi.
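Both procedures above (modifying one encrypted property, and preparing the files for a new key) are hand edits of `minifi.properties` and `bootstrap.conf` that are easy to get half right, for example by changing a value but forgetting its `.protected` line, after which the tool sees the marker and leaves the plaintext value in place. The script below is an added example, not MiNiFi project code: it performs exactly those edits and nothing else, so `encrypt-config` still has to be run afterwards. It assumes the line layout shown on this page and removes a `.protected` marker whatever cipher name follows the `=` (the page shows both `xsalsa20poly1305` and `XChaCha20-Poly1305`). For the rekey case it refuses to touch anything unless the caller supplies a plaintext for every encrypted property, because the tool cannot recover a value whose marker was deleted without the plaintext being restored.

```python
"""Prepare minifi.properties / bootstrap.conf for re-running encrypt-config.

Added example (not MiNiFi project code). Assumes the `.protected` marker layout
shown on the page; does no encryption itself.
"""
KEY_LINE_PREFIX = "nifi.bootstrap.sensitive.key="
PROTECTED_SUFFIX = ".protected"


def _key_of(line):
    """Property name on a `key=value` line (empty string for blanks/comments)."""
    return line.partition("=")[0].strip()


def set_plaintext_value(properties_text, name, new_value):
    """'Modifying sensitive properties': write the new plaintext value for `name`
    and drop its `.protected` marker; every other line stays byte-for-byte the same,
    so other encrypted properties are left alone. Raises KeyError if `name` is absent."""
    out, found = [], False
    for line in properties_text.splitlines():
        key = _key_of(line)
        if key == name:
            out.append(f"{name}={new_value}")
            found = True
        elif key == name + PROTECTED_SUFFIX:
            continue  # marker removed so encrypt-config will encrypt the new value
        else:
            out.append(line)
    if not found:
        raise KeyError(f"{name} not found in minifi.properties")
    return "\n".join(out) + "\n"


def encrypted_property_names(properties_text):
    """Names of all properties that currently carry a `.protected` marker."""
    return {
        _key_of(line)[: -len(PROTECTED_SUFFIX)]
        for line in properties_text.splitlines()
        if _key_of(line).endswith(PROTECTED_SUFFIX)
    }


def prepare_for_new_key(properties_text, bootstrap_text, originals):
    """'Generating a new encryption key': remove the key line from bootstrap.conf,
    restore every encrypted property to the plaintext given in `originals`, and
    delete all `.protected` markers. Returns (new_properties, new_bootstrap);
    an empty new_bootstrap means the file can simply be deleted.
    Raises ValueError before changing anything if an original is missing."""
    encrypted = encrypted_property_names(properties_text)
    missing = encrypted - set(originals)
    if missing:
        raise ValueError(f"no plaintext supplied for: {sorted(missing)}")
    new_props = properties_text
    for name in sorted(encrypted):
        new_props = set_plaintext_value(new_props, name, originals[name])
    kept = [l for l in bootstrap_text.splitlines() if not l.startswith(KEY_LINE_PREFIX)]
    new_bootstrap = "\n".join(kept) + ("\n" if kept else "")
    return new_props, new_bootstrap


# Constructed sample in the state the page shows after the first encrypt-config run.
SAMPLE_PROPS = """\
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
"""
SAMPLE_BOOTSTRAP = "nifi.bootstrap.sensitive.key=<placeholder-hex-key>\n"

if __name__ == "__main__":
    print(set_plaintext_value(SAMPLE_PROPS, "nifi.rest.api.password", "new-secret"))
    props, boot = prepare_for_new_key(
        SAMPLE_PROPS, SAMPLE_BOOTSTRAP,
        {"nifi.security.client.pass.phrase": "pass_phrase",
         "nifi.rest.api.password": "password123"},
    )
    print(props)
    print("bootstrap.conf empty, delete it:", boot == "")
```

After writing the returned text back to the files, run `./bin/encrypt-config --minifi-home <your-minifi-home>` as in the basic usage section; with the marker lines gone it will encrypt the restored plaintext values, and in the rekey case it will generate and write a fresh key because `bootstrap.conf` no longer carries one. Protect the new `bootstrap.conf` afterwards exactly as the page says.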