[
https://issues.apache.org/jira/browse/NIFI-2451?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15419785#comment-15419785
]
Andrew Lim commented on NIFI-2451:
----------------------------------
Will add the following to Admin Guide after Encryption Configuration:
Encrypted Passwords in Configuration Files
In order to facilitate the secure setup of NiFi, you can use the encrypt-config
command line utility to encrypt raw configuration values that NiFi decrypts in
memory on startup. This extensible protection scheme transparently allows NiFi
to use raw values in operation, while protecting them at rest. In the future,
hardware security modules (HSM) and external secure storage mechanisms will be
integrated, but for now, an AES encryption provider is the default
implementation.
This is a change in behavior; prior to 1.0, all configuration values were
stored in plaintext on the file system. POSIX file permissions were recommended
to limit unauthorized access to these files.
If no administrator action is taken, the configuration values remain
unencrypted.
Encrypt-Config Tool
The encrypt-config command line tool reads from a nifi.properties file with
plaintext sensitive configuration values, prompts you for a master key, and
encrypts each value. It replaces the plain values with the protected value in
the same file, or writes to a new nifi.properties file if specified.
The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is
used if JCE Unlimited Strength Crypto Policy is not installed, and 256-bit is
used if it is installed.
You can use the following command line options with the encrypt-config tool:
-b (or --bootstrapConf) Specifies the bootstrap.conf file you want to use to
persist the master key.
-h (or --help) Prints this usage message.
-k (or --hexKey) The raw hexadecimal key to use to encrypt the sensitive
properties. Must be a 32- or 64-character hexadecimal string. Some basic error
handling is performed if the string is not formatted properly.
-n (or --niFiProperties) The nifi.properties file containing unprotected
config values. The input nifi.properties file is overwritten.
-o (or --outputNiFiProperties) The destination nifi.properties file containing
protected config values. The input nifi.properties file is not modified.
As an example of how the tool works, assume that you have installed the tool on
a machine supporting 256-bit encryption and with the following existing values
in the nifi.properties file:
# security properties #
nifi.sensitive.props.key=thisIsABadSensitiveKeyPassword
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=thisIsABadKeystorePassword
nifi.security.keyPasswd=thisIsABadKeyPassword
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
Enter the following arguments when using the tool:
encrypt-config.sh
-b bootstrap.conf
-k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
-n nifi.properties
As a result, the nifi.properties file is overwritten with protected properties
and sibling encryption identifiers (aes/gcm/256, the currently supported
algorithm):
# security properties #
nifi.sensitive.props.key=n2z+tTTbHuZ4V4V2||uWhdasyDXD4ZG2lMAes/vqh6u4vaz4xgL4aEbF4Y/dXevqk3ulRcOwf1vc4RDQ==
nifi.sensitive.props.key.protected=aes/gcm/256
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=
nifi.security.keystore=/path/to/keystore.jks
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=oBjT92hIGRElIGOh||MZ6uYuWNBrOA6usq/Jt3DaD2e4otNirZDytac/w/KFe0HOkrJR03vcbo
nifi.security.keystorePasswd.protected=aes/gcm/256
nifi.security.keyPasswd=ac/BaE35SL/esLiJ||+ULRvRLYdIDA2VqpE0eQXDEMjaLBMG2kbKOdOwBk/hGebDKlVg==
nifi.security.keyPasswd.protected=aes/gcm/256
nifi.security.truststore=
nifi.security.truststoreType=
nifi.security.truststorePasswd=
Additionally, the bootstrap.conf file is updated with the encryption key as
follows:
# Master key in hexadecimal format for encrypted sensitive configuration values
nifi.bootstrap.sensitive.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
Sensitive configuration values are encrypted by the tool by default; however,
you can encrypt any additional properties, if desired. To encrypt additional
properties, specify them as comma-separated values in the
nifi.sensitive.props.additional.keys property.
If the nifi.properties file already has valid protected values, those property
values are not modified by the tool.
> Need to update Encryption Configuration content in Admin guide for 1.0 changes
> ------------------------------------------------------------------------------
>
> Key: NIFI-2451
> URL: https://issues.apache.org/jira/browse/NIFI-2451
> Project: Apache NiFi
> Issue Type: Bug
> Components: Documentation & Website
> Affects Versions: 1.0.0
> Reporter: Andrew Lim
> Assignee: Andrew Lim
> Fix For: 1.0.0
>
>
> Will need to document changes in Admin Guide for:
> NIFI-1831 for Encryption Configuration
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
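The encrypt-config behaviour and protected-value layout described in Andrew Lim's comment above, as an added example that is not part of the comment, of the Admin Guide text, or of the NiFi toolkit: a Go program (not NiFi's own Java implementation) that applies the same transformation to a constructed nifi.properties excerpt and then performs the check an operator wants before restarting NiFi, namely that every property carrying a .protected marker decrypts under the master key that the tool writes to bootstrap.conf. The value layout it uses is inferred from the sample output in the comment and is an assumption: a base64-encoded 12-byte GCM IV, the || separator, then base64 ciphertext with the 16-byte authentication tag appended, and no associated data. The function names (loadKey, protect, unprotect, index, protectProps, verifyProps), the sample excerpt and the sample key are mine; the key is the one shown in the comment and must never be used on a real system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed excerpt mirroring the page's sample, with the master key the page shows (not a real deployment).
const sampleKey = "0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210"
const sampleProps = "# security properties #\nnifi.sensitive.props.key=thisIsABadSensitiveKeyPassword\nnifi.sensitive.props.additional.keys=\n" +
	"nifi.security.keystorePasswd=thisIsABadKeystorePassword\nnifi.security.keyPasswd=thisIsABadKeyPassword\nnifi.security.truststorePasswd="

// loadKey parses the hex master key: 32 hex chars = AES-128, 64 = AES-256 (the page's two sizes).
func loadKey(hexKey string) (cipher.AEAD, string, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || (len(key) != 16 && len(key) != 32) {
		return nil, "", fmt.Errorf("key must be 32 or 64 hex chars: %q", hexKey)
	}
	block, _ := aes.NewCipher(key) // key length already validated
	gcm, _ := cipher.NewGCM(block)
	return gcm, fmt.Sprintf("aes/gcm/%d", len(key)*8), nil
}

// protect: layout inferred from the page's samples (assumed): base64(12-byte IV) "||" base64(ciphertext + 16-byte GCM tag), no AAD.
func protect(gcm cipher.AEAD, plaintext []byte) (string, error) {
	iv := make([]byte, gcm.NonceSize()) // fresh random IV per value; never reuse one under a key
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(iv) + "||" + base64.StdEncoding.EncodeToString(gcm.Seal(nil, iv, plaintext, nil)), nil
}

func unprotect(gcm cipher.AEAD, value string) ([]byte, error) { // reverses protect
	parts := append(strings.SplitN(value, "||", 2), "")
	iv, errIV := base64.StdEncoding.DecodeString(parts[0])
	ct, errCT := base64.StdEncoding.DecodeString(parts[1])
	if errIV != nil || errCT != nil || len(iv) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed protected value %q", value)
	}
	return gcm.Open(nil, iv, ct, nil) // a wrong key or an altered value fails the tag check here
}

func index(text string) map[string]string { // key -> value for every key=value line; comments and blanks skipped
	m := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), "="); ok && !strings.HasPrefix(k, "#") {
			m[k] = v
		}
	}
	return m
}

// protectProps mimics "encrypt-config -n": each non-empty sensitive value (the page's defaults plus
// nifi.sensitive.props.additional.keys) becomes ciphertext plus a sibling ".protected" marker; comments and already-protected values are left as they are.
func protectProps(text, hexKey string) (string, error) {
	gcm, scheme, err := loadKey(hexKey)
	if err != nil {
		return "", err
	}
	have := index(text)
	sensitive := "," + have["nifi.sensitive.props.additional.keys"] + ",nifi.sensitive.props.key," +
		"nifi.security.keystorePasswd,nifi.security.keyPasswd,nifi.security.truststorePasswd,"
	var out []string
	for _, line := range strings.Split(text, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(line), "=")
		if ok && v != "" && strings.Contains(sensitive, ","+k+",") && have[k+".protected"] == "" {
			if v, err = protect(gcm, []byte(v)); err != nil {
				return "", err
			}
			line = k + "=" + v + "\n" + k + ".protected=" + scheme
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n"), nil
}

// verifyProps is the check to run before restarting NiFi: every ".protected" marker must name the scheme the key supports and its value must decrypt.
func verifyProps(text, hexKey string) (map[string]string, error) {
	gcm, scheme, err := loadKey(hexKey)
	if err != nil {
		return nil, err
	}
	have, plain := index(text), map[string]string{}
	for k, v := range have {
		if name := strings.TrimSuffix(k, ".protected"); name != k {
			pt, err := unprotect(gcm, have[name])
			if err != nil || v != scheme {
				return nil, fmt.Errorf("%s: marker %s, error %v", name, v, err)
			}
			plain[name] = string(pt)
		}
	}
	return plain, nil
}
```

protectProps(sampleProps, sampleKey) returns the protected file text with the sibling .protected markers and the empty truststore values left untouched; running it again on its own output changes nothing, which is the "already has valid protected values" behaviour the comment describes, and a key listed in nifi.sensitive.props.additional.keys is picked up exactly like the defaults. verifyProps on that output returns the three recovered plaintexts and fails under any other key, because GCM's tag check rejects the ciphertext rather than returning garbage.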