[ 
https://issues.apache.org/jira/browse/NIFI-8447?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17333443#comment-17333443
 ] 

Joey Frazee commented on NIFI-8447:
-----------------------------------

[~jgresock] I have a minor worry that the top-level properties of uri and 
transit key are implementation specific and the naming could be confusing.

Sure, most of it will be externalized in another properties file but at some 
point this should work with AWS KMS, Azure KeyVault, GCP CMEK (?), or even a 
custom provider so I think it'd be useful to use provider-specific naming 
where applicable.

I also think it's important to be thinking towards having a 
nifi.sensitive.props.vault.implementation=MyVaultImplementation as custom 
vaults are not uncommon. (Also should help with testing.)

Thoughts?

> Add Vault encryption as an option in the Encrypt Tool
> -----------------------------------------------------
>
>                 Key: NIFI-8447
>                 URL: https://issues.apache.org/jira/browse/NIFI-8447
>             Project: Apache NiFi
>          Issue Type: Sub-task
>            Reporter: Joseph Gresock
>            Priority: Minor
>
> Using the StandardVaultCommunicationService, add options to the Encrypt Tool 
> in nifi-toolkit for the following:
>  # Select encryption method (aes/gcm vs. vault)
>  # Select vault configuration (recommended as a 
> vault-configuration.properties file, since there are so many configuration 
> properties).  Vault configuration properties include: 
> {code}
> nifi.sensitive.props.vault.uri=
> nifi.sensitive.props.vault.transit.key=
> nifi.sensitive.props.vault.auth.properties.file=
> # Optional TLS options if addr is https
> nifi.security.keystore=
> nifi.security.keystoreType=
> nifi.security.keystorePasswd=
> nifi.security.keyPasswd=
> nifi.security.truststore=
> nifi.security.truststoreType=
> nifi.security.truststorePasswd=
> {code}
> Selecting vault encryption method should set the encryption value in XML 
> files or the *.protected property in properties files to "vault/[transitKey]".
> A transitKey represents a distinct Vault configuration of encryption settings.
> Additionally, the corresponding nifi.sensitive.props.vault.* properties 
> should be configured in the resulting nifi.properties file so that the NiFi 
> instance can use the same Vault configuration.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)