gresockj commented on a change in pull request #5154:
URL: https://github.com/apache/nifi/pull/5154#discussion_r654826401



##########
File path: nifi-docs/src/main/asciidoc/toolkit-guide.adoc
##########
@@ -466,6 +470,40 @@ The following are available options when targeting NiFi 
Registry using the `--ni
  * `-I`,`--outputIdentityProvidersXml <file>`    The destination 
_identity-providers.xml_ file containing protected config values.
  * `--decrypt`                                    Can be used with `-r` to 
decrypt a previously encrypted NiFi Registry Properties file. Decrypted content 
is printed to STDOUT.
 
+=== Protection Schemes
+The protection scheme can be selected during encryption using the 
`--protectionScheme` flag.  During migration, the former protection scheme is 
specified using the `--oldProtectionScheme` flag.  This distinction allows a 
set of protected configuration files to be migrated not only to a new key, but 
to a completely different protection scheme.
+
+==== AES_GCM
+The default protection scheme, `AES-G/CM` simply encrypts sensitive properties 
and marks their protection as either `aes/gcm/256` or `aes/gcm/256` as 
appropriate.  This protection is all done within NiFi itself.
+
+==== HASHICORP_VAULT_TRANSIT
+This protection scheme uses HashiCorp Vault's Transit Secrets Engine 
(https://www.vaultproject.io/docs/secrets/transit) to outsource encryption to a 
configured Vault server. All HashiCorp Vault configuration is stored in the 
`bootstrap-hashicorp-vault.conf` file, as referenced in the `bootstrap.conf` of 
a NiFi or NiFi Registry instance.  Therefore, when using the 
HASHICORP_VAULT_TRANSIT protection scheme, the 
`nifi(.registry)?.bootstrap.protection.hashicorp.vault.conf` property in the 
`bootstrap.conf` specified using the `-b` flag must be available to the Encrypt 
Configuration Tool and must be configured as follows:
+
+===== Required properties
+[options="header,footer"]
+|===
+|Property Name|Description|Default
+|`vault.uri`|The HashiCorp Vault URI (e.g., `https://vault-server:8200`).  If 
not set, this provider will be disabled.|_none_
+|`vault.authPropertiesFilename`|Filename of a properties file containing Vault 
authentication properties.  See the `Authentication-specific property keys` 
section of 
https://docs.spring.io/spring-vault/docs/2.3.x/reference/html/#vault.core.environment-vault-configuration";
 for all authentication property keys. If not set, this provider will be 
disabled.|_none_
+|`vault.transit.path`|The HashiCorp Vault `path` specifying the Transit 
Secrets Engine (e.g., `nifi-transit`).  Valid characters include alphanumeric, 
dash, and underscore.|_none_
+|===
+
+===== Optional properties
+[options="header,footer"]
+|===
+|Property Name|Description|Default
+|`vault.connection.timeout`|The connection timeout of the Vault client|`5 secs`
+|`vault.read.timeout`|The read timeout of the Vault client|`15 secs`
+|`vault.ssl.enabledCipherSuites`|A comma-separated list of the enabled TLS 
cipher suites|_none_
+|`vault.ssl.enabledProtocols`|A comma-separated list of the enabled TLS 
protocols|_none_
+|`vault.ssl.key-store`|Path to a keystore.  Required if the Vault server is 
TLS-enabled|_none_
+|`vault.ssl.key-store-type`|Keystore type (JKS or PKCS12).  Required if the 
Vault server is TLS-enabled|_none_

Review comment:
       Actually I think it can be supported.



