[ https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andy LoPresto updated NIFI-3045: -------------------------------- Affects Version/s: 1.0.0 > Usage of -k undermines encrypted configuration > ---------------------------------------------- > > Key: NIFI-3045 > URL: https://issues.apache.org/jira/browse/NIFI-3045 > Project: Apache NiFi > Issue Type: Bug > Components: Configuration > Affects Versions: 1.0.0 > Reporter: Anders Breindahl > Labels: bootstrap, configuration, encryption, security > Attachments: 2016-11-16_dash-ks-extraction.png, > extract-dash-ks-from-process-list.xml > > > Hey, > When setting up a hardened NiFi installation I ran into this. I hope I'm > mistaken. > When running the `encrypt-config.sh` script, one has a > `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The > service startup script makes this be passed from `RunNifi` to`NiFi` by a `-k` > parameter. > This however can be retrieved by any user of the interface -- which, combined > with NiFi being able to read from (the > encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means > that e.g. the `nifi.security.keystorePasswd` property can be decrypted > offline. > Does this have anything to it? -- This message was sent by Atlassian JIRA (v6.3.4#6332)