[
https://issues.apache.org/jira/browse/NIFI-12501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17795422#comment-17795422
]
Ferenc Erdei commented on NIFI-12501:
-------------------------------------
Thanks [~szaszm], this story is about encrypting the property files (so for
example keystore/truststore passwords in the property files), not the flow.
There was a separate story for the flow description and it works similarly to
what you've just described.
[~exceptionfactory], the MiNiFi version of the toolkit will use the very same
logic but on the same property file.
* It will support only AES/GCM 128/256-bit algorithm
* in the bootstrap.conf path is a mandatory parameter
* optional output bootstrap conf path
* hash / password is needed to encrypt the properties
# The logic is to call the very same bootstrap transformer as you have in the NiFi
toolkit, to add (override) the root key to the bootstrap file if it doesn't
contain it
# Call the ApplicationPropertiesFileTransformer on the same file with
AesGcmSensitivePropertyProvider
Migration from an old key to a new root key works without extra parameters. It
is read from the old bootstrap.conf if it exists.
> [MiNiFi] Encrypt MiNiFi bootstrap.conf properties
> -------------------------------------------------
>
> Key: NIFI-12501
> URL: https://issues.apache.org/jira/browse/NIFI-12501
> Project: Apache NiFi
> Issue Type: Improvement
> Components: MiNiFi
> Reporter: Ferenc Erdei
> Assignee: Ferenc Erdei
> Priority: Major
> Labels: minifi-java
>
> Currently, there is no way to encrypt sensitive properties in bootstrap.conf
> and in the generated minifi.properties file.
> The goal of this story is to make it possible to encrypt sensitive property
> values in the bootstrap configuration file, and the generated
> minifi.properties file also should contain only encrypted values.
> * The supported encryption provider should be AES/GCM.
> * The encryption key can be defined in the minifi.bootstrap.sensitive.key
> property
> * We should provide a tool (minifi-toolkit-encrypt-config) to encrypt the
> bootstrap.conf properties; we can use the nifi-toolkit-encrypt-config as
> inspiration
> Make sure that the solution works with change ingestors and c2 protocol as
> well
--
This message was sent by Atlassian Jira
(v8.20.10#820010)