[jira] [Commented] (NIFI-12501) [MiNiFi] Encrypt MiNiFi bootstrap.conf properties

Mon, 11 Dec 2023 08:28:05 -0800 


    [ 
https://issues.apache.org/jira/browse/NIFI-12501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17795430#comment-17795430
 ] 

David Handermann commented on NIFI-12501:
-----------------------------------------

Thanks for the reply [~ferdei]. Regarding the items you listed:

If you are leveraging the existing nifi-property-protection-cipher module, then 
supporting both sizes is fine as it is already implemented. If there are any 
new implementations, then simply restricting the supported options to AES-GCM 
256 would be better and more straightforward.

Regarding the key or password option, it is a bit confusing in the current 
implementation. I recommend only supporting one option or the other. In other 
words, it should require either a key, or a password from which to derive a 
key. The key derivation function in the existing command uses the scrypt 
algorithm, which is good, but it is only additional layer of complexity. It 
would be simpler to require a key of an exact size. Even better, using Java 
SecureRandom to generate a key without any user input seems like the best 
approach, and avoids some of the complexity of the existing implementation.


> [MiNiFi] Encrypt MiNiFi bootstrap.conf properties
> -------------------------------------------------
>
>                 Key: NIFI-12501
>                 URL: https://issues.apache.org/jira/browse/NIFI-12501
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: MiNiFi
>            Reporter: Ferenc Erdei
>            Assignee: Ferenc Erdei
>            Priority: Major
>              Labels: minifi-java
>
> Currently, there is no way to encrypt sensitive properties in bootstrap.conf 
> and in the generated minifi.properties file.
> The goal of this story is to make it possible to encrypt sensitive property 
> values in the bootstrap configuration file, and the generated 
> minifi.properties file also should contain only encrypted values.
>  * The supported encryption provider should be AES/GCM.
>  * The encryption key can be defined in the minifi.bootstrap.sensitive.key 
> property
>  * We should provide a tool(minifi-toolkit-encrypt-config) to encrypt the 
> bootstrap.conf properties, we can use the nifi-toolkit-encrypt-config as an 
> inspiration
> Make sure that the solution works with change ingestors and c2 protocol as 
> well



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to