[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

2016-11-17 Thread Anders Breindahl (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anders Breindahl updated NIFI-3045:
---
Description: 
Hey,

When setting up a hardened NiFi installation I ran into this. I hope I'm 
mistaken.

When running the {{encrypt-config.sh}} script, one has a 
{{nifi.bootstrap.sensitive.key}} string configured in {{bootstrap.conf}}. The 
service startup script makes this be passed from {{RunNifi}} to {{NiFi}} by a 
{{-k}} parameter.

This however can be retrieved by any user of the interface -- which, combined 
with NiFi being able to read from (the 
encrypted-under-{{nifi.bootstrap.sensitive.key}}) {{nifi.properties}} file 
means that e.g. the {{nifi.security.keystorePasswd}} property can be decrypted 
offline.

Does this have anything to it?

  was:
Hey,

When setting up a hardened NiFi installation I ran into this. I hope I'm 
mistaken.

When running the `encrypt-config.sh` script, one has a 
`nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
parameter.

This however can be retrieved by any user of the interface -- which, combined 
with NiFi being able to read from (the 
encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
that e.g. the `nifi.security.keystorePasswd` property can be decrypted offline.

Does this have anything to it?


> Usage of -k undermines encrypted configuration
> --
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 1.0.0
> Reporter: Anders Breindahl
> Labels: bootstrap, configuration, encryption, security
> Attachments: 2016-11-16_dash-ks-extraction.png, extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm 
> mistaken.
> When running the {{encrypt-config.sh}} script, one has a 
> {{nifi.bootstrap.sensitive.key}} string configured in {{bootstrap.conf}}. The 
> service startup script makes this be passed from {{RunNifi}} to {{NiFi}} by a 
> {{-k}} parameter.
> This however can be retrieved by any user of the interface -- which, combined 
> with NiFi being able to read from (the 
> encrypted-under-{{nifi.bootstrap.sensitive.key}}) {{nifi.properties}} file 
> means that e.g. the {{nifi.security.keystorePasswd}} property can be 
> decrypted offline.
> Does this have anything to it?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
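
An added example, not part of the original JIRA messages or of NiFi's own code: a defender-side audit for the exposure the report describes, which checks whether a running NiFi JVM carries the bootstrap key as a `-k` argument and reports only the key's length. The function names, the `.NiFi` main-class match and the sample command line are assumptions made for illustration.

```python
"""Audit helper: detect a NiFi bootstrap key exposed as a `-k` process argument."""
import os
from typing import List, Optional


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline blob (NUL-separated) into arguments."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def find_exposed_key(argv: List[str]) -> Optional[dict]:
    """Return a redacted finding if argv runs the NiFi main class with -k <value>."""
    # Assumption: the main class token is "NiFi" or ends in ".NiFi".
    idx = next((i for i, a in enumerate(argv)
                if a == "NiFi" or a.endswith(".NiFi")), None)
    if idx is None:
        return None
    app_args = argv[idx + 1:]
    # Stop one short of the end: a trailing -k with no value is not a finding.
    for i, arg in enumerate(app_args[:-1]):
        if arg == "-k":
            # Never echo the key itself; report only its length.
            return {"flag": "-k", "key_length": len(app_args[i + 1])}
    return None


def scan_proc(proc_root: str = "/proc") -> List[dict]:
    """Check every process visible to the calling user under proc_root."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                hit = find_exposed_key(parse_cmdline(fh.read()))
        except OSError:
            continue  # process exited or is not readable by this user
        if hit:
            findings.append({"pid": int(entry), **hit})
    return findings


# Constructed sample: not a real key and not a captured process list.
SAMPLE = (b"java\0-classpath\0/opt/nifi/lib/*\0org.apache.nifi.NiFi\0-k\0"
          + b"0123456789ABCDEF" * 2 + b"\0")

if __name__ == "__main__":
    print(find_exposed_key(parse_cmdline(SAMPLE)))
    print(scan_proc())
```
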


[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

2016-11-16 Thread Andy LoPresto (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andy LoPresto updated NIFI-3045:

Labels: bootstrap configuration encryption security  (was: )

> Usage of -k undermines encrypted configuration
> --
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 1.0.0
> Reporter: Anders Breindahl
> Labels: bootstrap, configuration, encryption, security
> Attachments: 2016-11-16_dash-ks-extraction.png, extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm 
> mistaken.
> When running the `encrypt-config.sh` script, one has a 
> `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
> service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
> parameter.
> This however can be retrieved by any user of the interface -- which, combined 
> with NiFi being able to read from (the 
> encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
> that e.g. the `nifi.security.keystorePasswd` property can be decrypted 
> offline.
> Does this have anything to it?





[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

2016-11-16 Thread Andy LoPresto (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andy LoPresto updated NIFI-3045:

Affects Version/s: 1.0.0

> Usage of -k undermines encrypted configuration
> --
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 1.0.0
> Reporter: Anders Breindahl
> Labels: bootstrap, configuration, encryption, security
> Attachments: 2016-11-16_dash-ks-extraction.png, extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm 
> mistaken.
> When running the `encrypt-config.sh` script, one has a 
> `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
> service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
> parameter.
> This however can be retrieved by any user of the interface -- which, combined 
> with NiFi being able to read from (the 
> encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
> that e.g. the `nifi.security.keystorePasswd` property can be decrypted 
> offline.
> Does this have anything to it?





[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

2016-11-16 Thread Andy LoPresto (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andy LoPresto updated NIFI-3045:

Component/s: Configuration

> Usage of -k undermines encrypted configuration
> --
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Components: Configuration
> Affects Versions: 1.0.0
> Reporter: Anders Breindahl
> Labels: bootstrap, configuration, encryption, security
> Attachments: 2016-11-16_dash-ks-extraction.png, extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm 
> mistaken.
> When running the `encrypt-config.sh` script, one has a 
> `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
> service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
> parameter.
> This however can be retrieved by any user of the interface -- which, combined 
> with NiFi being able to read from (the 
> encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
> that e.g. the `nifi.security.keystorePasswd` property can be decrypted 
> offline.
> Does this have anything to it?





[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

2016-11-16 Thread Andy LoPresto (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andy LoPresto updated NIFI-3045:

Description: 
Hey,

When setting up a hardened NiFi installation I ran into this. I hope I'm 
mistaken.

When running the `encrypt-config.sh` script, one has a 
`nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
parameter.

This however can be retrieved by any user of the interface -- which, combined 
with NiFi being able to read from (the 
encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
that e.g. the `nifi.security.keystorePasswd` property can be decrypted offline.

Does this have anything to it?

  was:
Hey,

When setting up a hardened NiFi installation I ran into this. I hope I'm 
mistaken.

When running the `encrypt-config.sh` script, one has a 
`nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
parameter.

This however can be retrieved by any user of the interface---which, combined 
with NiFi being able to read from (the 
encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
that e.g. the `nifi.security.keystorePasswd` property can be decrypted offline.

Does this have anything to it?


> Usage of -k undermines encrypted configuration
> --
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Anders Breindahl
> Attachments: 2016-11-16_dash-ks-extraction.png, extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm 
> mistaken.
> When running the `encrypt-config.sh` script, one has a 
> `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
> service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
> parameter.
> This however can be retrieved by any user of the interface -- which, combined 
> with NiFi being able to read from (the 
> encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
> that e.g. the `nifi.security.keystorePasswd` property can be decrypted 
> offline.
> Does this have anything to it?





[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

2016-11-16 Thread Anders Breindahl (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anders Breindahl updated NIFI-3045:
---
Attachment: extract-dash-ks-from-process-list.xml

Simple template listing the process list of the local system.

> Usage of -k undermines encrypted configuration
> --
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Anders Breindahl
> Attachments: extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm 
> mistaken.
> When running the `encrypt-config.sh` script, one has a 
> `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
> service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
> parameter.
> This however can be retrieved by any user of the interface---which, combined 
> with NiFi being able to read from (the 
> encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
> that e.g. the `nifi.security.keystorePasswd` property can be decrypted 
> offline.
> Does this have anything to it?





[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

2016-11-16 Thread Anders Breindahl (JIRA)

 [ 
https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Anders Breindahl updated NIFI-3045:
---
Attachment: 2016-11-16_dash-ks-extraction.png

Attached: screenshot of the same.

> Usage of -k undermines encrypted configuration
> --
>
> Key: NIFI-3045
> URL: https://issues.apache.org/jira/browse/NIFI-3045
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Anders Breindahl
> Attachments: 2016-11-16_dash-ks-extraction.png, extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm 
> mistaken.
> When running the `encrypt-config.sh` script, one has a 
> `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The 
> service startup script makes this be passed from `RunNifi` to `NiFi` by a `-k` 
> parameter.
> This however can be retrieved by any user of the interface---which, combined 
> with NiFi being able to read from (the 
> encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means 
> that e.g. the `nifi.security.keystorePasswd` property can be decrypted 
> offline.
> Does this have anything to it?


