This is an automated email from the ASF dual-hosted git repository. kdoran pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi-registry.git
The following commit(s) were added to refs/heads/main by this push: new e6bff3d NIFIREG-427 Updated references to root key instead of master key in Admin Guide e6bff3d is described below commit e6bff3dc5929a17ce7da1acdb16ff82d7439dfbc Author: Andrew Lim <andrewlim.apa...@gmail.com> AuthorDate: Fri Oct 23 15:52:31 2020 -0400 NIFIREG-427 Updated references to root key instead of master key in Admin Guide --- .../src/main/asciidoc/administration-guide.adoc | 40 +++++++++++----------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc b/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc index 2510058..0276693 100644 --- a/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc +++ b/nifi-registry-core/nifi-registry-docs/src/main/asciidoc/administration-guide.adoc 
@@ -746,21 +746,21 @@ The `encrypt-config` command line tool can be used to encrypt NiFi Registry conf You can use the following command line options with the `encrypt-config` tool: - * `-h`,`--help` Show usage information (this message) - * `-v`,`--verbose` Enables verbose mode (off by default) - * `-p`,`--password <password>` Protect the files using a password-derived key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the password. - * `-k`,`--key <keyhex>` Protect the files using a raw hexadecimal key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the key. - * `--oldPassword <password>` If the input files are already protected using a password-derived key, this specifies the old password so that the files can be unprotected before re-protecting. - * `--oldKey <keyhex>` If the input files are already protected using a key, this specifies the raw hexadecimal key so that the files can be unprotected before re-protecting. - * `-b`,`--bootstrapConf <file>` The _bootstrap.conf_ file containing no master key or an existing master key. If a new password/key is specified and no output bootstrap.conf file is specified, then this file will be overwritten to persist the new master key. - * `-B`,`--outputBootstrapConf <file>` The destination _bootstrap.conf_ file to persist master key. If specified, the input _bootstrap.conf_ will not be modified. - * `-r`,`--nifiRegistryProperties <file>` The _nifi-registry.properties_ file containing unprotected config values, overwritten if no output file specified. - * `-R`,`--outputNifiRegistryProperties <file>` The destination _nifi-registry.properties_ file containing protected config values. - * `-a`,`--authorizersXml <file>` The _authorizers.xml_ file containing unprotected config values, overwritten if no output file specified. 
- * `-A`,`--outputAuthorizersXml <file>` The destination _authorizers.xml_ file containing protected config values. - * `-i`,`--identityProvidersXml <file>` The _identity-providers.xml_ file containing unprotected config values, overwritten if no output file specified. - * `-I`,`--outputIdentityProvidersXml <file>` The destination _identity-providers.xml_ file containing protected config values. - +* `-h`,`--help` Show usage information (this message) +* `-v`,`--verbose` Sets verbose mode (default false) +* `-p`,`--password <password>` Protect the files using a password-derived key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the password. +* `-k`,`--key <keyhex>` Protect the files using a raw hexadecimal key. If an argument is not provided to this flag, interactive mode will be triggered to prompt the user to enter the key. +* `--oldPassword <password>` If the input files are already protected using a password-derived key, this specifies the old password so that the files can be unprotected before re-protecting. +* `--oldKey <keyhex>` If the input files are already protected using a key, this specifies the raw hexadecimal key so that the files can be unprotected before re-protecting. +* `-b`,`--bootstrapConf <file>` The _bootstrap.conf_ file containing no root key or an existing root key. If a new password or key is specified (using `-p` or `-k`) and no output _bootstrap.conf_ file is specified, then this file will be overwritten to persist the new root key. +* `-B`,`--outputBootstrapConf <file>` The destination _bootstrap.conf_ file to persist root key. If specified, the input _bootstrap.conf_ will not be modified. +* `-r`,`--nifiRegistryProperties <file>` The _nifi-registry.properties_ file containing unprotected config values, overwritten if no output file specified. +* `-R`,`--outputNifiRegistryProperties <file>` The destination _nifi-registry.properties_ file containing protected config values. 
+* `-a`,`--authorizersXml <file>` The _authorizers.xml_ file containing unprotected config values, overwritten if no output file specified. +* `-A`,`--outputAuthorizersXml <file>` The destination _authorizers.xml_ file containing protected config values. +* `-i`,`--identityProvidersXml <file>` The _identity-providers.xml_ file containing unprotected config values, overwritten if no output file specified. +* `-I`,`--outputIdentityProvidersXml <file>` The destination _identity-providers.xml_ file containing protected config values. +* `--decrypt` Can be used with `-r` to decrypt a previously encrypted NiFi Registry Properties file. Decrypted content is printed to STDOUT. As an example of how the tool works, assume that you have installed the tool on a machine supporting 256-bit encryption and with the following existing values in the _nifi-registry.properties_ file: @@ -778,7 +778,7 @@ nifi.registry.security.truststorePasswd= Enter the following arguments when using the tool: ---- -./bin/encrypt-config.sh nifi-registry \ +./bin/encrypt-config.sh --nifiRegistry \ -b bootstrap.conf \ -k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 \ -r nifi-registry.properties @@ -819,7 +819,7 @@ When applied to _identity-providers.xml_ or _authorizers.xml_, the property elem Additionally, the _bootstrap.conf_ file is updated with the encryption key as follows: ---- -# Master key in hexadecimal format for encrypted sensitive configuration values +# Root key in hexadecimal format for encrypted sensitive configuration values nifi.registry.bootstrap.sensitive.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 ---- 
@@ -828,16 +828,16 @@ To encrypt additional properties, specify them as comma-separated values in the If the _nifi-registry.properties_ file already has valid protected values and you wish to protect additional values using the -same master key already present in your _bootstrap.conf_, then run the tool without specifying a new key: +same root key already present in your _bootstrap.conf_, then run the tool without specifying a new key: ---- -# bootstrap.conf already contains master key property +# bootstrap.conf already contains root key property # nifi-registy.properties has been updated for nifi.registry.sensitive.props.additional.keys=... ./bin/encrypt-config.sh --nifiRegistry -b bootstrap.conf -r nifi-registry.properties ---- -[sensistive_property_key_migration] +[sensitive_property_key_migration] === Sensitive Property Key Migration In order to change the key used to encrypt the sensitive values, provide the new key or password using the `-k` or `-p` flags as usual,
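Review bot: in the @@ -746,21 +746,21 @@ hunk, the new `--decrypt` entry says that decrypted content is printed to STDOUT but does not say where the tool takes the root key from when decrypting (the other examples in this section pass it via `-b bootstrap.conf`); state the full set of flags a decrypt run needs, e.g. `./bin/encrypt-config.sh --nifiRegistry -b bootstrap.conf -r nifi-registry.properties --decrypt`, and since the output is plaintext sensitive values, add a sentence that it should be redirected to a protected file rather than left in terminal scrollback. Also, the `-v` text changed from `Enables verbose mode (off by default)` to `Sets verbose mode (default false)`, which reads worse; keep the original wording unless the tool's own help output changed.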
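Review bot: in the @@ -778,7 +778,7 @@ hunk, `./bin/encrypt-config.sh nifi-registry \` becomes `./bin/encrypt-config.sh --nifiRegistry \`, which corrects a previously wrong invocation and is unrelated to the master/root rename the commit message describes; mention it in the commit message (or split it into its own commit) so the behaviour fix is discoverable, and confirm that the later example in the @@ -828 hunk uses the same `--nifiRegistry` form (it does).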
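Review bot: in the @@ -819,7 +819,7 @@ hunk the line `# Root key in hexadecimal format for encrypted sensitive configuration values` is presented as content the tool writes into _bootstrap.conf_ ("the _bootstrap.conf_ file is updated with the encryption key as follows"), so this docs change must match the comment string the `encrypt-config` tool actually emits; if the tool still writes `# Master key ...`, the guide will disagree with real output, and the corresponding code change should land together with this one. The property name `nifi.registry.bootstrap.sensitive.key` is unchanged in the hunk, so existing _bootstrap.conf_ files need no migration for this rename.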
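Review bot: in the @@ -828,16 +828,16 @@ hunk, renaming the anchor `[sensistive_property_key_migration]` to `[sensitive_property_key_migration]` breaks any `<<sensistive_property_key_migration>>` cross-reference elsewhere in the guide or in other docs that link to it; grep for the old id and update those references in the same commit. While touching this block, the unchanged context line `# nifi-registy.properties has been updated for nifi.registry.sensitive.props.additional.keys=...` misspells `nifi-registry.properties`.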