As we learned in the article Apache NiFi Sensitive Properties: All you need to know about how the sensitive properties are stored and how they are encrypted/decrypted. We came to understand that the encryption key is stored in file. This is not a very good and secure setup to have. In this article, we will learn how to secure the encryption key/password in the properties file.

If you are not familiar with the concept of sensitive properties in Apache NiFi, I would suggest going through the previous article Apache NiFi Sensitive Properties: All you need to know

In order to facilitate this secure setup. We can use the same encrypt-config utility from nifi-toolkit in order to encrypt the sensitive keys in properties file. These values will be stored in encrypted form in the properties file and then decrypted in memory on startup/bootstrap.

1. Apache NiFi Toolkit (encrypt-config)

To encrypt files we will use the command line utility which reads the the file then prompts for a master password and finally using this master password encrypt all the sensitive properties in the file. Encrypt utility can wither overwrite the old file with new or can write a completely new file depending on the parameters passed.

2. Using the toolkit and utility

Let us assume we have the file similar to the screenshot below: file before encryption file before encryption

The nifi.sensitive.props.key in the above screenshot have value in plaintext testPassword which is not a very secure way of storing the encryption key in the same file which is used to set all other properties and is accessible by almost everyone.

Execute the following command to encrypt the values in the file: -b /path/to/bootstrap.conf/file -k 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 -n /path/to/

The parameters passed are:

  • -b: Path to the bootstrap.conf file of Apache NiFi
  • -k: Master encryption key which will be used to encrypt and decrypt the strings
  • -n: Path to file
Running utility

Running utility

Note the second last entry (underlined in the screenshot above) which indicate that the sensitive properties are successfully encrypted and the properties file is updated successfully.

Upon successful completion, file will be overwritten with encrypted properties as shown in the screenshot below:

Encrypted NiFi Sensitive Properties

Encrypted NiFi Sensitive Properties

Note: By default, AES/GCM 128/256 bit algorithm is used for encryption, 128 bit will be used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed and 256 bit will be used if installed.

In the screenshot above, the value of nifi.sensitive.props.key is encrypted now and the algorithm used is also mentioned as the value of nifi.sensitive.props.key.protected which is aes/gcm/256 in this case as 256 bit algorithm is available on this system.

Besides this, bootstrap.conf file will also be modified and the master key with which all the sensitive properties are encrypted will be stored in the configuration file as a hexadecimal value as shown in the screenshot below.

bootstrap.conf with master encryption/decryption key

bootstrap.conf with master encryption/decryption key

On startup, master key from bootstrap.conf will be used to first decrypt sensitive value from the properties file into memory for later use. The access to the bootstrap.conf file should be restricted to secure the master password even further.

3. Conclusion

In this article, we looked at one more use of the utility provided as a part of nifi-toolkit. We learnt that file store the encryption key used for securing the sensitive properties in the flows is stored as a plaintext value by default which is not much secure. We also learned how to make it more secure by encrypting the keys/password in nifi.propeties file and how the master key is stored and used for decrypting the Nifi properties on startup.

If you found this article useful and would like to read other Apache NiFi related articles, feel free to go through the following related articles:

For more updates from us, don’t forget to subscribe to the newsletter and follow us on social media.



Enter your email address below to subscribe to our newsletter.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.