question Re: NIFI Sensitive Property doesn't appear to work in v1.4.0? in Archives of Support Questions (Read Only)

NIFI Sensitive Property doesn't appear to work in v1.4.0?

sonnychee — Tue, 06 Mar 2018 10:37:26 GMT

To whom it may concern:

I am attempting to encrypt sensitive processor properties with the following snippet from my nifi.properties file:

nifi.sensitive.props.key=1756eb0b-4eb3-46d6-98a4-a350b46c7459
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=my_secret

I restarted Nifi but the value of the my_secret attribute remains unencrypted in flow.xml.gz. I've modified the value of my_secret several times but it is still saved in cleartext.

Any help with this would be greatly appreciated.

In addition, does anyone know what the value of "BC" means for the

nifi.sensitive.props.provider key? Equivalently, anyone know where I can get a list of default sensitive properties?

Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

MattWho — Tue, 06 Mar 2018 22:59:11 GMT

@Sonny Chee

The "nifi.sensitive.props.additional.keys" property in the nifi.properties file allows you to specify additional properties from the nifi.properties file for encryption. Only processors properties that have been specifically coded as sensitive will be encrypted. Users can not define additional processor properties themselves for encryption.

Sorry that the documentation is a bit confusing on this property.

As far as "BC" goes, it stands for Bouncy Castle.

https://www.bouncycastle.org/

Thank you,

Matt

Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

sonnychee — Wed, 07 Mar 2018 00:49:44 GMT

Thanks for the detailed response, @Matt Clarke.

In addition to flow.xml.gz, can I assume that sensitive properties will be encrypted in all locations (logs, repositories)?

Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

MattWho — Wed, 07 Mar 2018 01:43:48 GMT

@Sonny Chee

Processor obscure sensitive property values. In addition, those sensitive property values are encrypted when stored in the flow.xml.gz file.

I cannot think of how those sensitive properties would even get in to the nifi logs, flowfile repo, content repo, or provenance repo. Sensitive properties are generally defined for password property fields. They are used in facilitating a connection and can see no reason why they would ever be written to the content or attributes of a FlowFile.

Is this what you were concerned about.

Thanks,

Matt

Tip: Avoid responding to an answer with another answer. Instead just add a comment to the answer you want follow-up on.

Once you find an answer that addresses your original question, please click the "accept" link below the answer.

Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

sonnychee — Wed, 07 Mar 2018 01:53:12 GMT

@Matt Clarke

Yes, my requirement is to encrypt passwords at rest.

I notice that property values also appear in the database_repository/ files as well...

Re: NIFI Sensitive Property doesn't appear to work in v1.4.0?

MattWho — Wed, 07 Mar 2018 03:09:09 GMT

@Sonny Chee

I am assuming you are referring to the H2 Binary DB file nifi-flow-audit.h2.db?

In that case, properties coded as sensitive are not persisted to the H2 database. NiFi writes literally " ******** " to the H2 DB for these sensitive property values.

Thanks,

Matt