Encryption mechanism in NiFi 2.0

New Contributor

Hi,

I read in the release notes that the encrypt-config.sh tool from nifi-toolkit has been removed in NiFi 2.0 due to various considerations (https://issues.apache.org/jira/browse/NIFI-13414). I am wondering, are there any alternatives to this tool? We relied heavily on the encrypt-config.sh tool to encrypt plain-text passwords in nifi.properties, like nifi.sensitive.props.key and nifi.security.keyPasswd. Now with this tool gone, do we just have to accept the fact that plain-text passwords will remain plain-text?

Thanks in advance!!

1 ACCEPTED SOLUTION

Master Mentor

@fs_nifioneks 

Welcome to the community.

The logic behind why the encrypt-config tools were removed in Apache NiFi 2.0 is well explained in the Jira NIFI-13414 you mentioned. I am sure that the Apache community will eventually implement other more robust options for password security.

That being said, Cloudera's Cloudera Flow Management 4.x product line is based off Apache NiFi 2.0, but will still include the encrypt-config utility in its code base to persist the existing password encryption option until more robust options replace it. In addition, Cloudera Flow Management also keeps many (not all) Apache NiFi components, processors and controller services deprecated in the Apache NiFi 2.0 releases, and includes additional components available only through Cloudera for even more dataflow design capability and connection options. Cloudera Flow Management 4.0 is available to our licensed users as a technical preview, but a full production-ready release will be coming in the near future.

You can view the Cloudera Flow Management documentation here for the Tech Preview release:
https://docs.cloudera.com/cfm/4.0.0/index.html

These Tech Preview docs do not provide a component list, but the production-ready release docs will.

Please help our community grow and thrive. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

5 REPLIES 5

Community Manager

@fs_nifioneks Welcome to the Cloudera Community!

To help you get the best possible solution, I have tagged our NiFi experts @mburgess @MattWho, who may be able to assist you further.

Please keep us updated on your post, and we hope you find a satisfactory solution to your query.


Regards,

Diana Torres,
Community Moderator


New Contributor

@DianaTorres thanks for tagging the experts. @mburgess @MattWho any insights would be much appreciated!

Master Collaborator

NiFi will automatically encrypt sensitive properties (e.g., passwords) when you start the application. You can provide the plain-text values in the nifi.properties file, and NiFi will replace them with encrypted values upon startup.

You can verify the same as below.

cd /var/run/cloudera-scm-agent/process/

grep -Er nifi.security.keyPasswd

If you have a property like nifi.security.keyPasswd=myPassword, NiFi will encrypt it and store it in the format:

nifi.security.keyPasswd={aes-256-gcm}encryptedValue

If you found that the provided solution(s) assisted you with your query, please take a moment to login and click Accept as Solution below each response that helped.
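
A way to run the check from the reply above without printing the password itself, as an added example (not code from the thread or from NiFi): it reports only whether each sensitive entry is empty, plaintext, or in the {scheme}value form the reply quotes, and whether the file is readable by every local user. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: report how sensitive nifi.properties entries are stored,
# without echoing their values to the terminal or scrollback.

# First two names come from the thread; truststorePasswd is added here.
SENSITIVE_KEYS='nifi.sensitive.props.key nifi.security.keyPasswd nifi.security.truststorePasswd'

# audit_props FILE -> prints "name status" for each sensitive key found.
# status: empty | wrapped ({scheme}value form quoted in the reply) | plaintext
# Assumes key=value lines, as in a stock nifi.properties.
audit_props() {
  awk -F= -v keys="$SENSITIVE_KEYS" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    /^[ \t]*[#!]/ || index($0, "=") == 0 { next }   # comments, non-assignments
    {
      name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name)
      if (!(name in want)) next
      value = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", value)
      if (value == "")                    status[name] = "empty"
      else if (value ~ /^[{][^}]+[}]./)   status[name] = "wrapped"
      else                                status[name] = "plaintext"
    }
    END { for (i = 1; i <= n; i++) if (k[i] in status) print k[i], status[k[i]] }
  ' "$1"
}

# world_readable FILE -> succeeds if "other" has read permission on FILE.
world_readable() {
  [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Constructed sample file so the example runs offline.
write_sample() {
  cat > "$1" <<'EOF'
# constructed sample values, not a real configuration
nifi.web.https.port=8443
nifi.sensitive.props.key=constructed-sample-key
nifi.security.keyPasswd={aes-256-gcm}constructedCiphertext
nifi.security.truststorePasswd=
EOF
}

sample=$(mktemp) && write_sample "$sample" && chmod 644 "$sample"
audit_props "$sample"
if world_readable "$sample"; then echo "WARN: readable by all local users"; fi
rm -f "$sample"
```

Point audit_props at the nifi.properties path of your own install; "wrapped" describes only the form of the value and does not verify that it can be decrypted.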

New Contributor

@Kartik_Agarwal Thanks a lot for the detailed reply. Unfortunately we are not using Cloudera's product line to run NiFi. But like Matt mentioned below, so far this seems like the only viable option to achieve encryption in config files, until another solution surfaces.
