This is need for correct working in two environment dev and prod for example.
The recommended approach would be to use NiFi Registry to promote your flow between Dev and Prod.
When using NiFi Registry you should not need to use a variable for sensitive properties, you enter the value as normal in Dev, then save to registry which removes the values, then import to prod and enter the prod password one time. After that, the value in each environment will be retained across upgrades, for example if you go back to dev and make a change and save a new version to registry, then upgrade the flow in prod, you won't have to enter the prod password again.
But what to do with processor , for example FetchFTP , after import change (version control) from DEV to PROD property: Password "No value set"
Can add pasword to variables (on processor group), but this is not secured.
Did you find a solution?
It makes sense to put a protected password field on a single processor (or controller service). The password won't be passed as an attribute along the flow.
It does not make sense to put a (protected) password into a flow attribute, because the password will be exposed.
So just make sure that your nifi/-registry is secure. Make sure that the FTP user has limit capabilities.