Created 03-06-2018 02:37 AM
To whom it may concern:
I am attempting to encrypt sensitive processor properties with the following snippet from my nifi.properties file:
nifi.sensitive.props.key=1756eb0b-4eb3-46d6-98a4-a350b46c7459
nifi.sensitive.props.key.protected=
nifi.sensitive.props.algorithm=PBEWITHMD5AND256BITAES-CBC-OPENSSL
nifi.sensitive.props.provider=BC
nifi.sensitive.props.additional.keys=my_secret
I restarted NiFi but the value of the my_secret attribute remains unencrypted in flow.xml.gz. I've modified the value of my_secret several times but it is still saved in cleartext.
Any help with this would be greatly appreciated.
In addition, does anyone know what the value of "BC" means for the
nifi.sensitive.props.provider key? Equivalently, anyone know where I can get a list of default sensitive properties?
Created 03-06-2018 02:59 PM
The "nifi.sensitive.props.additional.keys" property in the nifi.properties file allows you to specify additional properties from the nifi.properties file for encryption. Only processor properties that have been specifically coded as sensitive will be encrypted. Users cannot define additional processor properties themselves for encryption.
Sorry that the documentation is a bit confusing on this property.
As far as "BC" goes, it stands for Bouncy Castle.
https://www.bouncycastle.org/
Thank you,
Matt
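The answer above draws the line between nifi.properties keys (which additional.keys covers) and processor properties (which are only encrypted if the processor declares them sensitive). The quickest way to confirm which side a given value landed on is to look at how it is stored in flow.xml.gz: NiFi writes encrypted sensitive values wrapped as enc{...} and everything else verbatim. The following audit script is an added example, not code from NiFi or from anyone in this thread; the processor names, the gzipped flow document and the secret values in it are constructed for the demonstration, and the regex assumes the enc{...} payload is hex.

```python
import gzip
import re
import sys
import xml.etree.ElementTree as ET

# NiFi stores an encrypted sensitive property value as enc{<hex>} in flow.xml;
# a value that is not wrapped this way is sitting on disk in cleartext.
# (Assumption: the payload inside the braces is hexadecimal.)
ENC_PATTERN = re.compile(r"^enc\{[0-9A-Fa-f]+\}$")

# Constructed sample flow.xml (not a real NiFi flow). One property was coded
# as sensitive by its processor and is encrypted; the user-defined
# "my_secret" property was not, so it is stored verbatim.
SAMPLE_FLOW_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<flowController>
  <rootGroup>
    <processor>
      <id>11111111-2222-3333-4444-555555555555</id>
      <name>FetchFromVendor</name>
      <property>
        <name>Password</name>
        <value>enc{0A1B2C3D4E5F60718293A4B5C6D7E8F9}</value>
      </property>
      <property>
        <name>my_secret</name>
        <value>constructed-cleartext-value</value>
      </property>
      <property>
        <name>URL</name>
        <value>https://example.invalid/</value>
      </property>
      <property>
        <name>Proxy Password</name>
        <value></value>
      </property>
    </processor>
  </rootGroup>
</flowController>
"""


def sample_flow_gz():
    """Gzip the constructed flow.xml so it looks like a real flow.xml.gz."""
    return gzip.compress(SAMPLE_FLOW_XML)


def audit_flow_properties(flow_gz_bytes, watch):
    """Classify every watched property in the flow as encrypted/cleartext/empty.

    Returns {"<processor name>/<property name>": status}. Both processors and
    controller services carry <property> children in flow.xml, so both are walked.
    """
    root = ET.fromstring(gzip.decompress(flow_gz_bytes))
    result = {}
    for component in list(root.iter("processor")) + list(root.iter("controllerService")):
        component_name = component.findtext("name") or component.findtext("id") or "?"
        for prop in component.iter("property"):
            name = prop.findtext("name")
            if name not in watch:
                continue
            value = prop.findtext("value")
            if not value:
                status = "empty"
            elif ENC_PATTERN.match(value):
                status = "encrypted"
            else:
                status = "cleartext"
            result[f"{component_name}/{name}"] = status
    return result


def cleartext_findings(audit):
    """Names of watched properties that are stored unencrypted; the list a
    reviewer actually needs to act on."""
    return sorted(key for key, status in audit.items() if status == "cleartext")


if __name__ == "__main__":
    # Usage: python audit_flow.py /path/to/flow.xml.gz Password my_secret
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        watch = set(sys.argv[2:])
    else:
        data, watch = sample_flow_gz(), {"Password", "my_secret", "URL", "Proxy Password"}
    report = audit_flow_properties(data, watch)
    for key, status in sorted(report.items()):
        print(f"{status:10s} {key}")
    if cleartext_findings(report):
        print("WARNING: cleartext values found:", cleartext_findings(report))
```

Run against the constructed sample, the "Password" property comes back encrypted while "my_secret" and "URL" are cleartext, which is exactly the symptom in the original question: the value is stored as an ordinary processor property, so changing nifi.sensitive.props.additional.keys has no effect on it. Pointing the script at a real flow.xml.gz with the property names you care about gives the same classification for a live instance; note that "URL" being cleartext is expected, since it was never a sensitive field.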
Created 03-06-2018 05:43 PM
Processors obscure sensitive property values. In addition, those sensitive property values are encrypted when stored in the flow.xml.gz file.
I cannot think of how those sensitive properties would even get into the NiFi logs, flowfile repo, content repo, or provenance repo. Sensitive properties are generally defined for password property fields. They are used in facilitating a connection, and I can see no reason why they would ever be written to the content or attributes of a FlowFile.
Is this what you were concerned about?
Thanks,
Matt
Created 03-06-2018 05:53 PM
Yes, my requirement is to encrypt passwords at rest.
I notice that property values also appear in the database_repository/ files as well...
Created 03-06-2018 07:09 PM
I am assuming you are referring to the H2 Binary DB file nifi-flow-audit.h2.db?
In that case, properties coded as sensitive are not persisted to the H2 database. NiFi writes literally " ******** " to the H2 DB for these sensitive property values.
Thanks,
Matt
Created 03-06-2018 04:49 PM
Thanks for the detailed response, @Matt Clarke.
In addition to flow.xml.gz, can I assume that sensitive properties will be encrypted in all locations (logs, repositories)?