PGP encryption/decryption

Contributor

Hi

We are using DecryptContentPGP (Private key) and EncryptContentPGP (Public key) to encrypt and decrypt the file at rest, which is working fine.

This same cert is being used by multiple flows.

We are facing an issue when we have to renew this cert, since we need to restart the controller service StandardPGPPublicKeyService.

As this is being used by multiple flows, we need to stop and start all the flows.

Is there an easier way to update the cert without restarting StandardPGPPublicKeyService?

 

Thanks

2 ACCEPTED SOLUTIONS

Master Mentor

@nifier 

Unfortunately not. When the StandardPGPPublicKeyService Controller Service is enabled, it loads the Keyring into heap memory. Only stopping will allow you to edit the "Keyring" or allow it to load an updated keyring from the "Keyring File". Likewise, any component that has been configured to use this StandardPGPPublicKeyService must be stopped whenever the Controller Service is disabled because a dependency exists between the two components and thus the components are no longer "Valid" and able to run when the Controller Service is disabled. Stopping and Starting the Controller Service gives you the option to start all the dependent processors using it at the same time.

You could raise an Apache NiFi Jira (https://issues.apache.org/jira/browse/NIFI) for a new feature request around the StandardPGPPublicKeyService Controller Service, perhaps asking for the ability to update a KeyRingFile while enabled and specify a re-read interval for reading the KeyRingFile.

Please help our community grow. If you found any of the suggestions/solutions provided helped you with solving your issue or answering your question, please take a moment to login and click "Accept as Solution" on one or more of them that helped.

Thank you,
Matt

Contributor

Thanks @MattWho for your response.
