## Overview

MiNiFi can encrypt sensitive values in its configuration files in three ways:

- encrypt the value of sensitive settings in the `minifi.properties` file;
- encrypt the value of sensitive properties in the `config.yml` flow definition file;
- encrypt the entire contents of the `config.yml` file as a whole.

In all three cases, the security of the encryption depends on the security of the `bootstrap.conf` file, which contains the encryption key.
## Vocabulary

- minifi home: the directory which contains the MiNiFi configuration files (in the `conf` subdirectory), as well as the logs and other files used by MiNiFi
- configuration directory: the directory `<minifi home>/conf`
- properties file: the file `<minifi home>/conf/minifi.properties`
- flow configuration: the file specified in the properties file with the key `nifi.flow.configuration.file`, or, if not specified, it defaults to `<minifi home>/conf/config.yml`
- bootstrap file: the file `<minifi home>/conf/bootstrap.conf`
- sensitive value: any value in the properties file or the flow configuration file that we wish to encrypt
## 1. Encrypt sensitive values in minifi.properties

The values of sensitive settings in the properties file can be encrypted manually, using the `encrypt-config` tool.

If you have a `minifi.properties` file in your MiNiFi configuration directory `/var/tmp/minifi-home/conf` containing the following sensitive properties:

```
...
nifi.security.client.pass.phrase=my_pass_phrase
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=password123
...
```

you can run the `encrypt-config` tool like this:

```
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home minifi-properties
Generating a new encryption key...
Wrote the new encryption key to /var/tmp/minifi-home/conf/bootstrap.conf
Encrypted property: nifi.security.client.pass.phrase
Encrypted property: nifi.rest.api.password
Encrypted 2 sensitive properties in /var/tmp/minifi-home/conf/minifi.properties
```

which will

- generate a new encryption key;
- create a `bootstrap.conf` file in your configuration directory, and write the encryption key to this file;
- encrypt the sensitive properties using this encryption key;
- add a `something.protected` encryption marker after each encrypted property.

After running the tool, `bootstrap.conf` will look like this:

```
nifi.bootstrap.sensitive.key=77cd3f88ab997f7ae99b13c70877c5274c3b7b495f601f290042b14e7db4d542
```

and `minifi.properties` will look like this:

```
...
nifi.security.client.pass.phrase=STBmfU0uk5hgSYG5O3uJM3HeZjrYJz//||vE/V65QiMgSatzScaPYkraVrpWnBExVgVX/CwyXx
nifi.security.client.pass.phrase.protected=xsalsa20poly1305
...
nifi.rest.api.user.name=admin
nifi.rest.api.password=q8XNjJMoVABXz7sks5O6nhaTqqRay4gF||U3762djgMVguHI6GjRl+iCCDSkIdTFzKDCXi
nifi.rest.api.password.protected=xsalsa20poly1305
...
```

You should protect the `bootstrap.conf` file to make sure it is only readable by the user which will run MiNiFi.
### Additional sensitive properties

By default, `encrypt-config` will encrypt a (short) list of default sensitive properties. If you want more properties to be encrypted, you can add a `nifi.sensitive.props.additional.keys` setting with a comma-separated list of additional sensitive properties to your `minifi.properties` file like this:

```
...
nifi.sensitive.props.additional.keys=nifi.rest.api.user.name,controller.socket.host,controller.socket.port
...
```

before running the `encrypt-config` tool. The tool will then encrypt these additional properties as well. You can also do this after you have already encrypted some properties; the tool will encrypt the additional properties using the existing encryption key, and it will leave the other, already encrypted, sensitive properties alone.
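As an added check (example shell written for this page, not part of the MiNiFi project or its `encrypt-config` tool), the functions below list the sensitive properties of a `minifi.properties` file that still lack a `.protected` marker, i.e. are still stored in plaintext, honouring any `nifi.sensitive.props.additional.keys` setting, and verify that `bootstrap.conf` is readable only by its owner. The default sensitive-key list is assumed to consist of the two properties shown in the examples above; the tool's real default list may be longer.

```shell
#!/bin/sh
# Added example, not part of MiNiFi: audit a minifi.properties file for sensitive
# properties that have no "<name>.protected" marker, and check bootstrap.conf permissions.

# Assumption: the default sensitive list contains (at least) the two keys shown in this document.
DEFAULT_SENSITIVE_KEYS="nifi.security.client.pass.phrase nifi.rest.api.password"

# Print the value of a property from a properties file (first match); prints nothing if absent.
prop_value() {
  # $1 = properties file, $2 = property name (dots are escaped for the sed pattern)
  sed -n "s/^$(printf '%s' "$2" | sed 's/\./\\./g')=//p" "$1" | head -n 1
}

# Print every sensitive key: the assumed defaults plus nifi.sensitive.props.additional.keys.
sensitive_keys() {
  additional=$(prop_value "$1" nifi.sensitive.props.additional.keys | tr ',' ' ')
  printf '%s %s\n' "$DEFAULT_SENSITIVE_KEYS" "$additional"
}

# Print, one per line, the sensitive keys that are set but carry no ".protected" marker.
unprotected_sensitive_keys() {
  for key in $(sensitive_keys "$1"); do
    [ -n "$(prop_value "$1" "$key")" ] || continue            # not set at all: nothing to protect
    [ -n "$(prop_value "$1" "$key.protected")" ] && continue  # marker present: already encrypted
    printf '%s\n' "$key"
  done
}

# Return 0 if the file has no group/other permission bits (e.g. mode 0600), 1 otherwise.
owner_only_permissions() {
  mode=$(ls -l "$1" | cut -c5-10)   # columns 5-10 of "ls -l" are the group and other bits
  [ "$mode" = "------" ]
}

# Stand-alone usage: audit a MiNiFi home given as the first argument.
if [ -n "${1:-}" ]; then
  conf="$1/conf"
  unprotected_sensitive_keys "$conf/minifi.properties" | sed 's/^/plaintext sensitive property: /'
  owner_only_permissions "$conf/bootstrap.conf" || echo "bootstrap.conf is readable by others" >&2
fi
```

Run it as `sh audit.sh /var/tmp/minifi-home` before and after `encrypt-config`: afterwards it should list nothing, and the permission check should be silent.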
### Modifying sensitive properties

If you later need to modify the value of a sensitive property which was encrypted earlier, you need to:

- replace the encrypted value with the new, unencrypted value;
- delete the `something.protected=...` line which was added by the tool;
- re-run the `encrypt-config` tool.

The tool will then encrypt the modified property using the existing encryption key in `bootstrap.conf`, and it will leave the other, already encrypted, sensitive properties alone.
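The first two steps of this procedure, as an added shell example written for this page (not the MiNiFi project's own code): the function rewrites one property to its new plaintext value and drops the matching `.protected` marker, so that the next `encrypt-config` run re-encrypts exactly that property with the existing key. Property names are matched literally with `awk`'s `index`, so dots in the name are not treated as wildcards.

```shell
#!/bin/sh
# Added example, not part of MiNiFi: prepare an already encrypted property for re-encryption.
# After calling this, run "./bin/encrypt-config --minifi-home <minifi home>" as described above.

reset_sensitive_property() {
  # $1 = path to minifi.properties, $2 = property name, $3 = new plaintext value
  # Note: awk -v interprets backslash escapes in the value, so avoid backslashes in $3.
  props="$1"; key="$2"; value="$3"
  tmpfile="$props.tmp.$$"
  awk -v k="$key" -v v="$value" '
    index($0, k "=") == 1           { print k "=" v; replaced = 1; next }  # replace the encrypted value
    index($0, k ".protected=") == 1 { next }                              # drop the encryption marker
    { print }
    END { exit replaced ? 0 : 1 }   # fail if the property was not present at all
  ' "$props" > "$tmpfile" || {
    rm -f "$tmpfile"
    echo "property $key not found in $props; nothing changed" >&2
    return 1
  }
  mv "$tmpfile" "$props"
}

# Stand-alone usage: sh reset.sh <minifi home> <property> <new value>
if [ $# -eq 3 ]; then
  reset_sensitive_property "$1/conf/minifi.properties" "$2" "$3"
fi
```

The file is rewritten through a temporary copy and renamed into place, so a failure in the middle leaves the original untouched.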
## Encrypting the flow configuration

Pass the flag `--encrypt-flow-config` to `encrypt-config` so that it also encrypts the flow configuration file, not just the sensitive properties.
## Updating the encryption key

If you want to change the encryption key, you can do so in the following way:

- If the files are already encrypted, there should be a `nifi.bootstrap.sensitive.key=...` line in the `bootstrap.conf` file (i.e. you have access to the original key); otherwise you have to manually replace all encrypted data (sensitive properties and flow configuration) with their original, unencrypted values (or some other new value).
- If present, rename the `nifi.bootstrap.sensitive.key=...` property in `bootstrap.conf` to `nifi.bootstrap.sensitive.key.old=...` (i.e. add the `.old` suffix to the property name).
- If you have a specific encryption key you would like to use, add it to the `bootstrap.conf` file (add the line `nifi.bootstrap.sensitive.key=<your encryption key here>`). If you provide no encryption key (no `nifi.bootstrap.sensitive.key` property in `bootstrap.conf`, or no `bootstrap.conf` at all), a new key will be randomly generated and written to `bootstrap.conf`.
- Re-run the `encrypt-config` tool.

Take special care when changing the encryption key while the flow configuration is encrypted: you must also re-encrypt it before deleting the old key (you will get a warning if you do not request its re-encryption).

```
$ cat /var/tmp/minifi-home/conf/bootstrap.conf
nifi.bootstrap.sensitive.key.old=0728061a041edb09445ae4dbd95f11bd255bb0b467b8efb239e665aea5ace46b
nifi.bootstrap.sensitive.key=46af2c11a3f24c8c875ab4bee65e18a75f825fc3a4e03abdc8ce49d405b0b730
$ ./bin/encrypt-config --minifi-home /var/tmp/minifi-home
Old encryption key found in conf/bootstrap.conf
Using the existing encryption key found in conf/bootstrap.conf
Successfully decrypted property "nifi.security.client.pass.phrase" using old key.
Encrypted property: nifi.security.client.pass.phrase
Encrypted 1 sensitive property in conf/minifi.properties
WARNING: you did not request the flow config to be updated, if it is currently encrypted and the old key is removed, you won't be able to recover the flow config.
```

If you forgot to specify the `--encrypt-flow-config` flag, you can re-run `encrypt-config` with the flag, and it will re-encrypt the flow configuration file as well.

It is always safe to re-run `encrypt-config`; if it doesn't find anything new to encrypt, it will simply not do anything.

When you have successfully re-encrypted all sensitive properties and the flow configuration file(s), you can delete the `nifi.bootstrap.sensitive.key.old` line from the bootstrap file.
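The `bootstrap.conf` edits of this key rotation, as an added shell example written for this page (not the MiNiFi project's own code): `begin_key_rotation` renames the current key to `nifi.bootstrap.sensitive.key.old` and optionally appends the key you chose, and `finish_key_rotation` removes the `.old` line once `encrypt-config` (with `--encrypt-flow-config` if the flow is encrypted) has been re-run. Both refuse to proceed when the file is not in the expected state, so that a half-finished rotation cannot lose the only key that can still decrypt the data. The check that a supplied key is 64 hexadecimal characters is an assumption based on the keys shown in the examples above.

```shell
#!/bin/sh
# Added example, not part of MiNiFi: the bootstrap.conf steps of an encryption key rotation.
# Between begin_key_rotation and finish_key_rotation, run encrypt-config as described above.

begin_key_rotation() {
  # $1 = path to bootstrap.conf, $2 = optional new key (assumed format: 64 hex chars, as in this page)
  conf="$1"; newkey="${2:-}"
  if grep -q '^nifi.bootstrap.sensitive.key.old=' "$conf" 2>/dev/null; then
    echo "an old key is still present in $conf; finish the previous rotation first" >&2
    return 1
  fi
  if [ -n "$newkey" ] && ! printf '%s\n' "$newkey" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    echo "new key must be 64 hexadecimal characters" >&2
    return 1
  fi
  tmpfile="$conf.tmp.$$"
  if [ -f "$conf" ]; then
    # Step 1: keep the current key under the ".old" name so encrypt-config can still decrypt with it.
    sed 's/^nifi\.bootstrap\.sensitive\.key=/nifi.bootstrap.sensitive.key.old=/' "$conf" > "$tmpfile"
  else
    : > "$tmpfile"   # no bootstrap.conf yet: there is nothing to preserve
  fi
  # Step 2: add the chosen key; with none given, encrypt-config generates a fresh one on its next run.
  if [ -n "$newkey" ]; then
    printf 'nifi.bootstrap.sensitive.key=%s\n' "$newkey" >> "$tmpfile"
  fi
  mv "$tmpfile" "$conf"
}

finish_key_rotation() {
  # $1 = path to bootstrap.conf; call only after everything has been re-encrypted with the new key.
  conf="$1"
  if ! grep -q '^nifi.bootstrap.sensitive.key=' "$conf" 2>/dev/null; then
    echo "no current key in $conf; refusing to remove the old key" >&2
    return 1
  fi
  tmpfile="$conf.tmp.$$"
  grep -v '^nifi.bootstrap.sensitive.key.old=' "$conf" > "$tmpfile"
  mv "$tmpfile" "$conf"
}

# Stand-alone usage: sh rotate.sh begin <minifi home> [new key]   or   sh rotate.sh finish <minifi home>
case "${1:-}" in
  begin)  begin_key_rotation "$2/conf/bootstrap.conf" "${3:-}" ;;
  finish) finish_key_rotation "$2/conf/bootstrap.conf" ;;
esac
```

After `begin`, the file matches the `cat` output shown above; `finish` should only be run once `encrypt-config` reports no remaining warning about the flow configuration.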
## Automatic encryption

Specify the property `nifi.flow.configuration.encrypt=true` in the properties file to have the new flow configuration written to disk encrypted after a flow update (originating from a C2 server). It requires that you have a `conf/bootstrap.conf` in your minifi home containing an encryption key (`nifi.bootstrap.sensitive.key`). This "master key" is also used on agent startup to decrypt the flow configuration file.