Posted to dev@nifi.apache.org by Devin Fisher <de...@perfectsearchcorp.com> on 2016/08/18 17:33:41 UTC

nifi.sensitive.props.key from external source

We are looking to deploy nifi as part of an appliance. Normally, we use
etckeeper [1] to maintain, track and back up our configuration across the
board. Etckeeper puts configuration files into a git repo. I would like to
store nifi configuration in the same way but I'm concerned about storing
the sensitive properties key there along with the flow.xml.gz. I would like
to store that key somewhere else and load it in at start up time.  Any
thoughts on how that could be done?  Ultimately, I just want to not back
up the key with the flow.xml.gz (which has the encrypted data). That way if
someone gets a hold of the backup it would not be trivial to decrypt the
sensitive data in flow.xml.gz.

I thought I might be able to do this by adding a custom java.arg to the
bootstrap.conf that would point to an environment variable.

Something like:
java.arg.99=-Dnifi.sensitive.props.key=$NIFI_SENSITIVE_PROPS_KEY

But I'm not sure if System properties can stand in for nifi.properties
values and if the boot loader launches nifi in such a way to use
environment variables.


[1] https://github.com/joeyh/etckeeper

Re: nifi.sensitive.props.key from external source

Posted by Andy LoPresto <al...@gmail.com>.
Devin,

I am working on a PR to support this. I hope to have it completed by tomorrow. 

NIFI-1831 has a description of the task, PR 834 has my current changes. 

Andy LoPresto
alopresto@apache.org
alopresto.apache@gmail.com
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

> On Aug 18, 2016, at 10:33, Devin Fisher <de...@perfectsearchcorp.com> wrote:
> 
> We are looking to deploy nifi as part of an appliance. Normally, we use
> etckeeper [1] to maintain, track and back up our configuration across the
> board. Etckeeper puts configuration files into a git repo. I would like to
> store nifi configuration in the same way but I'm concerned about storing
> the sensitive properties key there along with the flow.xml.gz. I would like
> to store that key somewhere else and load it in at start up time.  Any
> thoughts on how that could be done?  Ultimately, I just want to not back
> up the key with the flow.xml.gz (which has the encrypted data). That way if
> someone gets a hold of the backup it would not be trivial to decrypt the
> sensitive data in flow.xml.gz.
> 
> I thought I might be able to do this by adding a custom java.arg to the
> bootstrap.conf that would point to an environment variable.
> 
> Something like:
> java.arg.99=-Dnifi.sensitive.props.key=$NIFI_SENSITIVE_PROPS_KEY
> 
> But I'm not sure if System properties can stand in for nifi.properties
> values and if the boot loader launches nifi in such a way to use
> environment variables.
> 
> 
> [1] https://github.com/joeyh/etckeeper
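
One way to keep the key out of the tracked configuration, shown as an added example that is not part of this thread, not NiFi or etckeeper code, and not the approach of NIFI-1831 or PR 834: the git-tracked nifi.properties keeps a blank nifi.sensitive.props.key, and a start-up step renders an untracked runtime copy with the key taken from the NIFI_SENSITIVE_PROPS_KEY environment variable named in the original post. The function names and file locations are hypothetical, and it is an assumption that NiFi is pointed at the rendered copy.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed for illustration.
KEY_PROP='nifi.sensitive.props.key'
KEY_RE='^[[:space:]]*nifi\.sensitive\.props\.key[[:space:]]*='

# Print the value assigned to nifi.sensitive.props.key in properties file $1.
# The last assignment wins; surrounding whitespace is trimmed.
props_key_value() {
    sed -n "s/${KEY_RE}[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Guard for the tracked copy: succeeds only if the key is blank or absent.
# Intended to be called from a commit hook on the configuration repo.
tracked_copy_is_clean() {
    [ -z "$(props_key_value "$1")" ]
}

# Render the runtime copy: read the tracked template $1 (blank key) and write
# $2 with the key from $NIFI_SENSITIVE_PROPS_KEY, readable by the owner only.
render_runtime_props() {
    template=$1 out=$2
    tracked_copy_is_clean "$template" || {
        echo "refusing: $template already contains a key" >&2; return 1; }
    [ -n "${NIFI_SENSITIVE_PROPS_KEY:-}" ] || {
        echo "refusing: NIFI_SENSITIVE_PROPS_KEY is not set" >&2; return 1; }
    ( umask 077
      # Drop any existing (blank) key line, then append the real one.
      sed "/${KEY_RE}/d" "$template" > "$out"
      printf '%s=%s\n' "$KEY_PROP" "$NIFI_SENSITIVE_PROPS_KEY" >> "$out" )
}
```

The rendered file belongs outside the directory that etckeeper tracks, and the key value is written as-is, so a key containing backslashes would need Java properties escaping first.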