You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@nifi.apache.org by "Anders Breindahl (JIRA)" <ji...@apache.org> on 2016/11/16 14:57:58 UTC

[jira] [Updated] (NIFI-3045) Usage of -k undermines encrypted configuration

     [ https://issues.apache.org/jira/browse/NIFI-3045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anders Breindahl updated NIFI-3045:
-----------------------------------
    Attachment: extract-dash-ks-from-process-list.xml

Simple template listing the process list of the local system.

> Usage of -k undermines encrypted configuration
> ----------------------------------------------
>
>                 Key: NIFI-3045
>                 URL: https://issues.apache.org/jira/browse/NIFI-3045
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Anders Breindahl
>         Attachments: extract-dash-ks-from-process-list.xml
>
>
> Hey,
> When setting up a hardened NiFi installation I ran into this. I hope I'm mistaken.
> When running the `encrypt-config.sh` script, one has a `nifi.bootstrap.sensitive.key` string configured in `bootstrap.conf`. The service startup script makes this be passed from `RunNifi` to`NiFi` by a `-k` parameter.
> This however can be retrieved by any user of the interface---which, combined with NiFi being able to read from (the encrypted-under-`nifi.bootstrap.sensitive.key`) `nifi.properties` file means that e.g. the `nifi.security.keystorePasswd` property can be decrypted offline.
> Does this have anything to it?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)