You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by GitBox <gi...@apache.org> on 2019/07/20 05:19:12 UTC
[GitHub] [nifi] natural opened a new pull request #3594: NIFI-3833 Support
for Encrypted Flow File Repositories
natural opened a new pull request #3594: NIFI-3833 Support for Encrypted Flow File Repositories
URL: https://github.com/apache/nifi/pull/3594
### Description of PR
The code in this change-set enables support for encrypted flow file repositories.
Specifically, this change-set enables transparent encrypted data processing by way of the `CipherInputStream` and `CipherOutputStream` classes. The classes `HashMapSnapshot` and `LengthDelimitedJournal` have been updated to use these stream classes for transparent encryption and decryption.
To activate this behavior on this branch, include changes similar to this in your properties:
`nifi.flowfile.repository.encryrption.key.1=cc6c009687afef32269a93a5d0232e38`
#### Discussion
This approach uses the Bouncy Castle `CipherInputStream` and `CipherOutptStream` with an `AEADBlockCipher` configured for stream encryption. This means:
- flow file data is encrypted as it is writen
- flow file data is decrypted as it is read
- streams written to disk are incomplete until the stream is closed; MACs are written at the end of the stream
- streams read from disk are be verified against tampering and corruption
The effect of this implementation is to ignore data that cannot be verified; under high load scenarios, for example, using this encryption method will result in increased data loss.
### For all changes:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
- [x] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
- [x] Has your PR been rebased against the latest commit within the target branch (typically `master`)?
- [x] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._
### For code changes:
- [x] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder?
- [x] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`?
- [ ] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`?
- [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties?
### For documentation related changes:
- [x] Have you ensured that format looks appropriate for the output in which it is rendered?
### Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services