mirror of https://github.com/apache/nifi.git
NIFI-2451 Incorporated Drew's final comments to Admin Guide.
parent b9a04ea045
commit aadbbd1aa8
|
@ -984,13 +984,13 @@ The `encrypt-config` command line tool (invoked as `./bin/encrypt-config.sh` or
|
||||||
|
|
||||||
The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed.
|
The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed.
|
||||||
|
|
||||||
You can use the following command line options with the encrypt-config tool:
|
You can use the following command line options with the `encrypt-config` tool:
|
||||||
|
|
||||||
* `-b,--bootstrapConf <arg>` The bootstrap.conf file to persist master key
|
* `-b,--bootstrapConf <arg>` The bootstrap.conf file to persist master key
|
||||||
* `-h,--help` Prints this usage message
|
* `-h,--help` Prints this usage message
|
||||||
* `-k,--key <arg>` The raw hexadecimal key to use to encrypt the sensitive properties (the key can be entered with spaces or '-' delimiters to assist manual entry -- these will be ignored)
|
* `-k,--key <arg>` The raw hexadecimal key to use to encrypt the sensitive properties (the key can be entered with spaces or '-' delimiters to assist manual entry -- these will be ignored)
|
||||||
* `-n,--niFiProperties <arg>` The nifi.properties file containing unprotected config values (will be overwritten by default unless `-o` is provided)
|
* `-n,--niFiProperties <arg>` The 'nifi.properties' file containing unprotected config values (will be overwritten by default unless `-o` is provided)
|
||||||
* `-o,--outputNiFiProperties <arg>` The destination nifi.properties file containing protected config values (will not modify input nifi.properties)
|
* `-o,--outputNiFiProperties <arg>` The destination 'nifi.properties' file containing protected config values (will not modify input 'nifi.properties')
|
||||||
* `-p,--password <arg>` The password from which to derive the key to use to encrypt the sensitive properties
|
* `-p,--password <arg>` The password from which to derive the key to use to encrypt the sensitive properties
|
||||||
* `-r,--useRawKey` If provided, the secure console will prompt for the raw key value in hexadecimal form
|
* `-r,--useRawKey` If provided, the secure console will prompt for the raw key value in hexadecimal form
|
||||||
* `-v,--verbose` Sets verbose mode (default false)
|
* `-v,--verbose` Sets verbose mode (default false)
|
||||||
|
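Review bot: On the new side of the `-n` and `-o` entries the file name is wrapped in single quotes ('nifi.properties'), but the `-b` entry still reads "The bootstrap.conf file to persist master key" with no quoting, so the option list ends up with two conventions; quote 'bootstrap.conf' the same way. While this list is being touched, the `-k` and `-p` entries could point readers to `-r`, since a key or password passed as an argument ends up in shell history and is visible in the process list, whereas `-r` reads the key from the secure console.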
@ -1058,19 +1058,18 @@ If the 'nifi.properties' file already has valid protected values, those property
|
||||||
Password Key Derivation
|
Password Key Derivation
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
Instead of providing a 32 or 64 character raw hexadecimal key, the user can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using `SCrypt` with the parameters:
|
Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using `SCrypt` with the parameters:
|
||||||
|
|
||||||
* `pw` -- the password bytes in `UTF-8`
|
* `pw` -- the password bytes in `UTF-8`
|
||||||
* `salt` -- the fixed salt value (`NIFI_SCRYPT_SALT`) bytes in `UTF-8` _see note below_
|
* `salt` -- the fixed salt value (`NIFI_SCRYPT_SALT`) bytes in `UTF-8`
|
||||||
* `N` -- 2^16^
|
* `N` -- 2^16^
|
||||||
* `r` -- 8
|
* `r` -- 8
|
||||||
* `p` -- 1
|
* `p` -- 1
|
||||||
* `dkLen` -- determined by the JCE policies available
|
* `dkLen` -- determined by the JCE policies available
|
||||||
|
|
||||||
These values are determined to be strong for this threat model in August 2016 but may change in future versions.
|
As of August 2016, these values are determined to be strong for this threat model but may change in future versions.
|
||||||
|
|
||||||
_Note:_
|
NOTE: While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
|
||||||
While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
|
|
||||||
|
|
||||||
[[encrypt-config_secure_prompt]]
|
[[encrypt-config_secure_prompt]]
|
||||||
Secure Prompt
|
Secure Prompt
|
||||||
|
|
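Review bot: The new `salt` bullet drops "_see note below_", so nothing in the parameter list flags that the fixed salt is a deliberate trade-off, and the NOTE that replaces the old paragraph explains why the salt is static without saying what that costs. Suggest keeping a pointer on the bullet and adding one sentence to the NOTE: with the salt fixed to `NIFI_SCRYPT_SALT`, the same password derives the same key on every installation, so the 12-character minimum and the scrypt cost parameters are the only defence against precomputed guesses. The `dkLen` bullet could also state the two possible lengths instead of only "determined by the JCE policies available".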