NIFI-2451 Incorporated Drew's final comments to Admin Guide.

Andrew Lim 2016-08-24 12:46:14 -07:00 committed by Andy LoPresto
parent b9a04ea045
commit aadbbd1aa8
No known key found for this signature in database
GPG Key ID: 3C6EF65B2F7DEF69
1 changed files with 7 additions and 8 deletions


@ -984,13 +984,13 @@ The `encrypt-config` command line tool (invoked as `./bin/encrypt-config.sh` or
The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed. The default encryption algorithm utilized is AES/GCM 128/256-bit. 128-bit is used if the JCE Unlimited Strength Cryptographic Jurisdiction Policy files are not installed, and 256-bit is used if they are installed.
You can use the following command line options with the encrypt-config tool: You can use the following command line options with the `encrypt-config` tool:
* `-b,--bootstrapConf <arg>` The bootstrap.conf file to persist master key * `-b,--bootstrapConf <arg>` The bootstrap.conf file to persist master key
* `-h,--help` Prints this usage message * `-h,--help` Prints this usage message
* `-k,--key <arg>` The raw hexadecimal key to use to encrypt the sensitive properties (the key can be entered with spaces or '-' delimiters to assist manual entry -- these will be ignored) * `-k,--key <arg>` The raw hexadecimal key to use to encrypt the sensitive properties (the key can be entered with spaces or '-' delimiters to assist manual entry -- these will be ignored)
* `-n,--niFiProperties <arg>` The nifi.properties file containing unprotected config values (will be overwritten by default unless `-o` is provided) * `-n,--niFiProperties <arg>` The 'nifi.properties' file containing unprotected config values (will be overwritten by default unless `-o` is provided)
* `-o,--outputNiFiProperties <arg>` The destination nifi.properties file containing protected config values (will not modify input nifi.properties) * `-o,--outputNiFiProperties <arg>` The destination 'nifi.properties' file containing protected config values (will not modify input 'nifi.properties')
* `-p,--password <arg>` The password from which to derive the key to use to encrypt the sensitive properties * `-p,--password <arg>` The password from which to derive the key to use to encrypt the sensitive properties
* `-r,--useRawKey` If provided, the secure console will prompt for the raw key value in hexadecimal form * `-r,--useRawKey` If provided, the secure console will prompt for the raw key value in hexadecimal form
* `-v,--verbose` Sets verbose mode (default false) * `-v,--verbose` Sets verbose mode (default false)
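Review bot: the `-p,--password <arg>` entry should warn that a password supplied as a command-line argument ends up in shell history and is visible to other local users through process listings, and should point readers to the interactive alternative the `-r,--useRawKey` entry already describes (the secure console prompt) for entering either secret without it appearing on the command line. Separately, the quoting of file names is now inconsistent within the list: `-n` and `-o` were changed to 'nifi.properties' in single quotes, while `-b` still has the bare "bootstrap.conf file"; use one convention, e.g. `The 'bootstrap.conf' file to persist master key`.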
@ -1058,19 +1058,18 @@ If the 'nifi.properties' file already has valid protected values, those property
Password Key Derivation Password Key Derivation
~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~
Instead of providing a 32 or 64 character raw hexadecimal key, the user can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using `SCrypt` with the parameters: Instead of providing a 32 or 64 character raw hexadecimal key, you can provide a password from which the key will be derived. As of 1.0.0, the password must be at least 12 characters, and the key will be derived using `SCrypt` with the parameters:
* `pw` -- the password bytes in `UTF-8` * `pw` -- the password bytes in `UTF-8`
* `salt` -- the fixed salt value (`NIFI_SCRYPT_SALT`) bytes in `UTF-8` _see note below_ * `salt` -- the fixed salt value (`NIFI_SCRYPT_SALT`) bytes in `UTF-8`
* `N` -- 2^16^ * `N` -- 2^16^
* `r` -- 8 * `r` -- 8
* `p` -- 1 * `p` -- 1
* `dkLen` -- determined by the JCE policies available * `dkLen` -- determined by the JCE policies available
These values are determined to be strong for this threat model in August 2016 but may change in future versions. As of August 2016, these values are determined to be strong for this threat model but may change in future versions.
_Note:_ NOTE: While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
While fixed salts are counter to best practices, a static salt is necessary for deterministic key derivation without additional storage of the salt value.
[[encrypt-config_secure_prompt]] [[encrypt-config_secure_prompt]]
Secure Prompt Secure Prompt
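Review bot: the `dkLen` bullet ("determined by the JCE policies available") should state the actual lengths, since the earlier hunk already pins them down: 128-bit without the Unlimited Strength Jurisdiction Policy files and 256-bit with them, i.e. 16 or 32 bytes, matching the 32 or 64 hexadecimal characters a raw key takes. Two smaller points: "these values are determined to be strong" reads oddly as a judgement about parameters, "considered strong" or "chosen to be strong" is clearer; and the reworked NOTE on the fixed salt could add the practical consequence for operators, namely that with a constant `NIFI_SCRYPT_SALT` the same password always derives the same key on every instance, so the 12-character minimum on the password is the only per-deployment defence against precomputation, which is the reason the minimum exists.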