Skip to main content
Version: v1.11.1

PR #290 changed the default NiFi sensitive algorithm from PBEWITHMD5AND256BITAES-CBC-OPENSSL to NIFI_PBKDF2_AES_GCM_256. If you have overridden the property nifi.sensitive.props.algorithm in the nifi.properties then you can ignore this guide.

Getting started

If you have overridden the default nifi.sensitive.props.algorithm, then there are no special upgrade instructions. If you have, you need to upadate the flow configuration to recalculate the sensitive value beforehand. To do so, you need to use the NiFi Encrypt-Config Tool to change the algorithm.

encrypt-config.sh -n nifi.properties -f flow.xml.gz -x -s PROPERTIES_KEY -A NIFI_PBKDF2_AES_GCM_256
encrypt-config.sh -n nifi.properties -f flow.json.gz -x -s PROPERTIES_KEY -A NIFI_PBKDF2_AES_GCM_256

Source: https://exceptionfactory.com/posts/2021/07/29/deciphering-apache-nifi-component-property-encryption/

You can do this automatically using an initContainer. To do this, you stop the operator, update the NifiCluster with this new initContainer and then upgrade and restart the operator. Finally, you can remove the initContainer.

initContainers:
- image: "apache/nifi-toolkit:latest"
name: nifi-toolkit
imagePullPolicy: Always
command:
- "sh"
- "-c"
- "NIFI_SENSITIVE_PROPS_KEY=$(grep 'nifi.sensitive.props.key' /opt/nifi/nifi-current/conf/nifi.properties | cut -d'=' -f2) && bin/encrypt-config.sh -n /opt/nifi/nifi-current/conf/nifi.properties -f /opt/nifi/data/flow.json.gz -x -A NIFI_PBKDF2_AES_GCM_256 -s $NIFI_SENSITIVE_PROPS_KEY; bin/encrypt-config.sh -n /opt/nifi/nifi-current/conf/nifi.properties -f /opt/nifi/data/flow.xml.gz -x -A NIFI_PBKDF2_AES_GCM_256 -s $NIFI_SENSITIVE_PROPS_KEY"
volumeMounts:
- name: data
mountPath: /opt/nifi/data
- name: conf
mountPath: /opt/nifi/nifi-current/conf

Adapt the volumeMounts and mountPath to your needs.