Apache NiFi / NIFI-3714

Encrypt config tool replaces wrong key/value pair with encrypted value and exposes plain sensitive value

    Description

      In testing the encrypted provenance repository key management system, I found an issue where the ./bin/encrypt-config.sh command can encrypt the correct sensitive value but replace the wrong key/value pair in the encrypted nifi.properties file.

      Example:

      Existing nifi.properties

      nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
      nifi.provenance.repository.debug.frequency=1_000_000
      nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.provenance.StaticKeyProvider
      nifi.provenance.repository.encryption.key.provider.location=
      nifi.provenance.repository.encryption.key.id=Key1
      nifi.provenance.repository.encryption.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
      nifi.sensitive.props.additional.keys=nifi.provenance.repository.encryption.key
      

      After running ./bin/encrypt-config.sh -b conf/bootstrap.conf -n conf/nifi.properties -k AAAABBBBCCCCDDDDEEEEFFFF00001111AAAABBBBCCCCDDDDEEEEFFFF00001111

      # Provenance Repository Properties
      nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
      nifi.provenance.repository.debug.frequency=1_000_000
      nifi.provenance.repository.encryption.key=aYDkDKys1ENr3gp+||sTBPpMlIvHcOLTGZlfWct8r9RY8BuDlDkoaYmGJ/9m9af9tZIVzcnDwvYQAaIKxRGF7vI2yrY7Xd6x9GTDnWGiGiRXlaP458BBMMgfzH2O8
      nifi.provenance.repository.encryption.key.protected=aes/gcm/256
      nifi.provenance.repository.encryption.key.provider.location=
      nifi.provenance.repository.encryption.key.id=Key1
      nifi.provenance.repository.encryption.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
      nifi.sensitive.props.additional.keys=nifi.provenance.repository.encryption.key
      

      When it should be

      # Provenance Repository Properties
      nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
      nifi.provenance.repository.debug.frequency=1_000_000
      nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.provenance.StaticKeyProvider
      nifi.provenance.repository.encryption.key.provider.location=
      nifi.provenance.repository.encryption.key.id=Key1
      nifi.provenance.repository.encryption.key=aYDkDKys1ENr3gp+||sTBPpMlIvHcOLTGZlfWct8r9RY8BuDlDkoaYmGJ/9m9af9tZIVzcnDwvYQAaIKxRGF7vI2yrY7Xd6x9GTDnWGiGiRXlaP458BBMMgfzH2O8
      nifi.provenance.repository.encryption.key.protected=aes/gcm/256
      nifi.sensitive.props.additional.keys=nifi.provenance.repository.encryption.key
      

      I verified (using a test fixture) that the cipher text is the correct encryption of 0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210 with a random IV (Base64-encoded and embedded in the cipher text as aYDkDKys1ENr3gp+) and the key AAAABBBBCCCCDDDDEEEEFFFF00001111AAAABBBBCCCCDDDDEEEEFFFF00001111. It does not appear to be an issue with the encryption but with the replacement logic.
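      The symptom above (the ciphertext and its .protected marker landing where nifi.provenance.repository.encryption.key.provider.implementation used to be, while the real key stays in clear) is what a replacement that matches lines by key *prefix* rather than by exact key name would produce. The script below is an added illustration written for this page, not the encrypt-config tool's own code: it reimplements both a prefix-matching and an exact-matching rewrite over the nifi.properties sample from the report, and adds an audit a deployer can run after any such tool to confirm that the plaintext value is gone, the sensitive key appears exactly once, and no unrelated key was lost. The prefix-match cause is an assumption consistent with the reported output, and the ciphertext is a placeholder standing in for the AES/GCM output.

```python
"""Reproduce the NIFI-3714 mis-replacement on the report's nifi.properties sample
and show an exact-key rewrite plus a post-write audit.

Added illustration, not Apache NiFi's encrypt-config code. The prefix-matching
cause is an assumption consistent with the reported output; CIPHERTEXT is a
placeholder, not a real AES/GCM value.
"""

# Constructed from the "Existing nifi.properties" sample in the report.
ORIGINAL = """\
nifi.provenance.repository.implementation=org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository
nifi.provenance.repository.debug.frequency=1_000_000
nifi.provenance.repository.encryption.key.provider.implementation=org.apache.nifi.provenance.StaticKeyProvider
nifi.provenance.repository.encryption.key.provider.location=
nifi.provenance.repository.encryption.key.id=Key1
nifi.provenance.repository.encryption.key=0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210
nifi.sensitive.props.additional.keys=nifi.provenance.repository.encryption.key
"""

KEY = "nifi.provenance.repository.encryption.key"
PLAINTEXT = "0123456789ABCDEFFEDCBA98765432100123456789ABCDEFFEDCBA9876543210"
CIPHERTEXT = "<ciphertext-placeholder>"  # placeholder; a real tool writes the AES/GCM output here
SCHEME = "aes/gcm/256"


def protect_by_prefix(text, key, ciphertext, scheme):
    """Assumed-buggy variant: rewrites the first line that merely *starts with*
    the key name. On the sample this hits ...encryption.key.provider.implementation,
    drops that property, and leaves the real key line in plaintext."""
    out, replaced = [], False
    for line in text.splitlines():
        if not replaced and line.startswith(key):
            out.append(f"{key}={ciphertext}")
            out.append(f"{key}.protected={scheme}")
            replaced = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def protect_exact(text, key, ciphertext, scheme):
    """Correct variant: only the line whose key (text before '=') equals `key`
    is replaced, so longer keys sharing the prefix are untouched."""
    out = []
    for line in text.splitlines():
        name, sep, _ = line.partition("=")
        if sep and name.strip() == key:
            out.append(f"{key}={ciphertext}")
            out.append(f"{key}.protected={scheme}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def _keys_of(text):
    """Ordered list of property names, skipping comments and blank lines."""
    names = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, _ = line.partition("=")
        if sep:
            names.append(name.strip())
    return names


def audit(original, protected, key, plaintext, scheme):
    """Post-write check: each finding is a reason not to trust the rewritten
    file. An empty list means the sensitive value was replaced in place."""
    findings = []
    if plaintext in protected:
        findings.append("plaintext-still-present")
    new_keys = _keys_of(protected)
    if new_keys.count(key) != 1:
        findings.append("sensitive-key-count!=1")
    marker = f"{key}.protected={scheme}"
    if marker not in protected.splitlines():
        findings.append("protected-marker-missing")
    for name in _keys_of(original):  # a lost key silently changes the config
        if name not in new_keys:
            findings.append(f"lost-key:{name}")
    return findings


if __name__ == "__main__":
    for label, fn in (("prefix", protect_by_prefix), ("exact", protect_exact)):
        rewritten = fn(ORIGINAL, KEY, CIPHERTEXT, SCHEME)
        print(f"--- {label} ---\n{rewritten}findings: {audit(ORIGINAL, rewritten, KEY, PLAINTEXT, SCHEME)}\n")
```

      Running the script prints the two rewritten files; the prefix variant reproduces the report's output (ciphertext and marker in the position of the key.provider.implementation line, plaintext key still present) and the audit flags it, while the exact variant passes cleanly.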

            People

              exceptionfactory David Handermann
              alopresto Andy LoPresto