If the flowfile repository changes from encrypted -> unencrypted or vice versa on startup, the application should handle the change.
- Unencrypted -> encrypted: This is handled by default for SequentialAccessWriteAheadLog -> EncryptedSequentialAccessWriteAheadLog, but RocksDBFlowFileRepository and MinimalLockingWriteAheadLog are not yet covered.
- Encrypted -> unencrypted: Detect encrypted flowfile records and change the SerDeFactory logic to instantiate the encrypted serde for decryption during initial recovery only. This depends on the key(s) for the key IDs used still being available via nifi.properties.
This process may be very slow given large existing repositories, so a standalone tool should also be made available to perform this process outside of the running app.
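
A pre-flight check for the key dependency in the encrypted -> unencrypted case, as an added example (not NiFi code): it reports which key IDs used by the existing repository cannot be resolved from nifi.properties. Assumptions: keys are configured as plain hex in the StaticKeyProvider-style properties `nifi.flowfile.repository.encryption.key.id`, `nifi.flowfile.repository.encryption.key` and `nifi.flowfile.repository.encryption.key.id.<id>`; the list of key IDs found in the repository is supplied by the caller; the function names and sample values are hypothetical.

```python
import re

PREFIX = "nifi.flowfile.repository.encryption.key"
# Assumption: keys are plain hex AES keys (128, 192 or 256 bit).
HEX_KEY = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})")

def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def available_keys(props):
    """Map key ID -> hex key for the active key and any additional keys."""
    keys = {}
    active_id = props.get(PREFIX + ".id", "")
    if active_id and props.get(PREFIX):
        keys[active_id] = props[PREFIX]
    for name, value in props.items():
        if name.startswith(PREFIX + ".id.") and value:
            keys[name[len(PREFIX) + 4:]] = value  # strip the ".id." infix
    return keys

def check_recovery_keys(props_text, key_ids_in_repo):
    """Return {key_id: problem} for each key ID recovery needs but cannot use."""
    keys = available_keys(parse_properties(props_text))
    problems = {}
    for key_id in sorted(set(key_ids_in_repo)):
        if key_id not in keys:
            problems[key_id] = "missing"
        elif not HEX_KEY.fullmatch(keys[key_id]):
            problems[key_id] = "malformed"
    return problems

# Constructed sample with dummy key material; Key1 is deliberately too short.
GOOD_KEY = "0123456789ABCDEFFEDCBA9876543210" * 2
SAMPLE = (
    f"{PREFIX}.id=Key2\n"
    f"{PREFIX}={GOOD_KEY}\n"
    f"{PREFIX}.id.Key1=DEADBEEF\n"
)

if __name__ == "__main__":
    print(check_recovery_keys(SAMPLE, ["Key0", "Key1", "Key2"]))
```

An empty result means every key ID the repository references is still resolvable; any entry means recovery of the records encrypted under that key ID would fail.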