Simon's suggestion is the best out-of-the-box solution. NiFi does not provide key storage, as that is not part of the core feature set of data flow.
If you wish to integrate with an HSM or software-defined sensitive data vault, at this time, you'll need to write that connector yourself via whatever mechanism it exposes (Java API, PKCS#11, etc.).

Andy LoPresto
[email protected]
[email protected]
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69

> On Dec 18, 2016, at 11:26, Jonathan Telfer <[email protected]> wrote:
>
> Hi Simon
>
> Thanks for the quick response. I was aware of the sensitive property (already using it for a password field) but I wasn’t aware it might be appropriate for storing the key material for the sha256 itself. Was expecting to have to use some kind of key store service.
>
> I’ll give that a try.
>
> Thanks
>
>> On 18 Dec 2016, at 10:19, Simon Elliston Ball <[email protected]> wrote:
>>
>> This sounds like a job for sensitive properties to me. If you create a property on your custom processor and mark it with .sensitive(true) in your builder, then the value stored in the flow conf will be available as a regular property, but encrypted on disk with a key specified in the nifi.properties. See
>> https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java#L172
>> for an example of how this works.
>>
>> Simon
>>
>>> On 18 Dec 2016, at 09:32, Jonathan Telfer <[email protected]> wrote:
>>>
>>> Hi all
>>>
>>> I'm currently writing a custom processor to access a non standard messaging protocol. The protocol requires each call to contain an authorization header signed by a sha256 hmac.
>>>
>>> I'm using commons HmacUtils to generate the signature, but I need advice on the best way to store the secret key and make it available to the processor.
>>>
>>> Thanks.
