Understood, thanks Andy.

Jonathan

On 18 December 2016 at 14:58, Andy LoPresto <[email protected]> wrote:

> Simon's suggestion is the best out of the box solution. NiFi does not provide key storage, as that is not part of the core feature set of data flow.
>
> If you wish to integrate with an HSM or software-defined sensitive data vault, at this time, you'll need to write that connector yourself via whatever mechanism it exposes (Java API, PKCS#11, etc.).
>
> Andy LoPresto
> [email protected]
> [email protected]
> PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4 BACE 3C6E F65B 2F7D EF69
>
> On Dec 18, 2016, at 11:26, Jonathan Telfer <[email protected]> wrote:
>
> Hi Simon
>
> Thanks for the quick response. I was aware of the sensitive property (already using it for a password field) but I wasn't aware it might be appropriate for storing the key material for the sha256 itself. Was expecting to have to use some kind of key store service.
>
> I'll give that a try.
>
> Thanks
>
> On 18 Dec 2016, at 10:19, Simon Elliston Ball <[email protected]> wrote:
>
> This sounds like a job for sensitive properties to me. If you create a property on your custom processor and mark it with .sensitive(true) in your builder, then the value stored in the flow conf will be available as a regular property, but encrypted on disk with a key specified in the nifi.properties. See https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GetHTTP.java#L172 for an example of how this works.
>
> Simon
>
> On 18 Dec 2016, at 09:32, Jonathan Telfer <[email protected]> wrote:
>
> Hi all
>
> I'm currently writing a custom processor to access a non standard messaging protocol. The protocol requires each call to contain an authorization header signed by a sha256 hmac.
>
> I'm using commons HmacUtils to generate the signature, but I need advice on the best way to store the secret key and make it available to the processor.
>
> Thanks.
