Using DataFlow Provenance Tools
How does it work?

The WriteAheadProvenanceRepository was introduced in NiFi 1.2.0 and provided a refactored and much faster provenance repository implementation than the previous PersistentProvenanceRepository. The encrypted version wraps that implementation with a record writer and reader which encrypt and decrypt the serialized bytes respectively.

The fully qualified class org.apache.nifi.provenance.EncryptedWriteAheadProvenanceRepository is specified as the provenance repository implementation in as the value of nifi.provenance.repository.implementation.


The StaticKeyProvider implementation defines keys directly in Individual keys are provided in hexadecimal encoding. The keys can also be encrypted like any other sensitive property in using the encrypt config tool in the NiFi Toolkit.

The following configuration section would result in a key provider with two available keys, "Key1" (active) and "AnotherKey".


The FileBasedKeyProvider implementation reads from an encrypted definition file of the format:


Each line defines a key ID and then the Base64-encoded cipher text of a 16-byte IV and a wrapped AES-128, AES-192, or AES-256 key, depending on the JCE policies available. The individual keys are wrapped by AES/GCM encryption using the master key defined by nifi.bootstrap.sensitive.key in conf/bootstrap.conf.

Key Rotation

Simply update to reference a new key ID in Previously-encrypted events can still be decrypted as long as that key is still available in the key definition file or<OldKeyID> as the key ID is serialized alongside the encrypted record.
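The two mechanisms described above, the wrapped-key definition file and the key ID serialized alongside each encrypted record, are shown together in the following example. It is added here and is not NiFi's own code: it uses Go's standard library rather than the Java JCE, assumes a `keyId=<base64>` line layout for the definition file, and assumes records are sealed with the same 16-byte IV convention the page describes for wrapped keys. All key material is constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ivLen is the 16-byte IV the page describes for wrapped keys (assumed here
// to apply to record encryption as well).
const ivLen = 16

// gcmFor returns an AES/GCM AEAD over key that accepts 16-byte IVs.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, ivLen)
}

// seal encrypts plaintext under key with a fresh random IV and returns IV || ciphertext+tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, 0, ivLen+len(plaintext)+gcm.Overhead())
	out = append(out, iv...)
	return gcm.Seal(out, iv, plaintext, nil), nil
}

// open reverses seal: splits off the IV, then authenticates and decrypts the rest.
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < ivLen {
		return nil, errors.New("ciphertext shorter than IV")
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[:ivLen], blob[ivLen:], nil)
}

// wrapKey produces one definition-file value: Base64(IV || key wrapped under master).
func wrapKey(master, raw []byte) (string, error) {
	blob, err := seal(master, raw)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(blob), nil
}

// parseKeyDefinitions reads "keyId=<base64>" lines (the '=' separator is an
// assumption of this example) and unwraps each key with the master key.
// A wrong master key or a tampered line fails GCM authentication and is rejected.
func parseKeyDefinitions(master []byte, contents string) (map[string][]byte, error) {
	keys := map[string][]byte{}
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.SplitN(line, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed key definition line %q", line)
		}
		id := strings.TrimSpace(parts[0])
		blob, err := base64.StdEncoding.DecodeString(strings.TrimSpace(parts[1]))
		if err != nil {
			return nil, fmt.Errorf("key %q: %w", id, err)
		}
		raw, err := open(master, blob)
		if err != nil {
			return nil, fmt.Errorf("key %q: unwrap failed: %w", id, err)
		}
		if l := len(raw); l != 16 && l != 24 && l != 32 {
			return nil, fmt.Errorf("key %q: %d bytes is not an AES key length", id, l)
		}
		keys[id] = raw
	}
	return keys, sc.Err()
}

// Record models a serialized provenance event: the key ID is stored in clear beside the ciphertext.
type Record struct {
	KeyID string
	Blob  []byte
}

// encryptRecord seals plaintext under the currently active key ID.
func encryptRecord(keys map[string][]byte, keyID string, plaintext []byte) (Record, error) {
	key, ok := keys[keyID]
	if !ok {
		return Record{}, fmt.Errorf("active key %q not found in key provider", keyID)
	}
	blob, err := seal(key, plaintext)
	return Record{KeyID: keyID, Blob: blob}, err
}

// decryptRecord looks up the key by the ID carried in the record, so events
// written before a rotation stay readable as long as the old key is still defined.
func decryptRecord(keys map[string][]byte, rec Record) ([]byte, error) {
	key, ok := keys[rec.KeyID]
	if !ok {
		return nil, fmt.Errorf("record needs key %q, which is no longer available", rec.KeyID)
	}
	return open(key, rec.Blob)
}

// rotationDemo wraps two constructed keys, writes one record under Key1, rotates to
// AnotherKey, and reports whether the Key1 record still decrypts once Key1 is dropped.
func rotationDemo() (oldText, newText string, failsAfterDrop bool, err error) {
	// Constructed example key material; not real secrets.
	master, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	key1, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	key2, _ := hex.DecodeString("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")
	w1, err := wrapKey(master, key1)
	if err != nil {
		return
	}
	w2, err := wrapKey(master, key2)
	if err != nil {
		return
	}
	keys, err := parseKeyDefinitions(master, "Key1="+w1+"\nAnotherKey="+w2+"\n")
	if err != nil {
		return
	}
	r1, err := encryptRecord(keys, "Key1", []byte("event #1 under Key1"))
	if err != nil {
		return
	}
	r2, err := encryptRecord(keys, "AnotherKey", []byte("event #2 after rotation"))
	if err != nil {
		return
	}
	p1, err := decryptRecord(keys, r1)
	if err != nil {
		return
	}
	p2, err := decryptRecord(keys, r2)
	if err != nil {
		return
	}
	delete(keys, "Key1") // simulate removing the retired key from the definition file
	_, dropErr := decryptRecord(keys, r1)
	return string(p1), string(p2), dropErr != nil, nil
}

func main() {
	oldText, newText, fails, err := rotationDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s | %s | old record unreadable after dropping Key1: %v\n", oldText, newText, fails)
}
```

The demo makes the operational point of the rotation section concrete: changing the active key ID only affects newly written events, and a retired key must stay in the provider until every event encrypted under it has aged out of the repository.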