PingDirectory

Enabling data encryption during non-interactive setup

Enabling data encryption during setup provides the strongest protection for your PingDirectory server.

About this task

Enabling encryption during setup ensures that all data written to the local DB backends, the changelog, and the replication database will be encrypted. Enabling encryption during setup also ensures that directory backups and LDIF exports are encrypted by default.

If you enable encryption after setup, then only entries created or updated after enablement will be encrypted, along with their corresponding records in the LDAP changelog and replication database. Any data and indexes that existed before enabling encryption remain unencrypted. To encrypt pre-existing local DB backends, export the data to LDIF and then re-import the LDIF file. To ensure future encryption of backups and LDIF exports, set the encrypt-backups-by-default and encrypt-ldif-exports-by-default system configuration properties to true.

You can enable encryption in either interactive or non-interactive setup. For information on enabling encryption in interactive setup, see Installing the PingDirectory server in interactive mode.

To enable encryption non-interactively:

Steps

  • Run the setup command with one of the following arguments:

    Argument and description:

    --encryptDataWithRandomPassphrase
        Creates an encryption settings definition for you with a strong, randomly generated key.

        Because all instances in a topology should have the same encryption settings definitions, use this argument only for standalone instances or for the first instance in a topology, which will then export its definitions to the other instances.

    --encryptDataWithPassphraseFromFile
        Creates an encryption settings definition from a passphrase you specify. When using this argument, you must specify the path of the file containing the desired passphrase. If you are setting up multiple server instances, supply the same passphrase to each so that their definitions are consistent.

    --encryptDataWithSettingsImportedFromFile
        Imports one or more definitions from a file generated by the encryption-settings export command. When using this argument, you must specify the path of the file containing the passphrase that protects the encryption settings export.

    --encryptDataWithPreExistingEncryptionSettingsDatabase
        Uses the encryption settings definitions from an encryption settings database that was created by another server instance. For more information, see Setting up the server with an existing encryption settings database.
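As an added example (not part of the PingDirectory documentation or product), the following POSIX shell script prepares a passphrase file that only the owner can read, refuses to continue if the file is readable by anyone else, and then runs setup with --encryptDataWithPassphraseFromFile so that data is encrypted from the first write. Only --encryptDataWithPassphraseFromFile comes from this page; --no-prompt, --acceptLicense, --ldapPort, --rootUserDN, --rootUserPasswordFile, --baseDN and --addBaseEntry are assumed from a typical non-interactive setup invocation (confirm them against setup --help for your version), and PD_SETUP and the function names are the script's own.

```shell
#!/bin/sh
# Added example, not PingDirectory's own tooling. Prepares a private
# passphrase file and runs a non-interactive setup that encrypts data
# with a definition derived from that passphrase.
#
# Assumption: flags other than --encryptDataWithPassphraseFromFile
# (--no-prompt, --acceptLicense, --ldapPort, --rootUserDN,
# --rootUserPasswordFile, --baseDN, --addBaseEntry) follow the usual
# setup command line; verify them with `setup --help`.

# Path to the setup tool. Override, e.g. PD_SETUP=/opt/ds/setup.
: "${PD_SETUP:=./setup}"

# Write 32 random bytes (base64-encoded) to $1, created with mode 0600
# so the passphrase is never exposed through group/world permissions.
make_passphrase_file() {
    file=$1
    old_umask=$(umask)
    umask 077
    head -c 32 /dev/urandom | base64 > "$file"
    umask "$old_umask"
    chmod 600 "$file"   # also tighten a pre-existing file
}

# Succeeds only when the file's mode is exactly 0600 (owner rw only).
# Uses GNU stat first, then the BSD/macOS form.
passphrase_file_is_private() {
    case $(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") in
        600) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run setup non-interactively, encrypting all data from the start.
#   $1 = passphrase file (reuse the same file for every instance in a
#        topology so their encryption settings definitions match)
#   $2 = file holding the root user password
run_encrypted_setup() {
    passfile=$1
    rootpwfile=$2
    if ! passphrase_file_is_private "$passfile"; then
        echo "refusing: $passfile must be mode 0600" >&2
        return 1
    fi
    "$PD_SETUP" --no-prompt --acceptLicense \
        --ldapPort 1389 \
        --rootUserDN "cn=Directory Manager" \
        --rootUserPasswordFile "$rootpwfile" \
        --baseDN "dc=example,dc=com" --addBaseEntry \
        --encryptDataWithPassphraseFromFile "$passfile"
}

# Typical use (paths are placeholders):
#   make_passphrase_file /secure/pd-passphrase.txt
#   run_encrypted_setup /secure/pd-passphrase.txt /secure/root-password.txt
```

Keep the passphrase file outside the server's install directory and back it up separately: without it, a new instance cannot be set up with matching definitions, and losing the definitions means losing access to the encrypted backends, backups and LDIF exports.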