PingDirectory

Freezing the encryption settings database

You can freeze the encryption settings database with a specified passphrase. While it is frozen, the database operates in read-only mode.

About this task

If the encryption settings database is frozen, the server can use the database for data encryption processing but will not allow any of the following:

  • Creating new encryption settings definitions

  • Importing encryption settings definitions from an exported set

  • Removing encryption settings definitions

  • Specifying which definition is preferred for new encryption operations

  • Adding or removing data encryption restrictions

To make changes to a frozen database, you must unfreeze it by providing the passphrase originally used to freeze it.

Steps

  • To freeze the encryption settings database, use the encryption-settings freeze command.

    This command supports the --passphrase-file <path> argument, which specifies the path to a file containing the passphrase to use for freezing the encryption settings database. If the argument is not provided, the encryption-settings freeze command prompts the user for the passphrase.

    Example:

    $ bin/encryption-settings freeze
    Enter the passphrase to use to freeze the encryption settings database:
    Confirm the freeze passphrase:
    Successfully froze the encryption settings database.

  • To unfreeze the encryption settings database, use the encryption-settings unfreeze command and provide the passphrase originally used to freeze the database.

    This command supports the --passphrase-file <path> argument, which specifies the path to a file containing the passphrase to use for unfreezing the encryption settings database. If this argument is not provided, the encryption-settings unfreeze command prompts the user for the passphrase.

    Example:

    $ bin/encryption-settings unfreeze
    Enter the passphrase used to freeze the encryption settings database:
    Successfully unfroze the encryption settings database.

  • To determine whether the encryption settings database is currently frozen, use the encryption-settings is-frozen command.

    This command does not require any arguments.

    Example:

    $ bin/encryption-settings is-frozen
    The encryption settings database was frozen at Mon Mar 06 22:42:10 UTC 2023.
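
When the freeze and unfreeze steps above are scripted with --passphrase-file, the file on disk holds the passphrase in clear text. The following wrapper is an added example, not part of the product or its documentation: it refuses to call the tool unless the file is a regular, non-empty file owned by the current user with no group or other access. The function names, the ES_CMD variable, and the owner-only policy are assumptions of this example, not requirements stated by the tool.

```shell
# Added example: guard the file passed to --passphrase-file before use.
# ES_CMD defaults to the command path shown on this page; the function names
# and the permission policy below are assumptions of this example.
ES_CMD="${ES_CMD:-bin/encryption-settings}"

# Return 0 only if the passphrase file is a regular, non-empty file owned by
# the current user with no group/other permission bits set.
check_passphrase_file() {
    pf="$1"
    if [ -L "$pf" ] || [ ! -f "$pf" ]; then
        echo "passphrase file must be a regular file, not a symlink: $pf" >&2
        return 1
    fi
    if [ ! -s "$pf" ]; then
        echo "passphrase file is empty: $pf" >&2
        return 1
    fi
    if [ ! -O "$pf" ]; then
        echo "passphrase file is not owned by the current user: $pf" >&2
        return 1
    fi
    # Mode string from ls, e.g. "-rw-------"; characters 5-10 are group/other.
    mode=$(ls -ld -- "$pf" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *) echo "passphrase file is group/world accessible ($mode): $pf" >&2
           return 1 ;;
    esac
}

# Freeze non-interactively, refusing to run if the file check fails.
freeze_with_file() {
    check_passphrase_file "$1" || return 1
    "$ES_CMD" freeze --passphrase-file "$1"
}

# Unfreeze with the same passphrase that was used to freeze.
unfreeze_with_file() {
    check_passphrase_file "$1" || return 1
    "$ES_CMD" unfreeze --passphrase-file "$1"
}
```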