---
title: Configuring password encryption
description: You must follow this procedure when synchronizing passwords from a PingDirectory server to Active Directory (AD), or when synchronizing clear text passwords.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdatasync_server_administration_guide:pd_sync_config_password_encryption
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdatasync_server_administration_guide/pd_sync_config_password_encryption.html
revdate: January 22, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  next-steps: Next steps
---

# Configuring password encryption

You must follow this procedure when synchronizing passwords from a PingDirectory server to Active Directory (AD), or when synchronizing clear text passwords.

## About this task

These steps aren't required for the following scenarios:

* Synchronizing from AD to a PingDirectory server

* Excluding password synchronization

## Steps

1. On the PingDirectory server that will receive the password modifications, enable the Change Log Password Encryption component. The component intercepts password modifications, encrypts the password, and adds an encrypted attribute, `ds-changelog-encrypted-password`, to the change log entry. The encryption key can be copied from the output if displayed, or accessed from the `<serverroot>/bin/sync-pipe-cfg.txt` file.

   ```shell
   $ bin/dsconfig set-plugin-prop \
     --plugin-name "Changelog Password Encryption" \
     --set enabled:true \
     --set changelog-password-encryption-key:<key>
   ```

2. On PingDataSync, set the decryption key used to decrypt the user password value in the change log entries. The key allows the user password to be synchronized to other servers that do not use the same password storage scheme.

   ```shell
   $ bin/dsconfig set-global-sync-configuration-prop \
     --set changelog-password-decryption-key:ej5u9e39pqo68
   ```
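
Step 2 has to decrypt what step 1 encrypted, so both properties must carry the same key, and the sample value printed in step 2 is public. The shell functions below are an added example, not Ping Identity code: they generate a random key, reject the documented sample value, and write both commands to owner-only files for review. The function names, the 32-character minimum, the alphanumeric restriction, and the output file names are assumptions.

```shell
#!/bin/sh
# Added example (not Ping Identity code): one random key, two matching commands.

DOC_SAMPLE_KEY='ej5u9e39pqo68'  # sample value printed in step 2 of this page
MIN_KEY_LEN=32                  # assumption: local policy minimum, not a product limit

# gen_key: print 32 hex characters (128 random bits) read from /dev/urandom.
gen_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# check_key KEY: succeed only for a key that is acceptable to deploy.
check_key() {
    case $1 in
        ''|"$DOC_SAMPLE_KEY"|'<key>') return 1 ;;  # empty, doc sample, placeholder
        *[!A-Za-z0-9]*) return 1 ;;  # assumption: keep to alphanumerics so the
                                     # generated scripts need no extra quoting
    esac
    [ "${#1}" -ge "$MIN_KEY_LEN" ]
}

# write_cmds DIR KEY: write both steps to owner-only files in DIR, using the
# same KEY for the encryption (step 1) and decryption (step 2) properties.
write_cmds() {
    check_key "$2" || return 1
    (
        umask 077
        printf '%s\n' 'bin/dsconfig set-plugin-prop \' \
            '  --plugin-name "Changelog Password Encryption" \' \
            '  --set enabled:true \' \
            "  --set changelog-password-encryption-key:$2" \
            > "$1/step1-pingdirectory.sh" &&
        printf '%s\n' 'bin/dsconfig set-global-sync-configuration-prop \' \
            "  --set changelog-password-decryption-key:$2" \
            > "$1/step2-pingdatasync.sh"
    )
}

# Usage: key=$(gen_key) && write_cmds /path/to/private/dir "$key"
```

Run each generated file from the matching server root, then delete it once the key is stored wherever your secrets are kept.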

## Next steps

Test the configuration or populate data in the destination servers using the [bulk comparison capability of the resync tool](pd_sync_pds_operations.html#bulk_resync). Then, use the `realtime-sync` tool to start synchronizing the data. If synchronizing passwords, install the Password Sync Agent (PSA) on all of the domain controllers in the topology.

To synchronize passwords from PingDirectory to AD, you must use the `realtime-sync` tool. The `resync` tool isn't supported for this operation.
