---
title: Enabling data encryption during setup
description: Data encryption should be enabled when running setup, which ensures that all data added to the server is encrypted and also configures the server to automatically encrypt backups and LDIF exports.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_enable_data_encryption
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_enable_data_encryption.html
revdate: September 13, 2023
---

# Enabling data encryption during setup

Data encryption should be enabled when running setup, which ensures that all data added to the server is encrypted and also configures the server to automatically encrypt backups and LDIF exports.

The interactive setup process, which starts when `setup` is run without any arguments, guides you through enabling data encryption. If you're using non-interactive setup or `manage-profile setup`, enable data encryption by providing one of the following arguments.

| Argument                                                 | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| -------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `--encryptDataWithPassphraseFromFile` | Specifies the path to a file that contains the passphrase used to generate the encryption settings definition that encrypts the data. If you provide the same passphrase when setting up multiple instances of the server, then each generates the same encryption settings definition, and each instance can access data encrypted by the other instances. |
| `--encryptDataWithSettingsImportedFromFile`              | Specifies the path to a file that contains one or more encryption settings definitions to be imported into the newly created encryption settings database. Use the `--encryptionSettingsExportPassphraseFile` argument to provide the path to a file containing the passphrase used to encrypt those definitions. If you import the same encryption settings definitions into all servers in the topology, then each instance can access data encrypted by the other instances. See the Exporting encryption settings definitions section for more information on exporting the contents of the encryption settings database.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| `--encryptDataWithRandomPassphrase`                      | Indicates that the server should enable data encryption with an encryption settings definition created from a randomly generated passphrase. If you use this option to set up multiple instances, then they will not have the same encryption settings definitions, and data encrypted by one instance is not accessible on other instances unless the encryption settings definitions are synchronized across all of those instances.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| `--encryptDataWithPreExistingEncryptionSettingsDatabase` | Indicates that the server should enable data encryption using the definitions from a pre-existing encryption settings database. This database can be protected with any cipher stream provider supported by the server, configured with data encryption restrictions, and frozen so that its contents are immutable. If you set up the server with a pre-existing encryption settings database, you should use the `manage-profile setup` tool. The server profile must meet the requirements listed below the table. |

Server profile requirements for `--encryptDataWithPreExistingEncryptionSettingsDatabase`:

- The `setup-arguments.txt` file must include the `--encryptDataWithPreExistingEncryptionSettingsDatabase` argument.

- The server profile must contain the `server-root/pre-setup/config/encryption-settings/encryption-settings-db` file, which represents the encryption settings database to use for the new server instance.

- The `pre-setup-dsconfig` directory must exist and it must contain one or more `dsconfig` batch files with the changes needed to set up and enable the cipher stream provider to use with the encryption settings database.

- The `server-root/pre-setup` directory should include any metadata files that the cipher stream provider needs to access the encryption settings database.
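
The server profile requirements for `--encryptDataWithPreExistingEncryptionSettingsDatabase` can be checked before running `manage-profile setup`. The following script is an added example, not part of the product or its documentation. The function name `check_profile` is hypothetical, and the script assumes that `setup-arguments.txt`, `pre-setup-dsconfig`, and `server-root` all sit directly under the profile root directory.

```shell
#!/bin/sh
# Added example: pre-flight check of a server profile against the
# requirements listed above.
# Assumption: all paths are relative to the profile root directory.

ARG='--encryptDataWithPreExistingEncryptionSettingsDatabase'
ESDB='server-root/pre-setup/config/encryption-settings/encryption-settings-db'

# check_profile PROFILE_DIR
# Prints one line per unmet requirement; returns 0 only if all checks pass.
check_profile() {
    profile=$1
    rc=0

    # Requirement 1: setup-arguments.txt must include the argument.
    # -F matches a fixed string; -e stops the leading "--" from being
    # parsed as a grep option.
    if ! grep -qF -e "$ARG" "$profile/setup-arguments.txt" 2>/dev/null; then
        echo "FAIL: setup-arguments.txt is missing or lacks $ARG"
        rc=1
    fi

    # Requirement 2: the encryption settings database file must be present.
    if [ ! -f "$profile/$ESDB" ]; then
        echo "FAIL: $ESDB not found"
        rc=1
    fi

    # Requirement 3: pre-setup-dsconfig must exist and hold at least one
    # batch file. Any regular file counts here, because the page does not
    # state a naming rule for the batch files.
    if [ ! -d "$profile/pre-setup-dsconfig" ] ||
       [ -z "$(find "$profile/pre-setup-dsconfig" -type f | head -n 1)" ]; then
        echo "FAIL: pre-setup-dsconfig is missing or contains no batch files"
        rc=1
    fi

    # Requirement 4 (cipher stream provider metadata files under
    # server-root/pre-setup) depends on the provider in use, so it is
    # left to manual review.
    return $rc
}

# Constructed demo: an empty profile directory fails all three checks.
demo=$(mktemp -d)
check_profile "$demo" || echo "Profile is not ready for manage-profile setup"
rm -rf "$demo"
```
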
