---
title: Configuring data encryption restrictions
description: The PingDirectory server supports several data encryption restrictions that make it harder for unauthorized individuals to access data in an unencrypted form.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_config_encryption_restrictions
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_config_encryption_restrictions.html
revdate: July 4, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Configuring data encryption restrictions

The PingDirectory server supports several data encryption restrictions that make it harder for unauthorized individuals to access data in an unencrypted form.

## About this task

By default, none of the available data encryption restrictions are active in the server.

## Steps

* To configure data encryption restrictions, use the `encryption-settings set-data-encryption-restrictions` command with one of the following arguments.

  | Arguments                                 | Description                                                                                                                                                       |
  | ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  | `--add-restriction <restriction-name>`    | Activates the specified encryption restriction in the server. You can provide this argument multiple times with a single command to add multiple restrictions.    |
  | `--remove-restriction <restriction-name>` | Removes the specified encryption restriction from the server. You can provide this argument multiple times with a single command to remove multiple restrictions. |
  | `--remove-all-restrictions`               | Removes any data encryption restrictions that are currently in place.                                                                                             |
  | `--add-all-restrictions`                  | Activates all supported data encryption restrictions that are not already active.                                                                                 |

  ### Example:

  ```shell
  $ bin/encryption-settings set-data-encryption-restrictions \
      --add-all-restrictions
  ```

  After the successful completion of the previous command, you receive a message like the following:

  ```
  Successfully updated the set of active data encryption restrictions.

  The updated set of active data encryption restrictions is:
  * prevent-disabling-data-encryption.
  * prevent-changing-cipher-stream-provider.
  * prevent-encryption-settings-export.
  * prevent-unencrypted-ldif-export.
  * prevent-passphrase-encrypted-ldif-export.
  * prevent-unencrypted-backup.
  * prevent-passphrase-encrypted-backup.
  * prevent-decrypt-file.
  ```

* To determine which data encryption restrictions are active in the server, use the `encryption-settings get-data-encryption-restrictions` command.

  If you are defining data encryption restrictions in the server, freeze the encryption settings database so that these restrictions cannot be modified by anyone without the appropriate passphrase. For more information, see [Freezing the encryption settings database](../pingdirectory_security_guide/pd_ds_freezing_encryption_settings_database.html).
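
The following drift check is an added example, not part of the PingDirectory documentation: it compares the active restrictions against the eight names in the sample output on this page and lists any that are missing. It assumes `get-data-encryption-restrictions` prints active restrictions as the same `* <name>.` bullets shown for the set command; the function names and the sample text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report data encryption restrictions that are not active.
# The required set is the eight names from the sample output on this page.
REQUIRED_RESTRICTIONS="prevent-disabling-data-encryption
prevent-changing-cipher-stream-provider
prevent-encryption-settings-export
prevent-unencrypted-ldif-export
prevent-passphrase-encrypted-ldif-export
prevent-unencrypted-backup
prevent-passphrase-encrypted-backup
prevent-decrypt-file"

# Extract restriction names from tool output on stdin.
# Assumption: each active restriction is a "* <name>." bullet line.
parse_active_restrictions() {
  sed -n 's/^[[:space:]]*\*[[:space:]]*\([a-z][a-z-]*\)\.\{0,1\}[[:space:]]*$/\1/p'
}

# Print every required restriction absent from the output on stdin.
# Returns 0 when nothing is missing, 1 otherwise.
missing_restrictions() {
  local active name missing=0
  active="$(parse_active_restrictions)"
  for name in $REQUIRED_RESTRICTIONS; do
    if ! printf '%s\n' "$active" | grep -qxF -- "$name"; then
      printf '%s\n' "$name"
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample (not captured from a real server): two restrictions
# have been removed since the baseline was applied.
SAMPLE_OUTPUT='The active data encryption restrictions are:
* prevent-disabling-data-encryption.
* prevent-changing-cipher-stream-provider.
* prevent-encryption-settings-export.
* prevent-unencrypted-ldif-export.
* prevent-passphrase-encrypted-ldif-export.
* prevent-passphrase-encrypted-backup.'

# Demo on the constructed sample. Against a server, pipe the real output:
#   bin/encryption-settings get-data-encryption-restrictions | missing_restrictions
if ! printf '%s\n' "$SAMPLE_OUTPUT" | missing_restrictions; then
  echo "WARNING: the restrictions listed above are not active" >&2
fi
```

A non-zero return from `missing_restrictions` makes the check usable as a gate in a scheduled job or configuration audit.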
