---
title: Enabling data encryption in the server
description: Using data encryption ensures that all future operations written to the local backends, LDAP changelog, and replication database are protected from unauthenticated sources.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_enable_data_encryption_server
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_enable_data_encryption_server.html
revdate: September 13, 2023
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
---

# Enabling data encryption in the server

Enabling data encryption ensures that all subsequent writes to the local DB backends, the LDAP changelog, and the replication database are stored on disk in encrypted form, so the underlying database files cannot be read without the key held in the server's encryption settings database.

## About this task

If you enable data encryption after the server has already been set up and populated, data written before the change remains unencrypted in the local DB backends, the LDAP changelog, and the replication database, because the `encrypt-data` setting only affects subsequent writes. To make sure that all existing entries are encrypted, export every local DB backend to LDIF and re-import it after enabling encryption. The re-import also rebuilds the indexes, so they are encrypted as well. Encrypt the export itself (with the `--encryptLDIF` option of `export-ldif`, or by setting `encrypt-ldif-exports-by-default` to `true`) so that the intermediate LDIF file is not a plaintext copy of the data you are trying to protect. Existing LDAP changelog and replication database records are not rewritten by the re-import and remain unencrypted until they age out.

To enable data encryption:

## Steps

* Use the `dsconfig` tool with the `set-global-configuration-prop` subcommand to set `encrypt-data` to `true`. The related global properties in the following table control how the encryption settings database, backups, and LDIF exports are protected, and can be set in the same command.

  | Global property                                 | Configuration description |
  | ----------------------------------------------- | ------------------------- |
  | `encrypt-data`                                  | Indicates whether data encryption is enabled in the server.<br>- If set to `true`, subsequent writes to the local DB backends, the replication database, and the LDAP changelog are encrypted.<br>- If set to `false`, subsequent writes are stored in unencrypted form. |
  | `encryption-settings-cipher-stream-provider`    | Indicates which cipher stream provider protects the contents of the encryption settings database. By default, an instance of the file-based cipher stream provider is used, which encrypts the database with a key derived from a passphrase read from a specified file. |
  | `encrypt-backups-by-default`                    | Indicates whether the server encrypts backups by default.<br>- If set to `true` and `backup-encryption-settings-definition-id` is specified, that encryption settings definition is used to generate the encryption key for the backup.<br>- If no definition ID is specified, the server attempts to use the preferred encryption settings definition to generate the key.<br>- If the server is not configured with any encryption settings definitions, it uses an internal key shared across instances in the topology.<br>- You can override the property's value with the `backup` tool and either the `--encrypt` or `--doNotEncrypt` option. |
  | `backup-encryption-settings-definition-id`      | Specifies the unique identifier of the encryption settings definition used to generate the backup encryption key.<br>- If this property is given a value, a definition with that ID must exist in the server's encryption settings database.<br>- If this property is not given a value but the server is configured with at least one encryption settings definition, the preferred definition is used.<br>- If no encryption settings definitions are available, the server uses an internal key shared among servers in the topology.<br>- You can override the property's value with the `backup` tool: the `--promptForEncryptionPassphrase` or `--encryptionPassphraseFile` option generates the encryption key from the provided passphrase, and the `--encryptionSettingsDefinitionID` option generates it from the specified encryption settings definition. |
  | `encrypt-ldif-exports-by-default`               | Indicates whether the server encrypts LDIF exports by default.<br>- If set to `true` and `ldif-export-encryption-settings-definition-id` is specified, that encryption settings definition is used to generate the encryption key for the export.<br>- If no definition ID is specified, the server first tries to use the preferred encryption settings definition to generate the key.<br>- If the server is not configured with any encryption settings definitions, it uses an internal key shared among instances in the topology.<br>- You can override the property's value with the `export-ldif` tool and either the `--encryptLDIF` or `--doNotEncryptLDIF` option. |
  | `automatically-compress-encrypted-ldif-exports` | Indicates whether to automatically compress LDIF exports that are encrypted. If set to `true`, any LDIF export that is encrypted, either with the `--encryptLDIF` option or because `encrypt-ldif-exports-by-default` is set, is gzip-compressed. |

  ### Example:

  ```shell
  $ bin/dsconfig set-global-configuration-prop --set encrypt-data:true
  ```
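The following script is an added example and is not part of the PingDirectory documentation. It carries the whole procedure above through on a single server: a preflight check that an encryption settings definition exists (otherwise backups and exports fall back to the internal key shared by every server in the topology), the `dsconfig` change, and then, per local DB backend, an encrypted backup followed by an encrypted and compressed LDIF export and re-import so that existing entries and indexes are rewritten in encrypted form. The server root, LDAP port, bind DN, password file, working directory and backend IDs are assumptions; so are the `import-ldif` options `--isEncrypted` and `--isCompressed`, which should be confirmed against `bin/import-ldif --help` for your version. A `plan` mode prints the commands without running them.

```shell
#!/bin/sh
# Added example, not part of the PingDirectory documentation: enable data
# encryption on one server, then export and re-import each local DB backend
# so that existing entries and indexes are rewritten in encrypted form.
# Assumptions (not stated on the page): the paths, bind DN, port and backend
# IDs below, and the import-ldif options --isEncrypted and --isCompressed,
# which should be confirmed against "bin/import-ldif --help" for your version.
set -u

PD_HOME="${PD_HOME:-/opt/ping/PingDirectory}"               # server root (assumed)
LDAP_PORT="${LDAP_PORT:-1389}"                               # LDAP port (assumed)
BIND_DN="${BIND_DN:-cn=Directory Manager}"                   # admin bind DN (assumed)
BIND_PW_FILE="${BIND_PW_FILE:-/opt/ping/secrets/dirmgr.pw}"  # password file (assumed)
WORK_DIR="${WORK_DIR:-/var/tmp/pd-reencrypt}"                # holds encrypted LDIF and backups
BACKENDS="${BACKENDS:-userRoot}"                             # space-separated local DB backend IDs
DRY_RUN="${DRY_RUN:-0}"                                      # 1 = print commands instead of running them

# run: execute a command, or print it (one command per line) when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# preflight: create a private working directory and list the encryption
# settings definitions. If the list is empty, backups and LDIF exports use the
# internal key shared by every server in the topology; create a definition first.
preflight() {
  run mkdir -p "$WORK_DIR"
  run chmod 700 "$WORK_DIR"
  run "$PD_HOME/bin/encryption-settings" list
}

# enable_encryption: set the global properties while the server is running.
# encrypt-data only affects subsequent writes; the re-import below covers the rest.
enable_encryption() {
  run "$PD_HOME/bin/dsconfig" --no-prompt \
    --hostname localhost --port "$LDAP_PORT" \
    --bindDN "$BIND_DN" --bindPasswordFile "$BIND_PW_FILE" \
    set-global-configuration-prop \
    --set encrypt-data:true \
    --set encrypt-backups-by-default:true \
    --set encrypt-ldif-exports-by-default:true \
    --set automatically-compress-encrypted-ldif-exports:true
}

# reencrypt_backend: take an encrypted backup of the pre-change data, then export
# to an encrypted, compressed LDIF file and import it again. Export and import run
# offline here, so the server must be stopped first. --encrypt and --encryptLDIF
# are passed explicitly so no plaintext copy reaches disk even if the
# *-by-default properties were not applied.
reencrypt_backend() {
  backend="$1"
  ldif="$WORK_DIR/$backend.ldif.gz"
  run "$PD_HOME/bin/backup" --backendID "$backend" \
    --backupDirectory "$WORK_DIR/backup-$backend" --encrypt
  run "$PD_HOME/bin/export-ldif" --backendID "$backend" \
    --ldifFile "$ldif" --encryptLDIF --compressLDIF
  run "$PD_HOME/bin/import-ldif" --backendID "$backend" \
    --ldifFile "$ldif" --isEncrypted --isCompressed   # options assumed; see header
}

# reencrypt_all: the complete procedure, in order.
reencrypt_all() {
  preflight
  enable_encryption
  run "$PD_HOME/bin/stop-server"
  for b in $BACKENDS; do
    reencrypt_backend "$b"
  done
  run "$PD_HOME/bin/start-server"
}

# Usage: sh reencrypt.sh plan   (print the commands that would run)
#        sh reencrypt.sh apply  (run them)
case "${1:-}" in
  plan)  DRY_RUN=1; reencrypt_all ;;
  apply) reencrypt_all ;;
esac
```

Run `plan` first and review the printed command list; in a replicated topology, re-importing one server's backend from LDIF requires the other servers to be re-initialized from it afterwards, which this single-server script does not do.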
