---
title: About the encryption settings database
description: The encryption settings database is a repository that holds information for encrypting and decrypting data.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_server_administration_guide:pd_ds_encryption_settings_database
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_server_administration_guide/pd_ds_encryption_settings_database.html
revdate: September 13, 2023
section_ids:
  implementing-encryption-settings-definitions: Implementing encryption settings definitions
---

# About the encryption settings database

The encryption settings database is a repository that holds information for encrypting and decrypting data.

The database contains encryption settings definitions. Each definition specifies the cipher transformation to use to encrypt the data and encapsulates the key used for encryption and decryption. Before enabling data encryption, you must [create an encryption settings definition](pd_ds_create_encryption_settings_def.html).

You can use the `encryption-settings` tool to manage the encryption settings database, including:

* Creating, deleting, exporting, and importing encryption settings definitions

* Listing the available definitions

* Indicating which definition to use for subsequent encryption operations

* Managing data encryption restrictions to impose on the server

* Freezing and unfreezing the encryption settings database

* Supplying the passphrase needed for the Wait for Passphrase cipher stream provider

For more about the `encryption-settings` tool, see [Using the encryption-settings tool](pd_ds_encryption_settings_tool.html).

## Implementing encryption settings definitions

Although the encryption settings database can hold multiple encryption settings definitions, only one of them can be designated as the preferred definition. The preferred encryption settings definition is used for all subsequent encryption operations. Any existing data that has not yet been encrypted remains unencrypted until it is rewritten, for example as the result of a `modify` or `modifyDN` operation, or when the data is exported to LDIF and re-imported.

If you introduce a new preferred encryption settings definition, any existing encrypted data continues to be protected by the definition it was encrypted with until it is rewritten. If you change the preferred encryption settings definition for the server, keep the previous definitions in the database until you have verified that no remaining data still uses the older keys.
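The lifecycle described above (several definitions in the database, one preferred, old data staying on its original key until rewritten, and old definitions kept until nothing references them) can be modelled in a few dozen lines. The following is an added illustration and is not PingDirectory code: the class names, the record layout (definition ID, nonce, ciphertext, HMAC tag) and the toy cipher (a SHA-256 counter-mode keystream with an HMAC-SHA256 tag) are stand-ins chosen so the example runs with the Python standard library alone, and say nothing about how the server actually stores or encrypts data. What it does show is why each encrypted record must carry the identifier of the definition that protects it, and why deleting a definition before every record has been rewritten loses data.

```python
"""Toy model of an encryption settings database with one preferred definition.
Added illustration, not PingDirectory's implementation; the cipher is a stand-in."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class EncryptionSettingsDefinition:
    """An identifier, the cipher transformation it names, and the key it encapsulates."""
    definition_id: str
    cipher_transformation: str
    key: bytes


class DefinitionInUse(Exception):
    """Raised when a definition that still protects stored data would be deleted."""


class EncryptionSettingsDatabase:
    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self):
        self.definitions = {}
        self.preferred_id = None

    def create(self, definition_id, set_preferred=False):
        if definition_id in self.definitions:
            raise ValueError(f"definition {definition_id!r} already exists")
        defn = EncryptionSettingsDefinition(
            definition_id, "SHA256-CTR+HMAC-SHA256 (toy stand-in)", os.urandom(32))
        self.definitions[definition_id] = defn
        # The first definition becomes preferred automatically; later ones only on request.
        if set_preferred or self.preferred_id is None:
            self.preferred_id = definition_id
        return defn

    def set_preferred(self, definition_id):
        if definition_id not in self.definitions:
            raise KeyError(definition_id)
        self.preferred_id = definition_id

    @staticmethod
    def _keystream(key, nonce, length):
        # Counter-mode keystream from SHA-256; stands in for the real cipher transformation.
        out, counter = bytearray(), 0
        while len(out) < length:
            out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
            counter += 1
        return bytes(out[:length])

    def encrypt(self, plaintext):
        # New data is always written under the preferred definition.
        defn = self.definitions[self.preferred_id]
        id_bytes = defn.definition_id.encode()
        nonce = os.urandom(self.NONCE_LEN)
        stream = self._keystream(defn.key, nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, stream))
        # Record layout: id_len(1) | definition id | nonce | ciphertext | HMAC tag.
        header = bytes([len(id_bytes)]) + id_bytes + nonce
        tag = hmac.new(defn.key, header + body, hashlib.sha256).digest()
        return header + body + tag

    @staticmethod
    def definition_id_of(record):
        return record[1:1 + record[0]].decode()

    def decrypt(self, record):
        # The record names the definition that protects it, not the preferred one.
        id_len = record[0]
        defn = self.definitions.get(record[1:1 + id_len].decode())
        if defn is None:
            raise KeyError("definition no longer in the database: data is unrecoverable")
        header_len = 1 + id_len + self.NONCE_LEN
        header, body = record[:header_len], record[header_len:-self.TAG_LEN]
        expected = hmac.new(defn.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record[-self.TAG_LEN:]):
            raise ValueError("authentication tag mismatch")
        nonce = header[1 + id_len:]
        return bytes(c ^ k for c, k in zip(body, self._keystream(defn.key, nonce, len(body))))

    def rewrite(self, record):
        """Re-encrypt under the current preferred definition, as a modify or re-import would."""
        return self.encrypt(self.decrypt(record))

    def definitions_in_use(self, records):
        return {self.definition_id_of(r) for r in records}

    def delete(self, definition_id, records):
        # Refuse to drop the preferred definition or one that still protects stored data.
        if definition_id == self.preferred_id:
            raise DefinitionInUse("cannot delete the preferred definition")
        if definition_id in self.definitions_in_use(records):
            raise DefinitionInUse(f"{definition_id} still protects stored data")
        del self.definitions[definition_id]


def rotation_demo():
    """Walk through a key rotation; constructed sample DNs, not real directory data."""
    db = EncryptionSettingsDatabase()
    db.create("def-A")
    plaintexts = [b"uid=alice,ou=people,dc=example,dc=com", b"uid=bob,ou=people,dc=example,dc=com"]
    old_records = [db.encrypt(p) for p in plaintexts]
    db.create("def-B", set_preferred=True)           # rotate: new writes use def-B
    new_record = db.encrypt(b"uid=carol,ou=people,dc=example,dc=com")
    in_use_before = db.definitions_in_use(old_records + [new_record])
    try:
        db.delete("def-A", old_records + [new_record])
        early_delete_blocked = False
    except DefinitionInUse:
        early_delete_blocked = True
    rewritten = [db.rewrite(r) for r in old_records]  # old data moves to def-B only when rewritten
    in_use_after = db.definitions_in_use(rewritten + [new_record])
    db.delete("def-A", rewritten + [new_record])      # safe once nothing references def-A
    return {
        "in_use_before": in_use_before,
        "early_delete_blocked": early_delete_blocked,
        "in_use_after": in_use_after,
        "remaining_definitions": set(db.definitions),
        "plaintexts_intact": [db.decrypt(r) for r in rewritten] == plaintexts,
    }
```

Run `rotation_demo()` to see the sequence: with both definitions present, records encrypted before the rotation still report `def-A`, deleting `def-A` is refused, and only after every old record has been rewritten does the set of definitions in use shrink to `def-B`. The "verify that no remaining data uses the older keys" step in the text corresponds to `definitions_in_use` returning a set that no longer contains the old identifier.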
