Deleting an encryption-settings definition
The encryption-settings tool with the delete subcommand provides a mechanism for deleting an encryption-settings definition.
About this task
Never delete an encryption-settings definition if data in the server is encrypted using the settings contained in that definition. Any data encrypted with a definition that has been removed from the database is inaccessible to the server and causes errors for any attempt to access it. This includes the replicationChanges and Changelog Databases, which the re-encode-entries tool does not re-encode with the new encryption-settings definition. Before removing previous encryption-settings definitions, wait for the amount of time defined in the replication-purge-delay of the Replication Server and the changelog-maximum-age of the Changelog Backend, if enabled. To safely delete a compromised encryption-settings definition, see Dealing with a compromised encryption key.
To stop using a definition for encryption and use a different definition, make sure that the desired definition exists in the encryption-settings database and set it as the preferred definition. As long as the encryption key is not compromised, there is no harm in having old encryption-settings definitions available to the server. Retain the old encryption-settings definitions in case they are referenced by something.
The preferred encryption-settings definition cannot be deleted unless it is the only one left. To delete the currently-preferred definition when one or more other definitions are available, make one of the other definitions preferred as described in the previous section.
To delete an encryption-settings definition:
Steps
- To delete an encryption-settings definition, use the encryption-settings command with the delete subcommand. Make sure to include the --id argument to specify the definition.
Argument | Description |
---|---|
--id | Specifies the ID to export for the encryption-settings definition. |
Example:
$ bin/encryption-settings delete --id F635E109A8549651025D01D9A6A90F7C9017C66D
Result:
Successfully deleted encryption settings definition F635E109A8549651025D01D9A6A90F7C9017C66D
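
The pre-deletion rules above can be encoded as a check that runs before the delete command. The following is an added example, not part of the product or its documentation. The Definition record, the function names, the retired_at field, and the choice to measure the wait from the moment the definition stopped being preferred are all assumptions; the second ID is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Definition:
    id: str
    preferred: bool
    # Assumption: time another definition was made preferred; None if unknown.
    retired_at: Optional[datetime] = None

def deletion_blockers(target_id: str, definitions: List[Definition], now: datetime,
                      replication_purge_delay: timedelta,
                      changelog_maximum_age: Optional[timedelta] = None) -> List[str]:
    """Return reasons not to delete target_id; an empty list means the checks pass.

    This cannot prove that no entry is still encrypted with the definition;
    confirm that separately before deleting.
    """
    by_id = {d.id: d for d in definitions}
    if target_id not in by_id:
        return [f"definition {target_id} not found"]
    target = by_id[target_id]
    blockers = []
    # The preferred definition can only be deleted when it is the only one left.
    if target.preferred and len(definitions) > 1:
        blockers.append("preferred definition: make another definition preferred first")
    # replicationChanges and the changelog are not re-encoded, so wait out the
    # longer of the two retention periods (the changelog only if it is enabled).
    wait = replication_purge_delay
    if changelog_maximum_age is not None:
        wait = max(wait, changelog_maximum_age)
    if not target.preferred:
        if target.retired_at is None:
            blockers.append("retirement time unknown: cannot verify the wait period")
        elif now < target.retired_at + wait:
            safe_at = (target.retired_at + wait).isoformat()
            blockers.append(f"retention period not elapsed: wait until {safe_at}")
    return blockers

def delete_command(target_id: str) -> List[str]:
    """Build the delete invocation shown on this page."""
    return ["bin/encryption-settings", "delete", "--id", target_id]

# Constructed sample inventory: one retired definition, one preferred.
OLD_ID = "F635E109A8549651025D01D9A6A90F7C9017C66D"
SAMPLE = [Definition(OLD_ID, False, datetime(2024, 1, 1)),
          Definition("CONSTRUCTED-EXAMPLE-ID", True)]

if __name__ == "__main__":
    problems = deletion_blockers(OLD_ID, SAMPLE, datetime(2024, 1, 10),
                                 timedelta(days=1), timedelta(days=14))
    print(problems or " ".join(delete_command(OLD_ID)))
```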