PingDirectory

Enabling data encryption in the server

Enable data encryption during server setup or after server setup.

About this task

When enabling data encryption in the server, configure for backups and LDIF exports with the following global properties.

Global property | Configuration description

automatically-compress-encrypted-ldif-exports

Indicates whether to automatically compress LDIF exports that are also encrypted.

  • If set to true, any LDIF export that is encrypted, either explicitly with --encryptLDIF or implicitly with the encrypt-ldif-exports-by-default configuration property, is gzip-compressed.

  • If set to false, manually compress encrypted LDIF exports using the --compress command-line argument.

backup-encryption-settings-definition-id

The unique identifier for the encryption settings definition to use to generate the encryption key for encrypted backups by default.

  • If this property is given a value, then a definition with that ID must exist in the server’s encryption settings database.

  • If this property is not given a value, but the server is configured with at least one encryption settings definition, then the preferred definition is used.

  • If no encryption settings definitions are available, the server uses an internal key shared among servers in the topology.

Regardless of this property’s value, you can override it with the backup command-line tool. Providing one of the --promptForEncryptionPassphrase or --encryptionPassphraseFile arguments generates the encryption key from the provided passphrase, and the --encryptionSettingsDefinitionID argument generates the key from the specified encryption settings definition.

encrypt-backups-by-default

Indicates whether the server should encrypt backups by default.

  • If set to true, a defined backup-encryption-settings-definition-id value is used to generate the encryption key for the backup.

  • If this property is true, and if a backup-encryption-settings-definition-id value is not specified, the server tries to use the preferred encryption settings definition to generate the encryption key.

  • If the server is not configured with any encryption settings definitions, an internal key that is shared among instances in the topology is used.

Regardless of this property’s value, even if it is set to false, you can override it with the backup command-line tool’s --encrypt argument.

Even if this property has a value of true, the --doNotEncrypt argument always causes the backup to be unencrypted.

encrypt-ldif-exports-by-default

Indicates whether the server should encrypt LDIF exports by default.

  • If set to true, and an ldif-export-encryption-settings-definition-id value is specified, then that encryption settings definition is used to generate the encryption key for the export.

  • If this property is true, and an ldif-export-encryption-settings-definition-id value is not specified, the server first tries to use the preferred encryption settings definition to generate the encryption key.

  • If the server is not configured with any encryption settings definitions, an internal key that is shared among instances in the topology is used.

Regardless of this property’s value, you can override the default behavior with the export-ldif command-line tool.

The tool’s --encryptLDIF argument always encrypts the export, and the --doNotEncryptLDIF argument always creates an unencrypted export.

Perform the following steps to enable data encryption:

Steps

  1. To enable encryption, choose one of the following setups:

    • During server setup, define an encryption key and passphrase.

    • On legacy systems, or after setup, configure data encryption by making at least one encryption settings definition available for use.

  2. Set the value of the encrypt-data global configuration property to true using the dsconfig tool.

    Example:

    $ bin/dsconfig set-global-configuration-prop --set encrypt-data:true

    Result:

    Setting the global configuration property automatically enables data encryption for all types of backends that support it, including the changelog backend and indexes, as well as for the replication server database. All subsequent write operations cause the corresponding records that are written into any of these locations to be encrypted. Any existing data remains unencrypted until it is rewritten by a write operation.

Next steps

To encrypt existing data, export it to LDIF and re-import it. This works for the data backends, the changelog, and indexes.

This does not work for the replication database, so existing change records remain unencrypted until they are purged. To purge a compromised encryption settings definition, safely purge the replication database by following the steps in Dealing with a compromised encryption key.
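A small POSIX shell wrapper for the procedure above (an added example, not part of the PingDirectory documentation): it sets encrypt-data, makes encrypted and compressed backups and LDIF exports the default, and re-encrypts an existing backend by export and re-import. It assumes PD_HOME points at the server install, that tool connection arguments come from config/tools.properties, and that import-ldif can read the encrypted export through the server's encryption settings database; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not PingDirectory's own code. PD_HOME and LDIF_DIR are
# placeholder paths; adjust them for your installation.
PD_HOME="${PD_HOME:-/opt/ping/PingDirectory}"
LDIF_DIR="${LDIF_DIR:-$PD_HOME/ldif}"
DRY_RUN="${DRY_RUN:-0}"

# Runs a server tool from bin/, or only prints the command line when DRY_RUN=1.
pd_run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    tool="$1"; shift
    "$PD_HOME/bin/$tool" "$@"
  fi
}

# Step 2 above: switch on encryption for every backend type that supports it.
enable_data_encryption() {
  pd_run dsconfig set-global-configuration-prop --set encrypt-data:true
}

# Make encrypted, gzip-compressed backups and LDIF exports the default.
# $1 (optional) = ID of the encryption settings definition to prefer; without
# it the server falls back to its preferred definition, then the internal key.
set_encryption_defaults() {
  def_id="${1:-}"
  set -- --set encrypt-backups-by-default:true \
         --set encrypt-ldif-exports-by-default:true \
         --set automatically-compress-encrypted-ldif-exports:true
  if [ -n "$def_id" ]; then
    set -- "$@" --set "backup-encryption-settings-definition-id:$def_id" \
                --set "ldif-export-encryption-settings-definition-id:$def_id"
  fi
  pd_run dsconfig set-global-configuration-prop "$@"
}

# "Next steps" above: records written before encrypt-data was enabled stay
# cleartext until rewritten, so export the backend to encrypted LDIF and
# import it back. Refuses an empty backend ID rather than exporting nothing.
reencrypt_backend() {
  backend="${1:-}"
  [ -n "$backend" ] || { echo "reencrypt_backend: backend ID required" >&2; return 1; }
  ldif="${2:-$LDIF_DIR/$backend-reencrypt.ldif}"
  pd_run export-ldif --backendID "$backend" --ldifFile "$ldif" --encryptLDIF || return 1
  pd_run import-ldif --backendID "$backend" --ldifFile "$ldif"
}
```

Because the export is encrypted with --encryptLDIF, the intermediate LDIF file never holds cleartext entries; an explicit --doNotEncryptLDIF would undo that, so the wrapper does not expose it.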