Encrypting passphrase files
Use an encrypted passphrase file or a tools.properties file to let the server and command-line tools use credentials without storing them in the clear.
About this task
Encrypt these files with the following considerations:
- If the file is encrypted with a key obtained from the server's encryption settings database, the server and associated command-line tools retrieve the appropriate key from the encryption settings database, so the clear-text contents of the file are accessed without any interaction. However, if the cipher stream provider configured to protect the contents of the encryption settings database requires interaction, such as the wait-for-passphrase cipher stream provider, then command-line tools might require interaction to unlock the encryption settings database.
- If the file is encrypted with a passphrase that the user specifies rather than one obtained from the encryption settings database, the user is interactively prompted for that passphrase when running the tool. Do not use this option for key store and trust store PIN files that need to be accessed by the server.
You can encrypt these files using the encrypt-file tool and use them in the following places:
- Certificate keystore and truststore PIN files
  When setting up an instance with encryption and either SSL or StartTLS enabled, the installer automatically encrypts the PIN files for the config/keystore, config/truststore, and config/ads-truststore certificate databases.
- Command-line arguments
  Specify passphrase files using command-line arguments. Most LDAP tools offer --bindPasswordFile, --keystorePasswordFile, and --truststorePasswordFile arguments.
- The config/tools.properties file
  Use the config/tools.properties file to obtain a default set of arguments for most command-line tools. Alternatively, use the --propertiesFilePath argument to specify an alternate properties file.
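As an added example that is not part of the original page, the following tools.properties fragment points the LDAP tools at a file produced by encrypt-file instead of holding the bind password in the clear. The property naming (the argument name without its leading dashes, optionally prefixed by a tool name) and the file paths are assumptions, not something this page documents.

```properties
# config/tools.properties (added example; property naming is an assumption:
# argument name without the leading dashes, "toolname." prefix scopes it
# to one tool, otherwise it is a default for every tool accepting it)

# Connection defaults shared by the LDAP tools (hostname is a placeholder)
hostname=ds.example.com
port=636
useSSL=true
bindDN=cn=Directory Manager

# Avoid: a clear-text password stored on disk in this file.
# bindPassword=secret123

# Preferred: reference the output of encrypt-file. Because it was
# encrypted with a key from the encryption settings database, the tools
# retrieve that key and decrypt it without prompting.
bindPasswordFile=config/password.txt.encrypted

# PIN file path is a placeholder; the installer encrypts the real PIN files.
truststorePasswordFile=config/truststore.pin

# Tool-scoped override (assumed prefix syntax): ldapsearch binds as a
# read-only account while other tools keep the shared default.
ldapsearch.bindDN=uid=readonly,ou=People,dc=example,dc=com
```

Tools that read the file still need access to the encryption settings database, so the interaction caveat for the cipher stream provider above applies unchanged.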
Steps
- Encrypt a file with the server's preferred encryption settings definition.
  Example:
  $ bin/encrypt-file --input-file password.txt \
      --output-file password.txt.encrypted
- To use a key from an encryption settings definition that isn't the default, specify the ID of the desired encryption settings definition with the --encryption-settings-id argument. You can obtain the ID with encryption-settings list.
  Example:
  $ bin/encrypt-file --input-file password.txt \
      --output-file password.txt.encrypted \
      --encryption-settings-id 4B6899D6716FC3AFFD71F7B447EB135063A0E724
- To encrypt the file with a passphrase rather than a key from an encryption settings definition, choose one of the following options:
  - Use the --prompt-for-passphrase argument to interactively prompt for the passphrase.
  - Use the --passphrase-file argument to specify the path to a file containing the clear-text passphrase.
  Example:
  $ bin/encrypt-file --input-file password.txt \
      --output-file password.txt.encrypted \
      --prompt-for-passphrase