PingDirectory

Using data encryption in a replicated environment

Use data encryption for on-disk storage for data within the server.

Whenever clients access stored data in the server, it’s presented in unencrypted form although the communication with those clients can itself be encrypted using SSL or StartTLS. Replication, the communication of updates between replication servers, is always encrypted using SSL. Each server can apply data encryption in a independent manner and have different sets of encryption settings definitions. It’s possible to have a replication topology containing some servers that have data encryption enabled and others with it disabled.

When initializing the backend of one server from another server with data encryption enabled, the server being initialized must have access to all encryption settings definitions that might have been used for data contained in that backend.

To do this, perform an export of the encryption settings database on the source server using bin/encryption-settings export and import it on the target server using bin/encryption-settings import.