PingDirectory

Enabling data encryption during setup

Data encryption should be enabled when running setup, which ensures that all data added to the server is encrypted and also configures the server to automatically encrypt backups and LDIF exports.

The interactive setup process, which is started when setup is run without any arguments, guides you through the process of enabling data encryption, but if you’re using non-interactive setup or manage-profile setup, then data encryption can be enabled by providing one of the following arguments.

Argument Description

--encryptDataWithPassphraseFromFile

Specifies the path to a file that contains the passphrase to use to generate the encryption settings definition that encrypts the data. If you provide the same passphrase when setting up multiple instances of the server, then each generates the same encryption settings definition, and each instance can access data encrypted by the other instances.

--encryptDataWithSettingsImportedFromFile

Specifies the path to a file that contains one or more encryption settings definitions to be imported into the newly created encryption settings database. Use the --encryptionSettingsExportPassphraseFile argument to provide the path to a file containing the passphrase used to encrypt those definitions. If you import the same encryption settings definitions into all servers in the topology, then each instance can access data encrypted by the other instances. See the Exporting encryption settings definitions section for more information on exporting the contents of the encryption settings database.

--encryptDataWithRandomPassphrase

Indicates that the server should enable data encryption with an encryption settings definition created from a randomly generated passphrase. If you use this option to set up multiple instances, then they will not have the same encryption settings definitions, and data encrypted by one instance is not accessible on other instances unless the encryption settings definitions are synchronized across all of those instances.

--encryptDataWithPreExistingEncryptionSettingsDatabase

Indicates that the server should enable data encryption using the definitions from a pre-existing encryption settings database. This database can be protected with any cipher stream provider supported by the server, configured with data encryption restrictions, and frozen so that its contents are immutable.

If you set up the server with a pre-existing encryption settings database, you should use the manage-profile setup tool. The server profile must meet the following requirements:

  • The setup-arguments.txt file must include the --encryptDataWithPreExistingEncryptionSettingsDatabase argument.

  • The server profile must contain the server-root/pre-setup/config/encryption-settings/encryption-settings-db file, which represents the encryption settings database to use for the new server instance.

  • The pre-setup-dsconfig directory must exist and it must contain one or more dsconfig batch files with the changes needed to set up and enable the cipher stream provider to use with the encryption settings database.

  • The server-root/pre-setup directory should include any metadata files that the cipher stream provider needs to access the encryption settings database.
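The following script is an added example, not part of PingDirectory or this page: it checks a server profile against the requirements listed above before you run manage-profile setup with a pre-existing encryption settings database. The check for a cipher stream provider is a heuristic (it greps the dsconfig batch files for the string cipher-stream-provider), and the sample profile it builds contains placeholder files, not a real encryption settings database.

```shell
#!/bin/sh
# Added example: validate a server profile for --encryptDataWithPreExistingEncryptionSettingsDatabase.
# Usage: check_profile /path/to/server-profile ; exit status 0 means all checks passed.

check_profile() {
    profile="$1"
    ok=0
    args="$profile/setup-arguments.txt"
    db="$profile/server-root/pre-setup/config/encryption-settings/encryption-settings-db"
    dsconfig_dir="$profile/pre-setup-dsconfig"

    # 1. setup-arguments.txt must request the pre-existing encryption settings database.
    if ! grep -q -- '--encryptDataWithPreExistingEncryptionSettingsDatabase' "$args" 2>/dev/null; then
        echo "missing --encryptDataWithPreExistingEncryptionSettingsDatabase in $args"; ok=1
    fi
    # 2. The encryption settings database file must be present and readable.
    if [ ! -r "$db" ]; then
        echo "missing encryption settings database: $db"; ok=1
    fi
    # 3. pre-setup-dsconfig must exist and contain at least one dsconfig batch file.
    if [ ! -d "$dsconfig_dir" ] || [ -z "$(ls -A "$dsconfig_dir" 2>/dev/null)" ]; then
        echo "no dsconfig batch files in $dsconfig_dir"; ok=1
    fi
    # 4. Heuristic (assumption): at least one batch file should configure a cipher stream provider.
    if [ -d "$dsconfig_dir" ] && ! grep -qi 'cipher-stream-provider' "$dsconfig_dir"/* 2>/dev/null; then
        echo "no dsconfig batch file in $dsconfig_dir mentions a cipher stream provider"; ok=1
    fi
    return $ok
}

# Constructed sample profile (placeholder contents only) so the check can be exercised offline.
make_sample_profile() {
    p="$1"
    mkdir -p "$p/server-root/pre-setup/config/encryption-settings" "$p/pre-setup-dsconfig"
    echo '--encryptDataWithPreExistingEncryptionSettingsDatabase' > "$p/setup-arguments.txt"
    printf 'placeholder-not-a-real-database\n' \
        > "$p/server-root/pre-setup/config/encryption-settings/encryption-settings-db"
    printf '# placeholder: dsconfig commands that enable the cipher-stream-provider go here\n' \
        > "$p/pre-setup-dsconfig/00-cipher-stream-provider.dsconfig"
}
```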