Encrypting LDIF exports
Each backup is essentially an archive that includes all of the necessary database files. It can be quickly restored into a PingDirectory server if the need arises, but the data is not accessible for any other purpose.
LDIF is a standard plain-text representation of LDAP data. While it might take somewhat longer to import data from an LDIF file than it does to restore a backup, the PingDirectory server can generally import entries at a very high rate. Because LDIF is a standard format, the data can be easily parsed with a wide variety of libraries (including the UnboundID LDAP SDK for Java) or viewed in a text editor. It is also highly compressible, and a gzipped LDIF file can take up substantially less space than a backup (which includes additional data beyond the entries, like indexes and database structure). As such, there are compelling reasons to use LDIF exports as a backup mechanism instead of or in addition to backup archives. However, because it is a plain-text format, it is essential that LDIF exports be encrypted to prevent their content from being readily available to anyone who gains access to them.
The encrypt-ldif-exports-by-default property in the global configuration can automatically encrypt LDIF exports by default. The ldif-export-encryption-settings-definition-id property can specify the encryption settings definition used to protect the data, or the server can fall back to using the preferred definition. Further, the automatically-compress-encrypted-ldif-exports property can be used to compress the data as it is encrypted, for substantial space savings.
If the global configuration is not set up to encrypt LDIF exports by default, or if you want to encrypt the data with a different key, the export-ldif tool provides the following arguments, which are largely the same as those offered by the backup tool:
- --encryptLDIF
- --promptForEncryptionPassphrase
- --encryptionPassphraseFile
- --encryptionSettingsDefinitionID
- --doNotEncrypt
When importing an LDIF file, the server can automatically determine whether the data is encrypted or compressed, and if the file was encrypted with a key from the encryption settings database, the encryption header includes the ID of the definition that was used. However, if the LDIF data was encrypted with a passphrase rather than an encryption settings definition, then one of the following arguments can be used to provide that passphrase:
- --promptForEncryptionPassphrase
- --encryptionPassphraseFile
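The export and import described above, as an added example that is not part of the PingDirectory documentation: it writes the passphrase to a file readable only by the server account, runs export-ldif with the passphrase-based encryption arguments, checks that the resulting file is no longer readable as plain-text LDIF, and shows the matching import-ldif call. It assumes DS_ROOT is the server install directory, that the backend is named userRoot, and that --backendID, --ldifFile and --compressLDIF are accepted by the tools (the encryption arguments are the ones listed on this page).

```shell
#!/bin/sh
# Added example, not the product's own script. Assumed: DS_ROOT install path,
# "userRoot" backend ID, and the --backendID/--ldifFile/--compressLDIF arguments.
set -eu

DS_ROOT="${DS_ROOT:-/opt/pingdirectory}"              # assumed install path
BACKEND_ID="${BACKEND_ID:-userRoot}"                  # assumed backend ID
LDIF_OUT="${LDIF_OUT:-/var/backups/userRoot.ldif.gz}" # assumed output path

# Keep the passphrase out of the command line and shell history: write it to a
# file created with mode 0600 and verify that mode before it is used.
write_passphrase_file() {
  file="$1"; passphrase="$2"
  ( umask 077 && printf '%s\n' "$passphrase" > "$file" )
  [ "$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")" = "600" ]
}

# True (exit 0) when the file still reads as plain-text LDIF, i.e. the export
# was written unencrypted. An encrypted export has no readable dn:/objectClass: lines.
looks_plaintext_ldif() {
  grep -q -a -E '^dn: ' "$1" && grep -q -a -E '^objectClass: ' "$1"
}

# Passphrase-based encryption: the file header then carries no encryption
# settings definition ID, so the same passphrase must be supplied at import time.
export_encrypted() {
  "$DS_ROOT/bin/export-ldif" --backendID "$BACKEND_ID" --ldifFile "$LDIF_OUT" \
    --encryptLDIF --encryptionPassphraseFile "$1" --compressLDIF
}

# import-ldif detects encryption and compression on its own; only the
# passphrase has to be provided.
import_encrypted() {
  "$DS_ROOT/bin/import-ldif" --backendID "$BACKEND_ID" --ldifFile "$LDIF_OUT" \
    --encryptionPassphraseFile "$1"
}

# Only run the export when a server install is actually present.
if [ -x "$DS_ROOT/bin/export-ldif" ]; then
  PASS_FILE="$(mktemp)"
  write_passphrase_file "$PASS_FILE" "REPLACE-WITH-A-STRONG-PASSPHRASE"  # placeholder
  export_encrypted "$PASS_FILE"
  if looks_plaintext_ldif "$LDIF_OUT"; then
    echo "ERROR: $LDIF_OUT is readable plain text; encryption was not applied" >&2
    exit 1
  fi
  echo "Encrypted export written to $LDIF_OUT; restore with import_encrypted $PASS_FILE"
fi
```

The plaintext check is the part worth keeping in any backup job: it catches an export that silently ran with --doNotEncrypt or without the global default enabled.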