PingDirectory

Managing data encryption in the global configuration

If data encryption is not enabled during setup, you can enable it at any time by ensuring that the server is configured with an appropriate encryption settings definition and updating the following properties in the global configuration.

Property Description

encrypt-data

Indicates whether data encryption should be enabled. Upon enablement, any writes to backends, the replication database, and the LDAP changelog are encrypted, but existing data remains unencrypted. Any unencrypted data in the replication database and LDAP changelog is eventually removed in accordance with their purging configuration, but we recommend exporting backends to LDIF and re-importing them to ensure that all of the data they contain is encrypted.

encryption-settings-cipher-stream-provider

The cipher stream provider that should be used to protect the contents of the encryption settings database. See the Configuring cipher stream providers topic for more detail.

encrypt-backups-by-default

Indicates whether any new backups that are created should automatically be encrypted with a key from the encryption settings database. If you want to create a backup that is not encrypted, then you can provide the --doNotEncrypt argument to the backup command. If you want to create a backup that is encrypted with a different key, then use one of the --promptForEncryptionPassphrase, --encryptionPassphraseFile, or --encryptionSettingsDefinitionID arguments.

backup-encryption-settings-definition-id

The ID of the encryption settings definition that is used when encrypting backups by default. If this is not specified, then the server’s preferred encryption settings definition is used.

encrypt-ldif-exports-by-default

Indicates whether any new LDIF exports that are created should be automatically encrypted with a key from the encryption settings database. As with the backup tool, the export-ldif tool offers the --doNotEncrypt, --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments to change its encryption behavior.

ldif-export-encryption-settings-definition-id

The ID of the encryption settings definition that is used when encrypting LDIF exports by default. If this is not specified, then the server’s preferred encryption settings definition is used.

automatically-compress-encrypted-ldif-exports

Indicates whether the server should automatically compress LDIF exports that are encrypted.
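As an added example (not part of this page or of the product's own tooling), the script below audits the three encryption defaults described above in a global-configuration dump and prints the dsconfig command that would turn on each one that is still off. The property names are the ones from this table; the sample dump is constructed, and the exact layout of a real dump and your dsconfig connection arguments (--hostname, --port, --bindDN, --bindPasswordFile) are assumptions you should adapt.

```shell
#!/bin/sh
# Audit the data-encryption defaults of the PingDirectory global configuration.
# Assumes a dump of "property : value" lines such as the output of
#   dsconfig get-global-configuration-prop
# (connection arguments omitted). Only the "name : value" pairs matter here.

# Constructed sample dump: data encryption and LDIF-export encryption are off,
# backup encryption is on, and no explicit definition IDs are set ("-").
SAMPLE_CONFIG='encrypt-data : false
encryption-settings-cipher-stream-provider : Default Cipher Stream Provider
encrypt-backups-by-default : true
backup-encryption-settings-definition-id : -
encrypt-ldif-exports-by-default : false
ldif-export-encryption-settings-definition-id : -
automatically-compress-encrypted-ldif-exports : true'

# Properties that must be true for backend data, backups and LDIF exports
# to be encrypted by default.
REQUIRED_TRUE='encrypt-data encrypt-backups-by-default encrypt-ldif-exports-by-default'

# get_prop <config-text> <property>: print the value of one property
# (empty if the property is absent). The separator regex tolerates spaces.
get_prop() {
    printf '%s\n' "$1" | awk -F' *: *' -v p="$2" '$1 == p { print $2; exit }'
}

# audit_encryption <config-text>: for every required property that is not
# "true", print the dsconfig command that enables it. Returns 0 when all
# three are already on, 1 otherwise.
audit_encryption() {
    rc=0
    for prop in $REQUIRED_TRUE; do
        val=$(get_prop "$1" "$prop")
        if [ "$val" != "true" ]; then
            echo "dsconfig set-global-configuration-prop --set $prop:true"
            rc=1
        fi
    done
    return $rc
}

# Run against the constructed sample; a non-zero result means remediation
# commands were printed above.
audit_encryption "$SAMPLE_CONFIG" || echo "# some encryption defaults are off"
```

Remember that, as the encrypt-data description says, flipping the property only protects new writes; existing backend data still needs an export-ldif/import-ldif cycle.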