Configuring data encryption restrictions
The PingDirectory server supports several data encryption restrictions that make it harder for unauthorized individuals to access data in an unencrypted form.
About this task
By default, none of the available data encryption restrictions are active in the server.
Steps
- To configure data encryption restrictions, use the encryption-settings set-data-encryption-restrictions command with one of the following arguments.
Arguments and descriptions:
--add-restriction <restriction-name>
Activates the specified encryption restriction in the server. You can provide this argument multiple times with a single command to add multiple restrictions.
--remove-restriction <restriction-name>
Removes the specified encryption restriction from the server. You can provide this argument multiple times with a single command to remove multiple restrictions.
--remove-all-restrictions
Removes any data encryption restrictions that are currently in place.
--add-all-restrictions
Activates all supported data encryption restrictions that are not already active.
Example:
$ bin/encryption-settings set-data-encryption-restrictions \
    --add-all-restrictions
After the successful completion of the previous command, you receive a message like the following:
Successfully updated the set of active data encryption restrictions.
The updated set of active data encryption restrictions is:
* prevent-disabling-data-encryption.
* prevent-changing-cipher-stream-provider.
* prevent-encryption-settings-export.
* prevent-unencrypted-ldif-export.
* prevent-passphrase-encrypted-ldif-export.
* prevent-unencrypted-backup.
* prevent-passphrase-encrypted-backup.
* prevent-decrypt-file.
- To determine which data encryption restrictions are active in the server, use the encryption-settings get-data-encryption-restrictions command.
If you are defining data encryption restrictions in the server, freeze the encryption settings database so that these restrictions cannot be modified by anyone without the appropriate passphrase. For more information, see Freezing the encryption settings database.
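The following audit check is an added example, not part of the PingDirectory documentation or tooling: it parses the "* <name>." bullets shown in the confirmation message above and reports any of the eight listed restrictions that are not active. It assumes that get-data-encryption-restrictions prints restrictions in that same bullet format; the function names and sample variables are hypothetical.

```shell
#!/bin/sh
# Added example (not PingDirectory code): report required restrictions that
# are not active. Names are the eight listed in the message on this page.
REQUIRED="prevent-disabling-data-encryption
prevent-changing-cipher-stream-provider
prevent-encryption-settings-export
prevent-unencrypted-ldif-export
prevent-passphrase-encrypted-ldif-export
prevent-unencrypted-backup
prevent-passphrase-encrypted-backup
prevent-decrypt-file"

# Constructed sample: the confirmation message shown on this page.
SAMPLE_ALL="Successfully updated the set of active data encryption restrictions.
The updated set of active data encryption restrictions is:
* prevent-disabling-data-encryption. * prevent-changing-cipher-stream-provider.
* prevent-encryption-settings-export. * prevent-unencrypted-ldif-export.
* prevent-passphrase-encrypted-ldif-export. * prevent-unencrypted-backup.
* prevent-passphrase-encrypted-backup. * prevent-decrypt-file."

# Constructed sample: the same message with two restrictions removed.
SAMPLE_PARTIAL=$(printf '%s\n' "$SAMPLE_ALL" |
  sed -e 's/\* prevent-unencrypted-backup\.//' -e 's/\* prevent-decrypt-file\.//')

# Extract names from "* <name>." bullets on stdin (assumed output format),
# whether the bullets are one per line or run together.
active_restrictions() {
  grep -oE '\* [a-z][a-z-]*' | sed 's/^\* //' | sort -u
}

# Print every required restriction missing from the tool output on stdin.
# Returns 0 when all are active, 1 otherwise.
missing_restrictions() {
  active=$(active_restrictions)
  missing=$(printf '%s\n' "$REQUIRED" | while read -r name; do
    printf '%s\n' "$active" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing"
  return 1
}

# Live use (assumes the get command prints the same bullet format):
#   bin/encryption-settings get-data-encryption-restrictions | missing_restrictions
printf '%s\n' "$SAMPLE_PARTIAL" | missing_restrictions ||
  echo "AUDIT FAIL: restrictions above are not active" >&2
```

A non-zero exit status makes the check usable as a scheduled job or deployment gate that flags a server on which restrictions have been removed.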