Configuring data encryption restrictions

The PingDirectory server supports several data encryption restrictions that make it harder for unauthorized individuals to access data in an unencrypted form.

About this task

By default, none of the available data encryption restrictions are active in the server.

Steps

To configure data encryption restrictions, use the encryption-settings set-data-encryption-restrictions command with one of the following arguments.

Arguments Description

Arguments	Description
`--add-restriction <restriction-name>`	Activates the specified encryption restriction in the server. You can provide this argument multiple times with a single command to add multiple restrictions.
`--remove-restriction <restriction-name>`	Removes the specified encryption restriction from the server. You can provide this argument multiple times with a single command to remove multiple restrictions.
`--remove-all-restrictions`	Removes any data encryption restrictions that are currently in place.
`--add-all-restrictions`	Activates all supported data encryption restrictions that are not already active.

--add-restriction <restriction-name>

Activates the specified encryption restriction in the server. You can provide this argument multiple times with a single command to add multiple restrictions.

--remove-restriction <restriction-name>

Removes the specified encryption restriction from the server. You can provide this argument multiple times with a single command to remove multiple restrictions.

--remove-all-restrictions

Removes any data encryption restrictions that are currently in place.

--add-all-restrictions

Activates all supported data encryption restrictions that are not already active.

Example:

$ bin/encryption-settings set-data-encryption-restrictions \
    --add-all-restrictions

After the successful completion of the previous command, you receive a message like the following:

Successfully updated the set of active data encryption restrictions.

The updated set of active data encryption restrictions is:
* prevent-disabling-data-encryption.
* prevent-changing-cipher-stream-provider.
* prevent-encryption-settings-export.
* prevent-unencrypted-ldif-export.
* prevent-passphrase-encrypted-ldif-export.
* prevent-unencrypted-backup.
* prevent-passphrase-encrypted-backup.
* prevent-decrypt-file.

To determine which data encryption restrictions are active in the server, use the encryption-settings get-data-encryption-restrictions command.

If you are defining data encryption restrictions in the server, freeze the encryption settings database so that these restrictions cannot be modified by anyone without the appropriate passphrase. For more information, see Freezing the encryption settings database.