PingDirectory

Encrypting LDIF exports and signing LDIF files

You can encrypt data during an LDIF export and digitally sign the LDIF file.

The PingDirectory server provides features to encrypt data during an LDAP Data Interchange Format (LDIF) export using the export-ldif --encryptLDIF option. It also allows the encrypted LDIF file to be imported on the same instance, or another server in the same replication topology, using the import-ldif tool. You can use a --doNotEncrypt argument to force an LDIF export to be unencrypted even if automatic encryption is enabled. The --maxMegabytesPerSecond argument can be used to impose a limit on the rate at which the LDIF file can be written to disk.

You can use the export-ldif tool with the --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments to specify which key to use for encrypting the export. The import-ldif tool automatically detects encryption and compression and has --promptForEncryptionPassphrase, --encryptionPassphraseFile options as well.

The PingDirectory server also provides an additional argument that digitally signs the contents of the LDIF file, which ensures that the content has not been altered since the export. To digitally sign the contents of the exported LDIF file, use the export-ldif --sign option. To allow a signed LDIF file to be imported onto the same instance or another server in the same topology, use the import-ldif --isSigned option.

There is little added benefit to signing and encrypting the same data because encrypted data cannot be altered without destroying the ability to decrypt it.

Encrypting an LDIF export

Steps

  • To encrypt the data during an export to an output LDIF file, run the export-ldif tool with the --encryptLDIF option.

    Example:

    The following command runs an offline export of the userRoot backend and encrypts the file when written to an output file called data.ldif.

    $ bin/export-ldif --backendID userRoot --ldifFile /path/to/data.ldif \
      --encryptLDIF

Importing an encrypted LDIF file

Use the import-ldif tool to import an encrypted LDIF file.

About this task

You can import an encrypted LDIF file into the same instance from which it was exported or into another server in the same replication topology with that instance. You cannot import an encrypted LDIF file into a server that is not connected to the instance from which it was exported.

Steps

  • Run the import-ldif tool to import the encrypted LDIF file from Encrypting an LDIF export.

    The command imports the data.ldif file and decrypts the contents while overwriting the existing contents to the userRoot backend. The tool automatically determines encryption and compression, and it can automatically identify the correct key for exports that were encrypted with a key obtained from an encryption settings definition or an internal topology key.

    Example:

    $ bin/import-ldif --backendID userRoot --ldifFile /path/to/data.ldif \
      --overwriteExistingEntries

Signing an export

Steps

  • To digitally sign the data during an export to an output LDIF file, run the export-ldif tool with the –sign option.

    Example:

    The following command runs an offline export of the userRoot backend and signs the content when written to an output file called data.ldif.

    $ bin/export-ldif --backendID userRoot \
      --ldifFile /path/to/data.ldif --sign

Importing a signed LDIF file

Steps

  • To import the signed LDIF file (data.ldif) from Signing an export, run the import-ldif tool with the --isSigned option.

    The tool imports the data.ldif file and checks the signature of the contents while overwriting the existing contents to the userRoot backend.

    The command requires the --isSigned option, which instructs the tool that the contents of the LDIF file are signed.

    Example:

    $ bin/import-ldif --backendID userRoot \
      --ldifFile /path/to/data.ldif \
      --overwriteExistingEntries --isSigned