Encrypting LDIF exports and signing LDIF files
You can encrypt data during an LDIF export and digitally sign the LDIF file.
The PingDirectory server can encrypt data during an LDAP Data Interchange Format (LDIF) export with the export-ldif --encryptLDIF option. The encrypted LDIF file can then be imported with the import-ldif tool on the same instance, or on another server in the same replication topology. Use the --doNotEncrypt argument to force an LDIF export to be unencrypted even if automatic encryption is enabled. The --maxMegabytesPerSecond argument limits the rate at which the LDIF file is written to disk.
The export-ldif tool accepts the --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments to specify which key to use for encrypting the export. The import-ldif tool automatically detects encryption and compression, and also accepts the --promptForEncryptionPassphrase and --encryptionPassphraseFile options. Protect a passphrase file as you would a key: anyone who can read it can decrypt the export.
The server also provides an argument that digitally signs the contents of the LDIF file, so that the importing server can detect any alteration of the content since the export. To sign the contents of an exported LDIF file, use the export-ldif --sign option. To import a signed LDIF file onto the same instance or another server in the same topology, use the import-ldif --isSigned option.
There is little added benefit to signing and encrypting the same data, because the encrypted data cannot be altered without destroying the ability to decrypt it.
Encrypting an LDIF export
Steps
- To encrypt the data during an export to an output LDIF file, run the export-ldif tool with the --encryptLDIF option.
  Example:
  The following command runs an offline export of the userRoot backend and encrypts the file when written to an output file called data.ldif.
  $ bin/export-ldif --backendID userRoot --ldifFile /path/to/data.ldif \
      --encryptLDIF
Importing an encrypted LDIF file
Use the import-ldif tool to import an encrypted LDIF file.
About this task
You can import an encrypted LDIF file into the same instance from which it was exported or into another server in the same replication topology as that instance, because those servers share the internal topology key. A server that is not part of that topology cannot decrypt the file unless the export was encrypted with a passphrase or an encryption settings definition that the importing server also has.
Steps
- Run the import-ldif tool to import the encrypted LDIF file from Encrypting an LDIF export.
  The command imports the data.ldif file and decrypts the contents while overwriting the existing contents of the userRoot backend. The tool automatically detects encryption and compression, and it can automatically identify the correct key for exports that were encrypted with a key obtained from an encryption settings definition or an internal topology key.
  Example:
  $ bin/import-ldif --backendID userRoot --ldifFile /path/to/data.ldif \
      --overwriteExistingEntries
Signing an export
Steps
- To digitally sign the data during an export to an output LDIF file, run the export-ldif tool with the --sign option.
  Example:
  The following command runs an offline export of the userRoot backend and signs the content when written to an output file called data.ldif.
  $ bin/export-ldif --backendID userRoot \
      --ldifFile /path/to/data.ldif --sign
Importing a signed LDIF file
Steps
- To import the signed LDIF file (data.ldif) from Signing an export, run the import-ldif tool with the --isSigned option.
  The tool imports the data.ldif file and checks the signature of the contents while overwriting the existing contents of the userRoot backend. The command requires the --isSigned option, which instructs the tool that the contents of the LDIF file are signed.
  Example:
  $ bin/import-ldif --backendID userRoot \
      --ldifFile /path/to/data.ldif \
      --overwriteExistingEntries --isSigned
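The four procedures above put together as one round trip, as an added example script that is not part of the PingDirectory documentation or product. It encrypts the export with a passphrase file rather than the topology key, so the file can be restored on a server outside the replication topology, signs it (the page notes that the signature adds little on top of encryption; it is included so that the import side shows both flags), throttles disk writes, and refuses to run if the passphrase file is readable by other users. The install directory, backend name, passphrase file, LDIF path and rate limit are assumptions set at the top.

```shell
#!/bin/sh
# Added example, not from the PingDirectory documentation: export the userRoot
# backend encrypted with a passphrase file and signed, then import it with the
# same file. PD_HOME, PASSFILE, LDIF, BACKEND and RATE_MB are assumed values;
# change them to match your installation.
# Usage: sh ldif-roundtrip.sh export|import
set -eu

PD_HOME="${PD_HOME:-/opt/PingDirectory}"              # assumed install dir
PASSFILE="${PASSFILE:-/var/ldif/export.passphrase}"   # assumed passphrase file
LDIF="${LDIF:-/var/ldif/data.ldif}"                   # assumed LDIF path
BACKEND="${BACKEND:-userRoot}"                        # backend to export
RATE_MB="${RATE_MB:-50}"                              # assumed write limit, MB/s

# The passphrase file is the key to the export: refuse one that any other
# user can read or write. Returns 0 when only the owner has access.
check_passphrase_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "passphrase file $f does not exist" >&2
        return 1
    fi
    # POSIX find: print the path if any group/other read or write bit is set
    loose=$(find "$f" -prune \( -perm -040 -o -perm -004 -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "passphrase file $f is readable or writable by group/other; run chmod 600 $f" >&2
        return 1
    fi
    return 0
}

# Encrypt with the passphrase (so a server outside this topology can still
# decrypt the file), sign the content, and throttle disk writes.
export_signed_encrypted() {
    check_passphrase_file "$PASSFILE"
    "$PD_HOME/bin/export-ldif" --backendID "$BACKEND" --ldifFile "$LDIF" \
        --encryptLDIF --encryptionPassphraseFile "$PASSFILE" \
        --sign --maxMegabytesPerSecond "$RATE_MB"
}

# import-ldif detects the encryption itself; a signed file must be imported
# with --isSigned, which tells the tool to check the signature.
import_signed_encrypted() {
    check_passphrase_file "$PASSFILE"
    "$PD_HOME/bin/import-ldif" --backendID "$BACKEND" --ldifFile "$LDIF" \
        --encryptionPassphraseFile "$PASSFILE" \
        --isSigned --overwriteExistingEntries
}

case "${1:-}" in
    export) export_signed_encrypted ;;
    import) import_signed_encrypted ;;
esac
```

Run `sh ldif-roundtrip.sh export` on the source server, copy data.ldif and the passphrase file to the target by a channel you trust, then run `sh ldif-roundtrip.sh import` there. If the passphrase file is world-readable on either side the script stops before the tool is invoked, which is the point at which the key would otherwise leak.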