Encrypting and decrypting files

You can use the encrypt-file tool to encrypt and decrypt files with an encryption settings definition or with a supplied passphrase.
About this task

When a file is encrypted with an encryption settings definition, the server can automatically determine that the file is encrypted, retrieve the associated definition from the encryption settings database, and use it to access the file’s contents.

Encrypting a file with an encryption settings definition is useful for files containing sensitive content needed for processing. Examples include:
- PIN files for certificate keys and trust stores
- The tools.properties file that contains default arguments for command-line tools
- Bind password files for command-line tools
- Files used for file-based passphrase providers

The server does not support encrypting the configuration or schema files. It also does not support encrypting files needed by the configured cipher stream provider to access the encryption settings database.
To encrypt a file with the server’s preferred encryption settings definition:

Steps
- Use the encrypt-file tool. Example:

  $ bin/encrypt-file --input-file password.txt \
      --output-file password.txt.encrypted
The encrypt-file tool can also decrypt the results of encrypted output files generated by the server, including encrypted backups, LDIF exports, and log files. However, this decryption cannot be performed if the prevent-decrypt-file data encryption restriction is active.

Useful arguments to use with the encrypt-file tool include:

--input-file <path>
    Specifies the path to the file containing the plain-text data to be encrypted. If you do not provide this argument, the data is read from standard input.
--output-file <path>
    Specifies the path to the file to which the encrypted data should be written.
--decrypt
    Indicates that the data in the input file should be decrypted rather than encrypted. Use of this argument is not allowed if the prevent-decrypt-file data encryption restriction is enabled.
--encryption-settings-id <id>
    Specifies the ID associated with the encryption settings definition to be used in encrypting the input file. By default, the server uses the preferred encryption settings definition.
--prompt-for-passphrase
    Indicates that the tool should prompt the user for a passphrase to use to encrypt the file, rather than encrypting the file with an encryption settings definition. The server cannot automatically decrypt passphrase-encrypted files.
--passphrase-file <path>
    Specifies the path to the file containing the passphrase to use to encrypt the file.
--compress-output
    Indicates that the server should gzip-compress the output. When encrypting data, the output is compressed before it is encrypted. When decrypting data, the data is compressed after it is decrypted.
--decompress-input
    Indicates that the input file is gzip-compressed. When decrypting data, the data is decompressed after it is decrypted.

Use the encrypt-file --help command to see the complete set of arguments supported by the encrypt-file tool.
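As an added example that is not part of the product documentation, the POSIX shell wrapper below ties the encryption step above to the argument table: it encrypts a file that the server must later read, using either a named encryption settings definition or the preferred one, refuses the two passphrase options because the server cannot automatically decrypt passphrase-encrypted files, and then verifies that the encrypted file decrypts back to the original byte-for-byte. The ENCRYPT_FILE variable, the function names and the file names are assumptions; the verification step uses --decrypt and therefore fails when the prevent-decrypt-file restriction is active.

```shell
#!/bin/sh
# Added example, not from the product documentation. Wraps the encrypt-file
# tool (path assumed in ENCRYPT_FILE, default bin/encrypt-file) to encrypt a
# file the server must read later, then checks that the result round-trips.

ENCRYPT_FILE="${ENCRYPT_FILE:-bin/encrypt-file}"

# encrypt_for_server <plain> <encrypted> <encryption-settings-id|""> [extra args...]
# Encrypts <plain> to <encrypted> with the given encryption settings
# definition (an empty id means the server's preferred definition).
# Passphrase options are refused with exit status 2: the server cannot
# automatically decrypt passphrase-encrypted files, so such output is
# useless as a PIN file, bind password file or tools.properties file.
encrypt_for_server() {
  ef_plain="$1"; ef_enc="$2"; ef_id="$3"
  shift 3
  for ef_arg in "$@"; do
    case "$ef_arg" in
      --prompt-for-passphrase|--passphrase-file)
        echo "encrypt_for_server: $ef_arg would produce a file the server cannot read" >&2
        return 2 ;;
    esac
  done
  if [ -n "$ef_id" ]; then
    "$ENCRYPT_FILE" --input-file "$ef_plain" --output-file "$ef_enc" \
      --encryption-settings-id "$ef_id" "$@"
  else
    "$ENCRYPT_FILE" --input-file "$ef_plain" --output-file "$ef_enc" "$@"
  fi
}

# verify_round_trip <plain> <encrypted>
# Decrypts <encrypted> to a temporary file and compares it byte-for-byte
# with <plain>. Returns 1 if the tool refuses (for example because the
# prevent-decrypt-file restriction is active) or if the contents differ.
verify_round_trip() {
  vr_tmp="${TMPDIR:-/tmp}/encrypt-file-check.$$"
  vr_status=1
  if "$ENCRYPT_FILE" --decrypt --input-file "$2" --output-file "$vr_tmp" \
     && cmp -s "$1" "$vr_tmp"; then
    vr_status=0
  fi
  rm -f "$vr_tmp"
  return "$vr_status"
}

# Usage: sh encrypt-for-server.sh --run password.txt password.txt.encrypted [id]
if [ "${1:-}" = "--run" ]; then
  encrypt_for_server "$2" "$3" "${4:-}"
  verify_round_trip "$2" "$3" && echo "ok: $3 decrypts back to $2"
fi
```

Run it from the server root so that the default bin/encrypt-file path resolves; the round-trip check is worth keeping in any provisioning script, because a file that was silently written with the wrong definition is only discovered when the server fails to read it.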