PingDirectory

Encrypting and decrypting files

You can use the encrypt-file tool to encrypt and decrypt files with an encryption settings definition or with a supplied passphrase.

About this task

When a file is encrypted with an encryption settings definition, the server can automatically determine that the file is encrypted, retrieve the associated definition from the encryption settings database, and use it to access the file’s contents.

Encrypting a file with an encryption settings definition is useful for files containing sensitive content needed for processing. Examples include:

  • PIN files for certificate keys and trust stores

  • The tools.properties file that contains default arguments for command-line tools

  • Bind password files for command-line tools

  • Files used for file-based passphrase providers

The server does not support encrypting the configuration or schema files. It also does not support encrypting files needed by the configured cipher stream provider to access the encryption settings database.

To encrypt a file with the server’s preferred encryption settings definition:

Steps

  • Use the encrypt-file tool.

    Example:

    $ bin/encrypt-file --input-file password.txt \
    --output-file password.txt.encrypted

    The encrypt-file tool can also decrypt encrypted output files generated by the server, including encrypted backups, LDIF exports, and log files. However, this decryption cannot be performed if the prevent-decrypt-file data encryption restriction is active.

    Useful arguments to use with the encrypt-file tool include the following (each argument is followed by its description):

    --input-file <path>

    Specifies the path to the file containing the plain-text data to be encrypted. If you do not provide this argument, then the data will be read from standard input.

    --output-file <path>

    Specifies the path to the file to which the encrypted data should be written.

    --decrypt

    Indicates that the data in the input file should be decrypted rather than encrypted. Use of this argument is not allowed if the prevent-decrypt-file data encryption restriction is enabled.

    --encryption-settings-id <id>

    Specifies the ID associated with the encryption settings definition to be used in encrypting the input file. By default, the server uses the preferred encryption settings definition.

    --prompt-for-passphrase

    Indicates that the tool should prompt the user for a passphrase to use to encrypt the file, rather than encrypting the file with an encryption settings definition. The server cannot automatically decrypt passphrase-encrypted files.

    --passphrase-file <path>

    Specifies the path to the file containing the passphrase to use to encrypt the file.

    --compress-output

    Indicates that the server should gzip-compress the output. When encrypting data, the output is compressed before it is encrypted. When decrypting data, the data is compressed after it is decrypted.

    --decompress-input

    Indicates that the input file is gzip-compressed. When decrypting data, the data is decompressed after it is decrypted.

    Use the encrypt-file --help command to see a complete set of arguments supported by the encrypt-file tool.
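The following script is an added example and is not part of the PingDirectory documentation or product. It exercises the procedure above end to end: it creates a constructed bind password file with restrictive permissions, encrypts it with the server's preferred encryption settings definition (gzip-compressing the plaintext first with --compress-output), decrypts it again with --decrypt and --decompress-input, and confirms the round trip is byte-for-byte identical before the plaintext copy would be removed. It assumes PD_ROOT points at a server install containing bin/encrypt-file; the second function assumes --passphrase-file is also accepted together with --decrypt, which the table above does not state explicitly.

```shell
#!/bin/sh
# Added example: round-trip check for the encrypt-file tool.
# Assumption: PD_ROOT is a PingDirectory install root with bin/encrypt-file.
PD_ROOT="${PD_ROOT:-/opt/pingdirectory}"   # assumed install path, override via env

# Encrypt with the preferred encryption settings definition, then decrypt.
# Returns 0 if the decrypted output equals the input, 1 on failure or mismatch,
# and 2 if the tool is not present (so the check can be skipped cleanly).
encrypt_file_roundtrip() {
  plain="$1"
  tool="$PD_ROOT/bin/encrypt-file"
  [ -x "$tool" ] || return 2
  work=$(mktemp -d) || return 1
  # gzip before encrypting; the server can still auto-detect the encryption.
  "$tool" --input-file "$plain" --output-file "$work/enc" --compress-output \
    || { rm -rf "$work"; return 1; }
  # Decrypt (refused if prevent-decrypt-file is active), then gunzip the result.
  "$tool" --decrypt --decompress-input --input-file "$work/enc" \
    --output-file "$work/dec" || { rm -rf "$work"; return 1; }
  if cmp -s "$plain" "$work/dec"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Same round trip, but with a passphrase instead of an encryption settings
# definition. The server cannot auto-decrypt such files; only a holder of the
# passphrase can. Assumption: --passphrase-file is honoured with --decrypt.
passphrase_roundtrip() {
  plain="$1"; pf="$2"
  tool="$PD_ROOT/bin/encrypt-file"
  [ -x "$tool" ] || return 2
  work=$(mktemp -d) || return 1
  "$tool" --input-file "$plain" --output-file "$work/enc" --passphrase-file "$pf" \
    || { rm -rf "$work"; return 1; }
  "$tool" --decrypt --input-file "$work/enc" --output-file "$work/dec" \
    --passphrase-file "$pf" || { rm -rf "$work"; return 1; }
  if cmp -s "$plain" "$work/dec"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return $rc
}

# Constructed sample input: a bind password file, created mode 0600.
umask 077
sample=$(mktemp)
printf 'constructed-sample-bind-password\n' > "$sample"

encrypt_file_roundtrip "$sample" && rc=0 || rc=$?
case $rc in
  0) echo "round trip OK; safe to keep only ${sample}.encrypted" ;;
  2) echo "encrypt-file not found under $PD_ROOT; skipping" ;;
  *) echo "round trip FAILED; keep the plaintext until this is resolved" ;;
esac
rm -f "$sample"
```

Run it on a host with the server installed as `PD_ROOT=/path/to/server sh roundtrip.sh`; a non-zero round trip should be treated as a reason not to delete the plaintext copy, and a failure on the --decrypt step with an otherwise working install usually means the prevent-decrypt-file restriction is enabled.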