---
title: Crypto Manager
description: The Crypto Manager provides a common interface for performing compression, decompression, hashing, encryption and other kinds of cryptographic operations.
component: pingds
version: 8.1
page_id: pingds:configref:objects-crypto-manager
canonical_url: https://docs.pingidentity.com/pingds/8.1/configref/objects-crypto-manager.html
section_ids:
  dependencies: Dependencies
  crypto_manager_properties: Crypto Manager properties
  basic_properties: Basic properties
  key-manager-provider: key-manager-provider
  key-wrapping-transformation: key-wrapping-transformation
  master-key-alias: master-key-alias
  signing-key-alias: signing-key-alias
  advanced_properties: Advanced properties
  cipher-key-length: cipher-key-length
  cipher-transformation: cipher-transformation
  digest-algorithm: digest-algorithm
  key-wrapping-mode: key-wrapping-mode
  mac-algorithm: mac-algorithm
  mac-key-length: mac-key-length
---

# Crypto Manager

The Crypto Manager provides a common interface for performing compression, decompression, hashing, encryption and other kinds of cryptographic operations.

## Dependencies

Crypto Managers depend on the following objects:

* [Key Manager Provider](objects-key-manager-provider.html)

## Crypto Manager properties

You can use configuration expressions to set property values at startup time. For details, see [Property value substitution](expressions.html).

| Basic Properties                                                                                                                                                                        | Advanced Properties                                                                                                                                                                                                                     |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [key-manager-provider](#key-manager-provider) [key-wrapping-transformation](#key-wrapping-transformation) [master-key-alias](#master-key-alias) [signing-key-alias](#signing-key-alias) | [cipher-key-length](#cipher-key-length) [cipher-transformation](#cipher-transformation) [digest-algorithm](#digest-algorithm) [key-wrapping-mode](#key-wrapping-mode) [mac-algorithm](#mac-algorithm) [mac-key-length](#mac-key-length) |

## Basic properties

Use the `--advanced` option to access advanced properties.

### key-manager-provider

|                         |                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | The name of the key manager containing the master key-pair and any deprecated master key.                                                                                                                                                                                                                                                                                                                                       |
| *Description*           | The master key, which is identified using the "master-key-alias" property, will be used for encrypting secrets that are generated and distributed across the deployment. Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The alias must correspond to a PrivateKeyEntry in the keystore and is typically an RSA key-pair. |
| *Default value*         | None                                                                                                                                                                                                                                                                                                                                                                                                                            |
| *Allowed values*        | The name of an existing [key-manager-provider](objects-key-manager-provider.html). The referenced key manager provider must be enabled. |
| *Multi-valued*          | No                                                                                                                                                                                                                                                                                                                                                                                                                              |
| *Required*              | Yes                                                                                                                                                                                                                                                                                                                                                                                                                             |
| *Admin action required* | None                                                                                                                                                                                                                                                                                                                                                                                                                            |
| *Advanced*              | No                                                                                                                                                                                                                                                                                                                                                                                                                              |
| *Read-only*             | No                                                                                                                                                                                                                                                                                                                                                                                                                              |

### key-wrapping-transformation

|                         |                                                                                                                                                     |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | The preferred key wrapping transformation for the directory server. This value must be the same for all server instances in a replication topology. |
| *Default value*         | RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING                                                                                                               |
| *Allowed values*        | The key wrapping transformation.                                                                                                                    |
| *Multi-valued*          | No                                                                                                                                                  |
| *Required*              | No                                                                                                                                                  |
| *Admin action required* | None. Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change. |
| *Advanced*              | No                                                                                                                                                  |
| *Read-only*             | No                                                                                                                                                  |

### master-key-alias

|                         |                                                                                                                                                                                                                                                            |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | The alias of the master key-pair which should be used for encrypting secrets that are generated and distributed across the deployment.                                                                                                                     |
| *Description*           | Master keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for decryption. The master key alias references a PrivateKeyEntry in the keystore which is typically an RSA key-pair. |
| *Default value*         | None                                                                                                                                                                                                                                                       |
| *Allowed values*        | A string.                                                                                                                                                                                                                                                  |
| *Multi-valued*          | No                                                                                                                                                                                                                                                         |
| *Required*              | Yes                                                                                                                                                                                                                                                        |
| *Admin action required* | None                                                                                                                                                                                                                                                       |
| *Advanced*              | No                                                                                                                                                                                                                                                         |
| *Read-only*             | No                                                                                                                                                                                                                                                         |

### signing-key-alias

|                         |                                                                                                                                                                                                                                                                           |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | The alias of the key-pair which should be used to generate data signatures.                                                                                                                                                                                               |
| *Description*           | Signing keys may be periodically rotated, but should never be removed from the referenced key manager because they may still be needed for signature verification. The signing key alias references a PrivateKeyEntry in the keystore which is typically an RSA key-pair. |
| *Default value*         | None                                                                                                                                                                                                                                                                      |
| *Allowed values*        | A string.                                                                                                                                                                                                                                                                 |
| *Multi-valued*          | No                                                                                                                                                                                                                                                                        |
| *Required*              | No                                                                                                                                                                                                                                                                        |
| *Admin action required* | None                                                                                                                                                                                                                                                                      |
| *Advanced*              | No                                                                                                                                                                                                                                                                        |
| *Read-only*             | No                                                                                                                                                                                                                                                                        |

## Advanced properties

Use the `--advanced` option to access advanced properties.

### cipher-key-length

|                         |                                                                                                                           |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the key length in bits for the preferred cipher.                                                                |
| *Default value*         | 128                                                                                                                       |
| *Allowed values*        | An integer. Lower limit: 0.                                                                                               |
| *Multi-valued*          | No                                                                                                                        |
| *Required*              | No                                                                                                                        |
| *Admin action required* | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
| *Advanced*              | Yes                                                                                                                       |
| *Read-only*             | No                                                                                                                        |

### cipher-transformation

|                         |                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the cipher for the directory server using the syntax algorithm/mode/padding.                                                                                                                                                                                                                                                                                                                                                   |
| *Description*           | The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms do not have a mode or padding, hence the fields must be specified using NONE as mode and NoPadding as padding. For example, ChaCha20/NONE/NoPadding. |
| *Default value*         | AES/CBC/PKCS5Padding                                                                                                                                                                                                                                                                                                                                                                                                                     |
| *Allowed values*        | The cipher transformation.                                                                                                                                                                                                                                                                                                                                                                                                               |
| *Multi-valued*          | No                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| *Required*              | No                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| *Admin action required* | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
| *Advanced*              | Yes                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| *Read-only*             | No                                                                                                                                                                                                                                                                                                                                                                                                                                       |

### digest-algorithm

|                         |                                                                                                                           |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the preferred message digest algorithm for the directory server.                                                |
| *Default value*         | SHA-256                                                                                                                   |
| *Allowed values*        | A string.                                                                                                                 |
| *Multi-valued*          | No                                                                                                                        |
| *Required*              | No                                                                                                                        |
| *Admin action required* | None. Changes to this property take effect immediately and only affect cryptographic operations performed after the change. |
| *Advanced*              | Yes                                                                                                                       |
| *Read-only*             | No                                                                                                                        |

### key-wrapping-mode

|                         |                                                                                                                                                                |
| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Defines which crypto operation to use to wrap symmetric keys for storage.                                                                                      |
| *Description*           | Symmetric keys are wrapped either by direct encryption or by using the wrap cipher mode, depending on the configured crypto provider capabilities or key type. |
| *Default value*         | encrypt                                                                                                                                                        |
| *Allowed values*        | encrypt: Use the cipher ENCRYPT mode to wrap symmetric keys. wrap: Use the cipher WRAP mode to wrap symmetric keys. |
| *Multi-valued*          | No                                                                                                                                                             |
| *Required*              | No                                                                                                                                                             |
| *Admin action required* | None                                                                                                                                                           |
| *Advanced*              | Yes                                                                                                                                                            |
| *Read-only*             | No                                                                                                                                                             |
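
The two allowed values correspond to two ways of driving the same cipher. The following is an added example, not PingDS code: it wraps a 128-bit AES key under an RSA key-pair with the default `key-wrapping-transformation` in both modes using the standard Java `javax.crypto` API. The class name, the throwaway in-memory key-pair standing in for the master key, and the choice of AES for the symmetric key are assumptions for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;

// Illustration only: class and method names are hypothetical, not part of PingDS.
public class KeyWrappingModes {

    // Default key-wrapping-transformation documented on this page.
    static final String TRANSFORMATION = "RSA/ECB/OAEPWITHSHA-256ANDMGF1PADDING";

    // "encrypt": the caller extracts the raw key bytes and encrypts them
    // like any other payload. Requires that getEncoded() returns the bytes.
    static byte[] wrapUsingEncryptMode(SecretKey key, KeyPair master) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, master.getPublic());
        return cipher.doFinal(key.getEncoded());
    }

    static SecretKey unwrapUsingDecryptMode(byte[] wrapped, KeyPair master) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, master.getPrivate());
        return new SecretKeySpec(cipher.doFinal(wrapped), "AES");
    }

    // "wrap": the Key object is handed to the provider, which performs the
    // wrapping itself; the caller never touches the raw key bytes.
    static byte[] wrapUsingWrapMode(SecretKey key, KeyPair master) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.WRAP_MODE, master.getPublic());
        return cipher.wrap(key);
    }

    static SecretKey unwrapUsingUnwrapMode(byte[] wrapped, KeyPair master) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.UNWRAP_MODE, master.getPrivate());
        return (SecretKey) cipher.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the RSA PrivateKeyEntry that master-key-alias
        // would reference in a real keystore.
        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        KeyPair master = rsa.generateKeyPair();

        // Symmetric key sized like the default cipher-key-length (128 bits).
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(128);
        SecretKey dataKey = aes.generateKey();

        byte[] viaEncrypt = wrapUsingEncryptMode(dataKey, master);
        byte[] viaWrap = wrapUsingWrapMode(dataKey, master);

        SecretKey fromEncrypt = unwrapUsingDecryptMode(viaEncrypt, master);
        SecretKey fromWrap = unwrapUsingUnwrapMode(viaWrap, master);

        // Both modes must recover the original key material.
        System.out.println("encrypt mode round-trip ok: "
                + Arrays.equals(dataKey.getEncoded(), fromEncrypt.getEncoded()));
        System.out.println("wrap mode round-trip ok:    "
                + Arrays.equals(dataKey.getEncoded(), fromWrap.getEncoded()));

        // OAEP is randomized, so two wrappings of the same key differ byte-for-byte.
        System.out.println("wrapped blobs identical:    "
                + Arrays.equals(viaEncrypt, viaWrap));
        System.out.println("wrapped length (bytes):     " + viaWrap.length);
    }
}
```

With a 2048-bit RSA key, each wrapped blob is 256 bytes regardless of mode. The practical difference is whether the raw symmetric key bytes have to be available to the calling code.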

### mac-algorithm

|                         |                                                                                                                           |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the preferred MAC algorithm for the directory server.                                                           |
| *Default value*         | HmacSHA256                                                                                                                |
| *Allowed values*        | A string.                                                                                                                 |
| *Multi-valued*          | No                                                                                                                        |
| *Required*              | No                                                                                                                        |
| *Admin action required* | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
| *Advanced*              | Yes                                                                                                                       |
| *Read-only*             | No                                                                                                                        |

### mac-key-length

|                         |                                                                                                                           |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the key length in bits for the preferred MAC algorithm.                                                         |
| *Default value*         | 128                                                                                                                       |
| *Allowed values*        | An integer. Lower limit: 0.                                                                                               |
| *Multi-valued*          | No                                                                                                                        |
| *Required*              | No                                                                                                                        |
| *Admin action required* | None. Changes to this property take effect immediately but only affect cryptographic operations performed after the change. |
| *Advanced*              | Yes                                                                                                                       |
| *Read-only*             | No                                                                                                                        |
