The PingDirectory server supports several data encryption restrictions that make it harder for unauthorized individuals to access data in an unencrypted form.
By default, none of the available data encryption restrictions are active in the server.
-
To configure data encryption restrictions, use the encryption-settings
set-data-encryption-restrictions command with one of the following
arguments.
Arguments Description --add-restriction <restriction-name>Activates the specified encryption restriction in the server. You can provide this argument multiple times with a single command to add multiple restrictions.
--remove-restriction <restriction-name>Removes the specified encryption restriction from the server. You can provide this argument multiple times with a single command to remove multiple restrictions.
--remove-all-restrictionsRemoves any data encryption restrictions that are currently in place.
--add-all-restrictionsActivates all supported data encryption restrictions that are not already active.
$ bin/encryption-settings set-data-encryption-restrictions \ --add-all-restrictionsAfter the successful completion of the previous command, you receive a message like the following:
Successfully updated the set of active data encryption restrictions. The updated set of active data encryption restrictions is: * prevent-disabling-data-encryption. * prevent-changing-cipher-stream-provider. * prevent-encryption-settings-export. * prevent-unencrypted-ldif-export. * prevent-passphrase-encrypted-ldif-export. * prevent-unencrypted-backup. * prevent-passphrase-encrypted-backup. * prevent-decrypt-file.
-
To determine which data encryption restrictions are active in the server, use
the encryption-settings get-data-encryption-restrictions
command.
Note:
If you are defining data encryption restrictions in the server, freeze the encryption settings database so that these restrictions cannot be modified by anyone without the appropriate passphrase. For more information, see Freezing the encryption settings database.