Encrypting and decrypting files - PingDirectory

Encrypting and decrypting files - PingDirectory - 10.0

PingDirectory 10.0

bundle

pingdirectory-100

ft:publication_title

PingDirectory 10.0

Product_Version_ce

PingDirectory 10.0 (Latest)

category

Product

pd-100

pingdirectory

ContentType_ce

You can use the encrypt-file tool to encrypt and decrypt files with an encryption settings definition or with a supplied passphrase.

When a file is encrypted with an encryption settings definition, the server can automatically determine that the file is encrypted, retrieve the associated definition from the encryption settings database, and use it to access the file's contents.

Encrypting a file with an encryption settings definition is useful for files containing sensitive content needed for processing. Examples include:

PIN files for certificate keys and trust stores
The tools.properties file that contains default arguments for command-line tools
Bind password files for command-line tools
Files used for file-based passphrase providers

Note:

The server does not support encrypting the configuration or schema files. It also does not support encrypting files needed by the configured cipher stream provider to access the encryption settings database.

To encrypt a file with the server's preferred encryption settings definition:

Use the encrypt-file tool.

$ bin/encrypt-file --input-file password.txt \
--output-file password.txt.encrypted

The encrypt-file tool can also decrypt the results of encrypted output files generated by the server, including encrypted backups, LDIF exports, and log files. However, this decryption cannot be performed if the prevent-decrypt-file data encryption restriction is active.

Useful arguments to use with the encrypt-file tool include.

Arguments	Description
`--input-file <path>`	Specifies the path to the file containing the plain-text data to be encrypted. If you do not provide this argument, then the data will be read from standard input.
`--output-file <path>`	Specifies the path to the file to which the encrypted data should be written.
`--decrypt`	Indicates that the data in the input file should be decrypted rather than encrypted. Use of this argument is not allowed if the `prevent-decrypt-file` data encryption restriction is enabled.
`--encryption-settings-id <id>`	Specifies the ID associated with the encryption settings definition to be used in encrypting the input file. By default, the server uses the preferred encryption settings definition.
`--prompt-for-passphrase`	Indicates that the tool should prompt the user for a passphrase to use to encrypt the file, rather than encrypting the file with an encryption settings definition. The server cannot automatically decrypt passphrase-encrypted files.
`--passphrase-file <path>`	Specifies the path to the file containing the passphrase to use to encrypt the file.
`--compress-output`	Indicates that the server should gzip-compress the output. When encrypting data, the output is compressed before it is encrypted. When decrypting data, the data is compressed after it is decrypted.
`--decompress-input`	Indicates that the input file is gzip-compressed. When decrypting data, the data is decompressed after it is decrypted.

Use the encrypt-file --help command to see a complete set of arguments supported by the encrypt-file tool.