Data encryption should be enabled when running setup, which ensures that all data added to the server is encrypted and also configures the server to automatically encrypt backups and LDIF exports.
The interactive setup process, which is started when setup is run without any arguments, guides you through the process of enabling data encryption, but if you’re using non-interactive setup or manage-profile setup, then data encryption can be enabled by providing one of the following arguments.
| Argument | Description |
|---|---|
|
|
Specifies the path to a file that contains the passphrase to use to generate the encryption settings definition that encrypt the data. If you provide the same passphrase when setting up multiple instances of the server, then each generates the same encryption settings definition, and each instance can access data encrypted by the other instances. |
|
|
Specifies the path to a file that contains one or more encryption
settings definitions to be imported into the newly created
encryption settings database. Use the
|
|
|
Indicates that the server should enable data encryption with an encryption settings definition created from a randomly generated passphrase. If you use this option to set up multiple instances, then they will not have the same encryption settings definitions, and data encrypted by one instance is not accessible on other instances unless the encryption settings definitions are synchronized across all of those instances. |
|
|
Indicates that the server should enable data encryption using the definitions from a pre-existing encryption settings database. This database can be protected with any cipher stream provider supported by the server, configured with data encryption restrictions, and frozen so that its contents are immutable. If you set up the server with a pre-existing encryption settings database, you should use the manage-profile setup tool. The server profile must meet the following requirements:
|