The interactive setup process, which is started when setup is run without any arguments, guides you through the process of enabling data encryption, but if you’re using non-interactive setup or manage-profile setup, then data encryption can be enabled by providing one of the following arguments.

Argument Description


Specifies the path to a file that contains the passphrase to use to generate the encryption settings definition that encrypt the data. If you provide the same passphrase when setting up multiple instances of the server, then each generates the same encryption settings definition, and each instance can access data encrypted by the other instances.


Specifies the path to a file that contains one or more encryption settings definitions to be imported into the newly created encryption settings database. Use the --encryptionSettingsExportPassphraseFile argument to provide the path to a file containing the passphrase used to encrypt those definitions. If you import the same encryption settings definitions into all servers in the topology, then each instance can access data encrypted by the other instances. See the Exporting encryption settings definitions section for more information on exporting the contents of the encryption settings database.


Indicates that the server should enable data encryption with an encryption settings definition created from a randomly generated passphrase. If you use this option to set up multiple instances, then they will not have the same encryption settings definitions, and data encrypted by one instance is not accessible on other instances unless the encryption settings definitions are synchronized across all of those instances.


Indicates that the server should enable data encryption using the definitions from a pre-existing encryption settings database. This database can be protected with any cipher stream provider supported by the server, configured with data encryption restrictions, and frozen so that its contents are immutable.

If you set up the server with a pre-existing encryption settings database, you should use the manage-profile setup tool. The server profile must meet the following requirements:

  • The setup-arguments.txt file must include the --encryptDataWithPreExistingEncryptionSettingsDatabase argument.
  • The server profile must contain the server-root/pre-setup/config/encryption-settings/encryption-settings-db file, which represents the encryption settings database to use for the new server instance.
  • The pre-setup-dsconfig directory must exist and it must contain one or more dsconfig batch files with the changes needed to set up and enable the cipher stream provider to use with the encryption settings database.
  • The server-root/pre-setup directory should include any metadata files that the cipher stream provider needs to access the encryption settings database.