Using data encryption ensures that all future operations written to the local backends, LDAP changelog, and replication database are protected from unauthenticated sources.
Enabling data encryption after setting up the server can result in unencrypted data being stored in local DB backends, the LDAP changelog, and the replication database. You should export all local DB backends to LDIF and re-import the data after enabling encryption to ensure that all data is properly encrypted. This will also ensure that all indexes are encrypted.
To enable data encryption:
-
Use the dsconfig tool with the
set-global-configuration-prop subcommand and set one of the
following properties.
Global property Configuration description encrypt-data
Indicates whether data encryption is enabled in the server:
- If set to
true
, then subsequent writes to the local DB backends, the replication database or the LDAP changelog will be encrypted. - If set to
false
, then subsequent writes will be stored in unencrypted form.
encryption-settings-cipher-stream-provider
Indicates which cipher stream provider should be used to protect the contents of the encryption settings database. By default, an instance of the file-based cipher stream provider is used to encrypt the database with a key generated by a passphrase read from a specified file.
encrypt-backups-by-default
Indicates whether the server should encrypt backups by default:
- If set to
true
, a specified backup-encryption-settings-definition-id value is used to generate the encryption key for the backup. - If a value is not specified, the server attempts to use the preferred encryption settings definition to generate the encryption key.
- If the server is not configured with any encryption settings definitions, it uses an internal key shared across instances in the topology.
- You can override the property's value with the backup tool and either the --encrypt or --doNotEncrypt option.
backup-encryption-settings-definition-id
Specifies the unique identifier of the encryption settings definition to use in generating the encryption key:
- If this property is given a value, then a definition with that ID must exist in the server's encryption settings database.
- If this property is not given a value, but the server is configured with at least one encryption settings definition, then the preferred definition is used.
- If no encryption settings definitions are available, the server will use an internal key shared among servers in the topology.
- You can override the property's value with the
backup tool.
Using the --promptForEncryptionPassphrase or --encryptionPassphraseFile option will generate the encryption key from the provided passphrase.
The --encryptionSettingsDefinitionID option will generate the key from a specified encryption settings definition.
encrypt-ldif-exports-by-default
Indicates whether the server should encrypt LDIF exports by default:
- If set to
true
, and anldif-export-encryption-settings-definition-id
value is specified, then that encryption settings definition is used to generate the encryption key for the export. - If a value is not specified, the server first tries to use the preferred encryption settings definition to generate the encryption key.
- If the server is not configured with any encryption settings definitions, it uses an internal key shared among instances in the topology.
- You can override the property's value with the export-ldif tool and either the --encryptLDIF or --doNotEcryptLDIF option.
automatically-compress-encrypted-ldif-exports
Indicates whether to automatically compress LDIF exports that are encrypted.
If set to
true
, any LDIF export that is encrypted, either with the--encryptLDIF option or with the encrypt-ldif-exports-by-default configuration property, is gzip-compressed.$ bin/dsconfig set-global-configuration-prop --set encrypt-data:true
- If set to