Using an encrypted passphrase or tools.properties file enables you to have credentials available for use by the server and command-line tools, but not stored in the clear. These files should be encrypted with the encrypt-file tool, including:
- Certificate keystore and truststore PIN files. When setting up an instance with encryption enabled and at least one of SSL or StartTLS enabled, the installer will automatically encrypt the PIN files for the config/keystore, config/truststore, and config/ads-truststore certificate databases.
- Passphrase files specified by command-line arguments. For example, most LDAP tools offer --bindPasswordFile, --keystorePasswordFile, and --truststorePasswordFile arguments.
- The config/tools.properties file, which will automatically be used to obtain a default set of arguments for most command-line tools. Alternately, the --propertiesFilePath argument can be used to specify an alternate properties file.
These files should be encrypted with the following considerations:
- If the file is encrypted with a key obtained from the server’s encryption settings database, then the server and associated command-line tools should be able to retrieve the appropriate key from the encryption settings database so that the clear-text contents of the file can be accessed without any interaction (although if the cipher stream provider configured to protect the contents of the encryption settings database requires interaction, like the wait for passphrase cipher stream provider, then command-line tools may require interaction to unlock the encryption settings database).
- If the file is encrypted with a passphrase that the user specifies rather than one obtained from the encryption settings database, then the user will be interactively prompted for that passphrase when running the tool. This option cannot be used for keystore and truststore PIN files that need to be accessed by the server.
To encrypt a file with the server’s preferred encryption settings definition, use a command such as:
$ bin/encrypt-file --input-file password.txt \ --output-file password.txt.encrypted
To use a key from an encryption settings definition that isn’t the default, use the --encryption-settings-id argument to specify the ID of the desired encryption settings definition (which can be obtained with cencryption-settings list), such as:
$ bin/encrypt-file --input-file password.txt \ --output-file password.txt.encrypted \ --encryption-settings-id 4B6899D6716FC3AFFD71F7B447EB135063A0E724
To encrypt the file with a passphrase rather than a key from an encryption settings definition, use either the --prompt-for-passphrase argument to interactively prompt for the passphrase, or use the --passphrase-file argument to specify the path to a file containing the clear-text passphrase. For example:
$ bin/encrypt-file --input-file password.txt \ --output-file password.txt.encrypted \ --prompt-for-passphrase