Page created: 6 Nov 2019 |
Page updated: 25 Mar 2020
Use dsconfig to configure the server so that the
encryption-settings database is encrypted with a PIN contained in the file
$ bin/dsconfig create-cipher-stream-provider \ --provider-name "Encryption Settings PIN File" \ --type file-based \ --set enabled:true \ --set password-file:config/encryption-settings.pin
Use dsconfig to set the global configuration property for
the cipher stream provider, which sets the on-disk encryption.
$ bin/dsconfig set-global-configuration-prop \ --set "encryption-settings-cipher-stream-provider:Encryption Settings PIN File"
encryption-settingstool to create a new encryption-settings definition. This command automatically generates a new 256-bit encryption key for use with AES encryption, and mark it as the preferred definition for future encryption operations in the server. Note that this command will fail if you do not have the unlimited encryption strength policy installed as described in the previous section (if you do not have that policy installed, then you are restricted to a 128-bit key for AES encryption).
$ bin/encryption-settings create \ --cipher-algorithm AES \ --key-length-bits 256 \ --set-preferred
Obtain a list of the definitions in the encryption-settings database.
$ bin/encryption-settings list
You can export an encryption-settings definition from the database using a
command like the following where the encryption-settings ID should be changed as
necessary to suit your deployment:
$ bin/encryption-settings export \ --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 \ --output-file /tmp/exported-key \ --pin-file /tmp/exported-key.pin
If no PIN file is specified, then you will be interactively prompted to provide
it. To import an encryption-settings definition into the database on another
$ bin/encryption-settings import \ --input-file /tmp/exported-key \ --pin-file /tmp/exported-key.pin \ --set-preferred