The server supports the ability to encrypt log files as they are written. The encrypt-log configuration property controls whether encryption will be enabled for the logger. Enabling encryption causes the log file to have an .encrypted extension (and if both encryption and compression are enabled, the extension will be .gz.encrypted). Any change that affects the name used for the log file could prevent older files from getting properly cleaned up.
Like compression, encryption can only be enabled when the logger is created.
Encryption cannot be turned on or off once the logger is configured. For any log
file that is encrypted, enabling compression is also recommended to reduce the
amount of data that needs to be encrypted. This will also reduce the overall size of
the log file. The encrypt-file tool (or custom code, using the
used to access the encrypted data.
To enable encryption, at least one encryption settings definition must be defined in
the server. Use the one created during setup, or create a new one with the
encryption-settings create command. By default, the
encryption will be performed with the server's preferred encryption settings
definition. To explicitly specify which definition should be used for the
encryption-settings-definition-id property can be
set with the ID of that definition. It is recommended that the encryption settings
definition is created from a passphrase so that the file can be decrypted by
providing that passphrase, even if the original encryption settings definition is no
longer available. A randomly generated encryption settings definition can also be
created, but the log file can only be decrypted using a server instance that has
that encryption settings definition.
When using encrypted logging, a small amount of data may remain in an in-memory buffer until the log file is closed. The encryption is performed using a block cipher, and it cannot write an incomplete block of data until the file is closed. This is not an issue for any log file that is not being actively written. To examine the contents of a log file that is being actively written, use the rotate-log tool to force the file to be rotated before attempting to examine it.
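The buffering behaviour described above can be seen with a small model of a block-cipher log writer. This is an added example, not the server's own code: the server's cipher, block size and file format are not shown on the page, so the block size (16 bytes) is an assumption and the per-block transform is a toy self-inverse XOR that only stands in for a real cipher. The sample log lines are constructed. What the model shows is the part that matters operationally: every complete block reaches the sink as soon as it is full, the trailing partial block stays in memory, and a reader of the file sees only whole blocks until the file is closed.

```python
import io

BLOCK_SIZE = 16  # assumption: AES-style 16-byte blocks; the page only says "block cipher"


def toy_block_transform(block: bytes, key: bytes) -> bytes:
    """Stand-in for one block-cipher operation (NOT a real cipher, NOT secure).
    A self-inverse XOR keeps the example free of crypto libraries; the point
    being modelled is only that the operation needs a complete block."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("block cipher needs a complete block")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(block))


class BlockBufferedLogWriter:
    """Models a logger that encrypts as it writes: full blocks go to the sink
    immediately, the trailing partial block waits in memory until close()."""

    def __init__(self, sink, key: bytes, block_size: int = BLOCK_SIZE):
        self.sink = sink
        self.key = key
        self.block_size = block_size
        self.pending = b""

    def write(self, data: bytes) -> None:
        self.pending += data
        while len(self.pending) >= self.block_size:
            block = self.pending[:self.block_size]
            self.pending = self.pending[self.block_size:]
            self.sink.write(toy_block_transform(block, self.key))

    def bytes_pending(self) -> int:
        """Bytes accepted by the logger but not yet on disk."""
        return len(self.pending)

    def close(self) -> None:
        # PKCS#7-style padding: 1..block_size bytes so the final block is complete.
        pad = self.block_size - (len(self.pending) % self.block_size)
        self.write(bytes([pad]) * pad)


def decrypt_blob(blob: bytes, key: bytes, padded: bool) -> bytes:
    """Reverse the transform block by block; strip padding only for a closed file."""
    out = b"".join(toy_block_transform(blob[i:i + BLOCK_SIZE], key)
                   for i in range(0, len(blob), BLOCK_SIZE))
    if padded and out:
        out = out[:-out[-1]]
    return out


# Constructed sample access-log lines (not real server output).
SAMPLE_LINES = [
    b"[16/Feb/2018:04:03:32 +0000] CONNECT conn=1 from=10.0.0.5\n",
    b"[16/Feb/2018:04:03:33 +0000] BIND conn=1 op=0 dn=cn=Directory Manager\n",
    b"[16/Feb/2018:04:03:34 +0000] SEARCH conn=1 op=1 base=dc=example,dc=com\n",
]
DEMO_KEY = b"constructed-demo-key"


def write_log(lines, close_file: bool):
    """Write the lines; return (bytes on 'disk', bytes still in memory, recovered text)."""
    sink = io.BytesIO()  # stands in for the log file on disk
    writer = BlockBufferedLogWriter(sink, DEMO_KEY)
    for line in lines:
        writer.write(line)
    if close_file:
        writer.close()  # what rotate-log achieves for the active file
    blob = sink.getvalue()
    return len(blob), writer.bytes_pending(), decrypt_blob(blob, DEMO_KEY, padded=close_file)


if __name__ == "__main__":
    total = sum(len(line) for line in SAMPLE_LINES)
    on_disk, in_memory, text = write_log(SAMPLE_LINES, close_file=False)
    print(f"active file: {on_disk} bytes on disk, {in_memory} of {total} bytes still buffered")
    print("last fully recoverable line:", text.splitlines()[-1][:40])
    on_disk, in_memory, text = write_log(SAMPLE_LINES, close_file=True)
    print(f"after close: {on_disk} bytes on disk, {in_memory} buffered, all lines recoverable")
```

Run with the file still "open" and the decrypted output ends part-way through the last line; after close() the padding completes the final block and every line comes back. That is the reason to rotate an actively written log before examining it rather than reading it in place.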
The following commands can be used to set log file encryption:
Use dsconfig to enable encryption for a Log Publisher. In this example, the File-Based Access Log Publisher "Encrypted Access" is created, compression is set, encryption is enabled with an explicit encryption settings definition ID, and rotation and retention policies are set.
$ bin/dsconfig create-log-publisher-prop --publisher-name "Encrypted Access" \
    --type file-based-access \
    --set enabled:true \
    --set compression-mechanism:gzip \
    --set encryption-settings-definition-id:332C846EF0DCD1D5187C1592E4C74CAD33FC1E5FC20B726CD301CDD2B3FFBC2B \
    --set encrypt-log:true \
    --set log-file:logs/encrypted-access \
    --set "rotation-policy:24 Hours Time Limit Rotation Policy" \
    --set "rotation-policy:Size Limit Rotation Policy" \
    --set "retention-policy:File Count Retention Policy" \
    --set "retention-policy:Free Disk Space Retention Policy" \
    --set "retention-policy:Size Limit Retention Policy"
To decrypt and decompress the file:
$ bin/encrypt-file --decrypt \
    --decompress-input \
    --input-file logs/encrypted-access.20180216040332Z.gz.encrypted \
    --output-file decrypted-access
Initializing the server's encryption framework...Done
Writing decrypted data to file '/ds/PingDirectory/decrypted-access' using a key generated from encryption settings definition '332c846ef0dcd1d5187c1592e4c74cad33fc1e5fc20b726cd301cdd2b3ffbc2b'
Successfully wrote 123,456,789 bytes of decrypted data
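The naming rules in this section (an .encrypted suffix, .gz.encrypted when compression is also on, a rotation timestamp before the suffix as in the file name above) are enough to audit a logs directory before anyone reaches for encrypt-file. The following is an added example, not a PingDirectory tool: it classifies each file from its name, flags rotated files that were written without encryption, treats a file without a rotation timestamp as the active one to be rotated first, and builds the encrypt-file argument list using only the flags shown on this page. The directory listing is constructed; the regular expression for the rotation timestamp and the assumption that the active file carries no timestamp are mine, since the page does not show the active file's name.

```python
import re
from typing import Dict, List

# Rotated-file naming seen on the page: <log-file>.<timestamp>Z[.gz][.encrypted]
# Assumption: a 14-digit UTC stamp followed by "Z", as in 20180216040332Z.
ROTATION_STAMP = re.compile(r"\.\d{14}Z(?=\.|$)")


def classify_log_file(name: str) -> Dict[str, bool]:
    """Derive encryption, compression and rotation state from the file name alone."""
    encrypted = name.endswith(".encrypted")
    stem = name[: -len(".encrypted")] if encrypted else name
    compressed = stem.endswith(".gz")
    return {
        "encrypted": encrypted,
        "compressed": compressed,
        "rotated": ROTATION_STAMP.search(name) is not None,
    }


def decrypt_command(path: str, output_file: str) -> List[str]:
    """Build the encrypt-file argv for one file, using only the flags documented above."""
    info = classify_log_file(path)
    if not info["encrypted"]:
        raise ValueError(f"{path} is not an encrypted log file")
    argv = ["bin/encrypt-file", "--decrypt"]
    if info["compressed"]:
        argv.append("--decompress-input")  # only for .gz.encrypted input
    argv += ["--input-file", path, "--output-file", output_file]
    return argv


def audit_log_dir(names: List[str]) -> Dict[str, List[str]]:
    """Split a directory listing into the buckets a reviewer needs to act on."""
    report: Dict[str, List[str]] = {
        "plaintext_rotated": [],  # rotated files written by a logger without encrypt-log
        "active_skip": [],        # no rotation stamp: still open, partial block buffered
        "ready_to_decrypt": [],   # rotated and encrypted
    }
    for name in sorted(names):
        info = classify_log_file(name)
        if not info["rotated"]:
            report["active_skip"].append(name)
        elif not info["encrypted"]:
            report["plaintext_rotated"].append(name)
        else:
            report["ready_to_decrypt"].append(name)
    return report


# Constructed listing of a logs/ directory (not real server output).
# The active file's exact name is an assumption; the page does not show it.
SAMPLE_LISTING = [
    "encrypted-access.gz.encrypted",
    "encrypted-access.20180216040332Z.gz.encrypted",
    "encrypted-access.20180215040332Z.gz.encrypted",
    "access.20180216040332Z.gz",
    "errors.20180216040332Z",
]

if __name__ == "__main__":
    report = audit_log_dir(SAMPLE_LISTING)
    for bucket, files in report.items():
        print(f"{bucket}: {files}")
    for name in report["ready_to_decrypt"]:
        print(" ".join(decrypt_command("logs/" + name, "decrypted-" + name.split(".")[0])))
```

The active file lands in active_skip rather than in the decrypt list, which is the rotate-log advice from the previous section turned into a check. The plaintext_rotated bucket is the one worth alerting on: because encryption can only be set when a logger is created, a plaintext rotated file means a publisher exists that was never configured with encrypt-log.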