By default, setup generates a strong, random passphrase and writes it to a file, and the server uses a file-based cipher stream provider that reads the passphrase from that file and derives from it the key used to encrypt the contents of the encryption settings database. However, the server supports additional cipher stream providers that can use alternative means for unlocking the encryption settings database. Options include:

  • Require a passphrase to be interactively provided when the server is started, or any time an external process needs access to the encryption settings database.
  • Use a key stored in the Amazon Key Management Service (KMS).
  • Use a key stored in a HashiCorp Vault instance.

It is also possible to use the Server SDK to create cipher stream providers that use custom logic to protect the contents of the encryption settings database.

If you want to configure the server to use a different cipher stream provider, first ensure that the desired cipher stream provider is defined and enabled in the configuration, and then update the global configuration so that it uses that cipher stream provider to protect the encryption settings database. Make this change with the server online: as part of applying the configuration change, the server automatically re-encrypts the encryption settings database with the key obtained from the new cipher stream provider.

For example, to configure the server to use the Amazon KMS cipher stream provider, first define the cipher stream provider in the server configuration with a dsconfig change like the following.

dsconfig create-cipher-stream-provider \
     --provider-name "Amazon KMS" \
     --type amazon-key-management-service \
     --set enabled:true \
     --set "aws-access-key-id:[KMS_ACCESS_KEY_ID]" \
     --set "aws-secret-access-key:[KMS_SECRET_ACCESS_KEY]" \
     --set "kms-encryption-key-arn:[KMS_KEY_ARN]"

Then, update the global configuration to use the new cipher stream provider.

dsconfig set-global-configuration-prop \
     --set "encryption-settings-cipher-stream-provider:Amazon KMS"
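
The two commands above put the AWS secret access key on the command line, where it ends up in shell history and is briefly visible in the process list. The following script is an added example and is not part of the product documentation or the sample batch files. It takes the credentials and key ARN from environment variables (KMS_ACCESS_KEY_ID, KMS_SECRET_ACCESS_KEY, KMS_KEY_ARN are names assumed here), rejects a value that is not a KMS key ARN, writes the same two changes to a temporary dsconfig batch file that only the invoking user can read, applies it with dsconfig --batch-file against the running server, and then runs encryption-settings list to confirm that the encryption settings database can still be unlocked through the new provider. It assumes it is run from the server root so that bin/dsconfig and bin/encryption-settings resolve, and that any connection and authentication options dsconfig needs (hostname, port, bind DN, bind password file) are passed through as the script's arguments.

```shell
#!/bin/sh
# Added example: switch the encryption settings database to the Amazon KMS
# cipher stream provider without placing the secret key on a command line.
set -eu

# render_kms_batch ACCESS_KEY_ID SECRET_ACCESS_KEY KEY_ARN
# Writes a dsconfig batch file (same two changes as the documented commands)
# to stdout. Refuses anything that does not look like a KMS key ARN, so a
# pasted alias ARN or empty variable fails here rather than at the server.
render_kms_batch() {
  access_key_id=$1 secret_access_key=$2 key_arn=$3
  case "$key_arn" in
    arn:aws*:kms:*:key/*) ;;
    *) echo "refusing: '$key_arn' is not a KMS key ARN" >&2; return 1 ;;
  esac
  cat <<EOF
# Define the provider, then make it protect the encryption settings database.
create-cipher-stream-provider \\
     --provider-name "Amazon KMS" \\
     --type amazon-key-management-service \\
     --set enabled:true \\
     --set "aws-access-key-id:$access_key_id" \\
     --set "aws-secret-access-key:$secret_access_key" \\
     --set "kms-encryption-key-arn:$key_arn"

set-global-configuration-prop \\
     --set "encryption-settings-cipher-stream-provider:Amazon KMS"
EOF
}

# apply_kms_batch [dsconfig connection options...]
# Env: KMS_ACCESS_KEY_ID, KMS_SECRET_ACCESS_KEY, KMS_KEY_ARN (assumed names).
apply_kms_batch() {
  : "${KMS_ACCESS_KEY_ID:?set KMS_ACCESS_KEY_ID}" \
    "${KMS_SECRET_ACCESS_KEY:?set KMS_SECRET_ACCESS_KEY}" \
    "${KMS_KEY_ARN:?set KMS_KEY_ARN}"

  umask 077                         # batch file carries the secret key: owner-only
  batch=$(mktemp)
  trap 'rm -f "$batch"' EXIT        # never leave the secret behind on disk
  render_kms_batch "$KMS_ACCESS_KEY_ID" "$KMS_SECRET_ACCESS_KEY" "$KMS_KEY_ARN" > "$batch"

  # Apply against the online server so it re-encrypts the encryption settings
  # database with the KMS-derived key as part of the change. Connection
  # options (--hostname, --port, --bindDN, --bindPasswordFile) come from "$@".
  bin/dsconfig --no-prompt --batch-file "$batch" "$@"

  # If the server cannot obtain the key through the new provider, listing the
  # encryption settings definitions fails here, which is where you want to learn it.
  bin/encryption-settings list
}

# Usage: KMS_ACCESS_KEY_ID=... KMS_SECRET_ACCESS_KEY=... KMS_KEY_ARN=... \
#   sh switch-to-kms.sh apply --hostname localhost --port 1389 \
#   --bindDN "cn=Directory Manager" --bindPasswordFile /path/to/pw
if [ "${1:-}" = "apply" ]; then
  shift
  apply_kms_batch "$@"
fi
```

Export the three variables from a secrets manager or a root-only file rather than typing them into an interactive shell; the script itself never echoes them. The ARN check accepts the aws, aws-cn and aws-us-gov partitions and insists on a key/ resource, because the kms-encryption-key-arn property expects a key ARN.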

See the use-the-amazon-kms-cipher-stream-provider.dsconfig and use-the-vault-cipher-stream-provider.dsconfig batch files in the config/sample-dsconfig-batch-files directory for more information about the KMS and Vault cipher stream providers.