To create a new encryption-settings definition, use the create subcommand. This subcommand takes the following arguments:

  • --cipher-algorithm {algorithm}. Specifies the base cipher algorithm that should be used. This should just be the name of the algorithm (e.g., "AES", "DES", "DESede", "Blowfish", "RC4", etc.). This argument is required.
  • --cipher-transformation {transformation}. Specifies the full cipher transformation that should be used, including the cipher mode and padding algorithms (e.g., "AES/CBC/PKCS5Padding"). This argument is optional, and if it is not provided, then the JVM-default transformation will be used for the specified cipher algorithm.
  • --key-length-bits {length}. Specifies the length of the encryption key in bits (e.g., 128). This argument is required.
  • --set-preferred. Indicates that the new encryption-settings definition should be made the preferred definition and therefore should be used for subsequent encryption operations in the server. When creating the first definition in the encryption-settings database, it will automatically be made the preferred definition.
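
What the JVM-default transformation means for a given algorithm can be checked on the JVM that runs the server. The following Java program is an added example, not part of the server or its documentation; it assumes the algorithm name is passed unchanged to Cipher.getInstance, and the class name, key, and plaintext are constructed for illustration. On JDKs that use the SunJCE provider, a bare "AES" resolves to AES/ECB/PKCS5Padding, so equal plaintext blocks encrypt to equal ciphertext blocks.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example (hypothetical class name); not code from the server.
public class DefaultTransformationCheck {

    // True when the first two 16-byte ciphertext blocks are identical, which
    // happens when equal plaintext blocks are encrypted independently (ECB).
    static boolean repeatsBlocks(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16),
                             Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key: 128 bits, matching --key-length-bits 128.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Constructed sample plaintext: two identical 16-byte blocks.
        byte[] plaintext = new byte[32];
        Arrays.fill(plaintext, (byte) 'A');

        // Assumption: algorithm name only, as when --cipher-algorithm AES is
        // given without --cipher-transformation.
        Cipher dflt = Cipher.getInstance("AES");
        dflt.init(Cipher.ENCRYPT_MODE, key);
        byte[] ctDefault = dflt.doFinal(plaintext);

        // Fully specified transformation, as with --cipher-transformation.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ctCbc = cbc.doFinal(plaintext);

        System.out.println("provider:               " + dflt.getProvider().getName());
        System.out.println("default repeats blocks: " + repeatsBlocks(ctDefault));
        System.out.println("AES/CBC repeats blocks: " + repeatsBlocks(ctCbc));
    }
}
```

If the default line reports repeated blocks, the JVM default is an ECB-style mode, and passing an explicit --cipher-transformation avoids leaking plaintext equality across blocks.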

To create an encryption-settings definition:

  • Use the encryption-settings tool with the create subcommand to specify the definition.
    $ bin/encryption-settings create --cipher-algorithm AES \
      --key-length-bits 128 --set-preferred
    Successfully created a new encryption settings definition with ID