Encryption can be enabled during server setup by defining an encryption key and passphrase. The same configuration should be used across all servers in a topology. On existing (legacy) systems, or after setup, data encryption can be configured by making at least one encryption-settings definition available for use and then setting the encrypt-data global configuration property to true.
Setting the global configuration property automatically enables data encryption for all types of backends that support it (including the changelog backend and indexes), as well as for the replication server database. All subsequent write operations will cause the corresponding records written to any of these locations to be encrypted. Any existing data remains unencrypted until it is rewritten by a write operation. If you want existing data to be encrypted, export that data to LDIF and re-import it. This works for the data backends, the changelog, and indexes, but it is not an option for the replication database, so existing change records remain unencrypted until they are purged. If this is not acceptable in your environment, follow the steps in Dealing with a Compromised Encryption Key to safely purge the replication database.
Configuration for backups and LDIF exports can be done with the following global properties:
- automatically-compress-encrypted-ldif-exports. Indicates whether to automatically compress LDIF exports that are also encrypted. If set to true, any LDIF export that is encrypted (either explicitly with --encryptLDIF, or implicitly through the encrypt-ldif-exports-by-default configuration property) will automatically be gzip-compressed. If this is false, encrypted LDIF exports can still be compressed manually using the --compress command-line argument.
- backup-encryption-settings-definition-id. The unique identifier of the encryption settings definition used to generate the encryption key for encrypted backups by default. If this property is given a value, a definition with that ID must exist in the server's encryption settings database. If this property is not given a value but the server is configured with at least one encryption settings definition, the preferred definition is used. If no encryption settings definitions are available, the server uses an internal key shared among the servers in the topology. Regardless of this property's value, the key source can be overridden with the backup command-line tool: providing either the --promptForEncryptionPassphrase or the --encryptionPassphraseFile argument generates the encryption key from the supplied passphrase, and the --encryptionSettingsDefinitionID argument generates the key from the specified encryption settings definition.
- encrypt-backups-by-default. Indicates whether the server should encrypt backups by default. If set to true, a defined backup-encryption-settings-definition-id value is used to generate the encryption key for the backup. If this property is true and no backup-encryption-settings-definition-id value is specified, the server tries to use the preferred encryption settings definition to generate the encryption key. If the server is not configured with any encryption settings definitions, an internal key shared among the instances in the topology is used. Regardless of this property's value, the backup command-line tool's --encrypt argument encrypts the backup, even if this property is set to false, and the --doNotEncrypt argument always produces an unencrypted backup, even if this property is set to true.
- encrypt-ldif-exports-by-default. Indicates whether the server should encrypt LDIF exports by default. If set to true and an ldif-export-encryption-settings-definition-id value is specified, that encryption settings definition is used to generate the encryption key for the export. If this property is true and no ldif-export-encryption-settings-definition-id value is specified, the server first tries to use the preferred encryption settings definition to generate the encryption key. If the server is not configured with any encryption settings definitions, an internal key shared among the instances in the topology is used. Regardless of this property's value, the default behavior can be overridden with the export-ldif command-line tool: the --encryptLDIF argument always encrypts the export, and the --doNotEncryptLDIF argument always creates an unencrypted export.
Use dsconfig to set the global configuration property for data encryption to true:
$ bin/dsconfig set-global-configuration-prop --set encrypt-data:true
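The precedence rules for backups and LDIF exports listed above (tool argument beats global property; configured definition beats preferred definition beats the topology-shared internal key) are easy to misread when auditing a deployment. The following is an added example, not code from the product or its documentation: a small model of those rules that reports which key source a given backup or export-ldif invocation would end up using. The ServerConfig class, the function names and the definition IDs used in the test are constructed for illustration; the command-line argument names are the ones the text above lists.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class ServerConfig:
    """Constructed model of the global properties above (names mirror dsconfig)."""
    encryption_settings_ids: List[str] = field(default_factory=list)
    preferred_definition_id: Optional[str] = None
    encrypt_backups_by_default: bool = False
    backup_encryption_settings_definition_id: Optional[str] = None
    encrypt_ldif_exports_by_default: bool = False
    ldif_export_encryption_settings_definition_id: Optional[str] = None
    automatically_compress_encrypted_ldif_exports: bool = False

def _arg_value(args, name):
    # Value following `name` in a `--name value` argument list, else None.
    for i, a in enumerate(args[:-1]):
        if a == name:
            return args[i + 1]
    return None

def _key_from_config(cfg, definition_id):
    """Configured definition -> preferred definition -> internal key shared by the topology."""
    if definition_id is not None:
        if definition_id not in cfg.encryption_settings_ids:
            raise ValueError(f"encryption settings definition {definition_id!r} does not exist")
        return ("definition", definition_id)
    if cfg.preferred_definition_id is not None:
        return ("definition", cfg.preferred_definition_id)
    return ("internal-shared-key", None)  # weakest option: every instance in the topology holds it

def resolve_backup_key(cfg, args):
    """Key source a backup run will use; tool arguments override the global properties."""
    if "--doNotEncrypt" in args:  # always wins, even when encrypt-backups-by-default is true
        return ("unencrypted", None)
    if "--promptForEncryptionPassphrase" in args or _arg_value(args, "--encryptionPassphraseFile"):
        return ("passphrase", None)
    explicit = _arg_value(args, "--encryptionSettingsDefinitionID")
    if explicit is not None:
        return _key_from_config(cfg, explicit)
    if "--encrypt" in args or cfg.encrypt_backups_by_default:
        return _key_from_config(cfg, cfg.backup_encryption_settings_definition_id)
    return ("unencrypted", None)

def resolve_ldif_export(cfg, args):
    """(key source, definition id, gzip-compressed) for an export-ldif run."""
    compress = "--compress" in args
    if "--doNotEncryptLDIF" in args:
        return ("unencrypted", None, compress)
    if "--encryptLDIF" in args or cfg.encrypt_ldif_exports_by_default:
        source, ident = _key_from_config(cfg, cfg.ldif_export_encryption_settings_definition_id)
        return (source, ident, compress or cfg.automatically_compress_encrypted_ldif_exports)
    return ("unencrypted", None, compress)
```

A result of "internal-shared-key" is worth flagging in a review, since that key is common to every instance in the topology rather than tied to a managed encryption settings definition.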