You can enable data encryption either during server setup or after the server is already running.
When you enable data encryption, also decide how backups and LDIF exports should be handled by setting the following global configuration properties.
Global property | Configuration description
---|---
automatically-compress-encrypted-ldif-exports | Indicates whether the server should automatically compress LDIF exports that are also encrypted.
backup-encryption-settings-definition-id | The unique identifier of the encryption settings definition whose key is used, by default, to encrypt backups.
encrypt-backups-by-default | Indicates whether the server should encrypt backups by default. Note: Regardless of this property's value, the backup command-line tool can override the default behavior for an individual backup.
encrypt-ldif-exports-by-default | Indicates whether the server should encrypt LDIF exports by default. Note: Regardless of this property's value, you can override the default behavior with the export-ldif command-line tool. The tool's --encryptLDIF argument always encrypts the export, and the --doNotEncryptLDIF argument always creates an unencrypted export.
Perform the following steps to enable data encryption:
Enabling encryption only affects data written from that point on. To have existing data encrypted, export it to LDIF and re-import it. This works for the data backends, the changelog, and indexes.
It does not work for the replication database, so change records already stored there remain unencrypted until they are purged. If an encryption settings definition has been compromised, purge the replication database safely by following the steps in Dealing with a Compromised Encryption Key.
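The following POSIX shell script is an added example, not part of this page or of the product's own documentation. It ties the two parts of the procedure together: setting the four global properties from the table above with dsconfig, and then re-encrypting an existing backend by forcing an encrypted LDIF export (the --encryptLDIF argument described above) and importing it again. Everything about the environment is assumed: the tool directory and connection settings in the PD_* variables, the backend name passed in, and a DRY_RUN switch that prints the commands instead of running them so the script can be exercised without a server.

```shell
#!/bin/sh
# Added example (not from the page): enable encryption defaults and re-encrypt existing data.
# Assumptions: server tools live in $PD_BIN, an administrative bind is available through
# $PD_BIND_DN and the password file $PD_PW_FILE, and the server listens on $PD_HOST:$PD_PORT.
# Set DRY_RUN=1 to print each command instead of executing it.

PD_BIN="${PD_BIN:-/opt/ds/bin}"
PD_HOST="${PD_HOST:-localhost}"
PD_PORT="${PD_PORT:-1389}"
PD_BIND_DN="${PD_BIND_DN:-cn=Directory Manager}"
PD_PW_FILE="${PD_PW_FILE:-/opt/ds/config/pw.txt}"

# Run a command, or echo it as one line when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Set the encryption-related global properties in one dsconfig call.
# $1 is the ID of the encryption settings definition to use for backups; an empty ID is
# refused so that encrypt-backups-by-default cannot be switched on without a usable key.
configure_encryption_defaults() {
  def_id="$1"
  if [ -z "$def_id" ]; then
    echo "configure_encryption_defaults: encryption settings definition ID is required" >&2
    return 1
  fi
  run "$PD_BIN/dsconfig" set-global-configuration-prop \
    --hostname "$PD_HOST" --port "$PD_PORT" \
    --bindDN "$PD_BIND_DN" --bindPasswordFile "$PD_PW_FILE" --no-prompt \
    --set encrypt-backups-by-default:true \
    --set "backup-encryption-settings-definition-id:$def_id" \
    --set encrypt-ldif-exports-by-default:true \
    --set automatically-compress-encrypted-ldif-exports:true
}

# Re-encrypt the entries already stored in a backend: export them to an LDIF file that is
# always encrypted (--encryptLDIF overrides the global default either way), then import
# that file back. $1 is the backend ID, $2 the LDIF file path.
# Run this with the server stopped; to run it online instead, add --task and the same
# connection arguments used above to both tool invocations.
reencrypt_backend() {
  backend="$1"
  ldif="$2"
  if [ -z "$backend" ] || [ -z "$ldif" ]; then
    echo "reencrypt_backend: backend ID and LDIF file path are required" >&2
    return 1
  fi
  run "$PD_BIN/export-ldif" --backendID "$backend" --ldifFile "$ldif" --encryptLDIF \
    && run "$PD_BIN/import-ldif" --backendID "$backend" --ldifFile "$ldif"
}

# Usage (dry run, prints the three commands without touching a server):
#   DRY_RUN=1 sh -c '. ./encrypt.sh; configure_encryption_defaults my-aes-key; reencrypt_backend userRoot /tmp/userRoot.ldif'
```

The definition ID passed to configure_encryption_defaults must already exist on the server; the script only refuses an empty ID, it cannot verify the ID itself without contacting the server. Note that this re-export covers the data backends, the changelog and indexes only; as stated above, the replication database keeps its existing unencrypted records until they are purged.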