Cipher stream providers are used to protect the keys stored in the encryption settings database.
By default, setup generates a strong, random passphrase and writes it to a file; the server then uses a file-based cipher stream provider that reads the passphrase from that file and derives from it the key that encrypts the contents of the encryption settings database. However, the server supports additional cipher stream providers that use alternative means of unlocking the encryption settings database. Options include:
- Require a passphrase to be interactively provided when the server is started, or any time an external process needs access to the encryption settings database.
- Use a key stored in the Amazon Key Management Service (KMS).
- Use a key stored in a HashiCorp Vault instance.
- Use a key generated from a passphrase stored in the Amazon Secrets Manager service.
- Use a key generated from a passphrase stored in the Azure Key Vault service.
- Use a key generated from a passphrase stored in a CyberArk Conjur instance.
- Use a key generated from a certificate stored in a PKCS #11 token.
It is also possible to use the Server SDK to create cipher stream providers that use custom logic to protect the contents of the encryption settings database.
If you want to configure the server to use a different cipher stream provider, first ensure that the desired cipher stream provider is defined and enabled in the configuration and then update the global configuration to use that cipher stream provider to protect the encryption settings database. You should do this with the server online so that it can automatically re-encrypt the encryption settings database with the new key.
For example, to configure the server to use the Amazon KMS cipher stream provider, first define the cipher stream provider in the server configuration with a change like the following (replace the bracketed placeholders with your own values).
    dsconfig create-cipher-stream-provider \
      --provider-name "Amazon KMS" \
      --type amazon-key-management-service \
      --set enabled:true \
      --set "aws-access-key-id:[KMS_ACCESS_KEY_ID]" \
      --set "aws-secret-access-key:[KMS_SECRET_ACCESS_KEY]" \
      --set "kms-encryption-key-arn:[KMS_KEY_ARN]"
Then, update the global configuration to use the new cipher stream provider.
    dsconfig set-global-configuration-prop \
      --set "encryption-settings-cipher-stream-provider:Amazon KMS"
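The two-step change above, packaged as an added example (not from the product documentation): a POSIX shell function that writes both dsconfig commands into a batch file, so the AWS secret access key is never typed on a command line (where it would land in shell history and `ps` output), refuses to run if any credential is missing, and creates the file mode 0600 because it contains the secret. It assumes the operator exports KMS_ACCESS_KEY_ID, KMS_SECRET_ACCESS_KEY and KMS_KEY_ARN, and that the batch file is then applied with `dsconfig --batch-file` plus the usual connection arguments, as the sample batch files in config/sample-dsconfig-batch-files are.

```shell
#!/bin/sh
# Added example: generate a dsconfig batch file that switches the encryption
# settings database to the Amazon KMS cipher stream provider.
# Assumed inputs (operator-supplied environment variables, not product settings):
#   KMS_ACCESS_KEY_ID, KMS_SECRET_ACCESS_KEY, KMS_KEY_ARN
# Usage: write_kms_batch_file /path/to/use-the-kms-provider.dsconfig
write_kms_batch_file() {
  out="$1"
  # Fail closed: every credential must be present before anything is written.
  for var in KMS_ACCESS_KEY_ID KMS_SECRET_ACCESS_KEY KMS_KEY_ARN; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "error: $var is not set" >&2
      return 1
    fi
  done
  # Cheap sanity check that the ARN really names a KMS key.
  case "$KMS_KEY_ARN" in
    arn:aws:kms:*) ;;
    *) echo "error: KMS_KEY_ARN does not look like a KMS key ARN" >&2; return 1 ;;
  esac
  # The batch file holds the secret access key: create it owner-read/write only.
  old_umask=$(umask)
  umask 077
  cat > "$out" <<EOF
# Step 1: define and enable the Amazon KMS cipher stream provider.
create-cipher-stream-provider \\
  --provider-name "Amazon KMS" \\
  --type amazon-key-management-service \\
  --set enabled:true \\
  --set "aws-access-key-id:$KMS_ACCESS_KEY_ID" \\
  --set "aws-secret-access-key:$KMS_SECRET_ACCESS_KEY" \\
  --set "kms-encryption-key-arn:$KMS_KEY_ARN"

# Step 2: make it protect the encryption settings database (server online,
# so the database is re-encrypted with the new key automatically).
set-global-configuration-prop \\
  --set "encryption-settings-cipher-stream-provider:Amazon KMS"
EOF
  umask "$old_umask"
}
```

Delete the batch file once it has been applied; the server keeps the credentials in its own configuration from then on.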
use-the-vault-cipher-stream-provider.dsconfig batch files in the config/sample-dsconfig-batch-files directory for more information about the KMS and Vault cipher stream providers.