There are two ways to accomplish this:

  • Use the encryption-settings create command on each instance with the same passphrase. Alternatively, if you’re enabling data encryption when running setup, provide the same passphrase file to each instance.
  • Create the desired definitions on one instance, export them from that instance, and import them into the other instances or provide the export file when running setup.

To export one or more encryption settings definitions, use the encryption-settings export command, which supports the following arguments.

Argument Description


A required argument that specifies the path to the export file to be written.


An optional argument that specifies the path to a file containing the passphrase to use to encrypt the contents of the export. If this is not provided, the tool interactively prompts for the passphrase. Because this passphrase is used to protect the contents of the export, it must be strong and it should not match the passphrase used to create any of the definitions.


An optional argument that can be used to explicitly specify the IDs of the definitions to include in the export. If this is not provided, then all definitions are included.


Indicates that the tool should use a legacy export format that was supported by older versions of the server. You might need to use this argument if you are exporting definitions from a newer version for import into an older version. The legacy export format can only hold a single encryption settings definition, so the --id argument must be used to specify the ID of the definition to include.

The following is an example of the command with one of the arguments included.

$ bin/encryption-settings export \
     --output-file exported-definitions.esd
Enter the PIN to use to encrypt the definition:
Re-enter the encryption PIN:
Successfully exported encryption settings data to file exported-definitions.esd.