1. To enable encryption for a log publisher, use dsconfig.

    In this example, the File-based Access Log Publisher "Encrypted Access" is created, compression is set, and rotation and retention policies are set.

    $ bin/dsconfig create-log-publisher-prop --publisher-name "Encrypted Access" \
      --type file-based-access \
      --set enabled:true \
      --set compression-mechanism:gzip \
      --set encryption-settings-definition-id:332C846EF0DCD1D5187C1592E4C74CAD33FC1E5FC20B726CD301CDD2B3FFBC2B \
      --set encrypt-log:true \
      --set log-file:logs/encrypted-access \
      --set "rotation-policy:24 Hours Time Limit Rotation Policy" \
      --set "rotation-policy:Size Limit Rotation Policy" \
      --set "retention-policy:File Count Retention Policy" \
      --set "retention-policy:Free Disk Space Retention Policy" \
      --set "retention-policy:Size Limit Retention Policy"
  2. Decrypt and decompress the file.
    $ bin/encrypt-file --decrypt \
      --decompress-input \
      --input-file logs/encrypted-access.20180216040332Z.gz.encrypted \
      --output-file decrypted-access
    Initializing the server's encryption framework...Done
    Writing decrypted data to file '/ds/Data-Sync/decrypted-access' using a
    key generated from encryption settings definition '332c846ef0dcd1d5187c1592e4c74cad33fc1e5fc20b726cd301cdd2b3ffbc2b'
    Successfully wrote 123,456,789 bytes of decrypted data