The server supports the ability to encrypt log files as they are written. The encrypt-log configuration property controls whether encryption is enabled for the logger. Enabling encryption causes the log file to have an .encrypted extension (and if both encryption and compression are enabled, the extension will be .gz.encrypted). Any change that affects the name used for the log file could prevent older files from getting properly cleaned up.
Like compression, encryption can only be enabled when the logger is created; it cannot be turned on or off once the logger is configured. For any log file that is encrypted, enabling compression is also recommended to reduce the amount of data that needs to be encrypted, which also reduces the overall size of the log file. The encrypt-file tool (or custom code using the LDAP SDK's com.unboundid.util.PassphraseEncryptedInputStream) is used to access the encrypted data.
To enable encryption, at least one encryption settings definition must be defined in the server. Use the one created during setup, or create a new one with the encryption-settings create command. By default, the encryption is performed with the server's preferred encryption settings definition. To explicitly specify which definition should be used for the encryption, set the encryption-settings-definition-id property to the ID of that definition. It is recommended that the encryption settings definition be created from a passphrase so that the file can be decrypted by providing that passphrase, even if the original encryption settings definition is no longer available. A randomly generated encryption settings definition can also be created, but a log file encrypted with it can only be decrypted using a server instance that has that encryption settings definition.
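The custom-code route mentioned above, as an added example that is not part of the server's or the LDAP SDK's own code: a small reader that decrypts a passphrase-protected log file with the SDK's PassphraseEncryptedInputStream and, for a .gz.encrypted file, gunzips the decrypted stream (compression is applied before encryption, so decryption is the outer layer). The class and method names are constructed here, and the example assumes the UnboundID LDAP SDK is on the classpath.

```java
import com.unboundid.util.PassphraseEncryptedInputStream;

import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.zip.GZIPInputStream;

// Constructed example (not server or SDK code): read an encrypted, optionally
// compressed, log file that has already been rotated (i.e. is no longer being written).
public final class EncryptedLogReader {

  // Wrap the file as: raw bytes -> decrypt -> (gunzip if ".gz.encrypted") -> text.
  static BufferedReader open(Path logFile, char[] passphrase)
      throws IOException, GeneralSecurityException {
    String name = logFile.getFileName().toString();
    if (!name.endsWith(".encrypted")) {
      throw new IOException("not an encrypted log file: " + name);
    }
    InputStream in = new BufferedInputStream(Files.newInputStream(logFile));
    in = new PassphraseEncryptedInputStream(passphrase, in);
    if (name.endsWith(".gz.encrypted")) {
      // Compression was applied before encryption, so decompress the plaintext.
      in = new GZIPInputStream(in);
    }
    return new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 1) {
      System.err.println("usage: EncryptedLogReader <file.encrypted|file.gz.encrypted>");
      System.exit(2);
    }
    // Read the passphrase from the console so it never appears in argv or shell history.
    char[] passphrase = System.console().readPassword("Passphrase: ");
    try (BufferedReader reader = open(Paths.get(args[0]), passphrase)) {
      String line;
      while ((line = reader.readLine()) != null) {
        System.out.println(line);
      }
    } finally {
      Arrays.fill(passphrase, '\0'); // Clear the passphrase from memory when done.
    }
  }
}
```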
When using encrypted logging, a small amount of data may remain in an in-memory buffer until the log file is closed. The encryption is performed using a block cipher, and it cannot write an incomplete block of data until the file is closed. This is not an issue for any log file that is not being actively written. To examine the contents of a log file that is being actively written, use the rotate-log tool to force the file to be rotated before attempting to examine it.