Use the following commands to configure log file encryption.

  1. Use dsconfig to enable encryption for a Log Publisher.
    In this example, the File-Based Access Log Publisher "Encrypted Access" is created with encryption enabled, gzip compression, and rotation and retention policies.
    $ bin/dsconfig create-log-publisher --publisher-name "Encrypted Access" \
      --type file-based-access \
      --set enabled:true \
      --set compression-mechanism:gzip \
      --set encryption-settings-definition-id:332C846EF0DCD1D5187C1592E4C74CAD33FC1E5FC20B726CD301CDD2B3FFBC2B \
      --set encrypt-log:true \
      --set log-file:logs/encrypted-access \
      --set "rotation-policy:24 Hours Time Limit Rotation Policy" \
      --set "rotation-policy:Size Limit Rotation Policy" \
      --set "retention-policy:File Count Retention Policy" \
      --set "retention-policy:Free Disk Space Retention Policy" \
      --set "retention-policy:Size Limit Retention Policy"
  2. To decrypt and decompress the file:
    $ bin/encrypt-file --decrypt \
      --decompress-input \
      --input-file logs/encrypted-access.20180216040332Z.gz.encrypted \
      --output-file decrypted-access
    Initializing the server's encryption framework...Done
    Writing decrypted data to file '/ds/PingDirectory/decrypted-access' using a
    key generated from encryption settings definition
    '332c846ef0dcd1d5187c1592e4c74cad33fc1e5fc20b726cd301cdd2b3ffbc2b'
    Successfully wrote 123,456,789 bytes of decrypted data
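
The decryption in step 2 handles one file. The following added example (not part of the product documentation) wraps the same encrypt-file options in a shell function that decrypts every rotated file of one publisher into an owner-only directory, since the output is plaintext again. The function name, the ENCRYPT_FILE variable, the directory arguments, and the assumption that uncompressed logs end in a bare .encrypted suffix are illustrative.

```shell
#!/bin/sh
# Added example: batch-decrypt rotated log files with bin/encrypt-file.
# ENCRYPT_FILE is an assumed override for the tool path; run from the server root.
ENCRYPT_FILE="${ENCRYPT_FILE:-bin/encrypt-file}"

# decrypt_rotated_logs LOG_DIR BASE_NAME OUT_DIR
# Decrypts every LOG_DIR/BASE_NAME.*.encrypted file into OUT_DIR.
# Returns 0 only if at least one file was found and all decrypted cleanly.
decrypt_rotated_logs() {
    log_dir=$1 base=$2 out_dir=$3
    failed=0 found=0

    # Decrypted logs are plaintext: keep the directory and files owner-only.
    old_umask=$(umask)
    umask 077
    mkdir -p "$out_dir" && chmod 700 "$out_dir" || { umask "$old_umask"; return 1; }

    for f in "$log_dir/$base".*.encrypted; do
        [ -f "$f" ] || continue      # glob matched nothing
        found=1
        name=${f##*/}                # strip the directory
        name=${name%.encrypted}      # strip the encryption suffix
        case $name in
            *.gz)
                # Compressed before encryption, as in step 2 above.
                name=${name%.gz}
                "$ENCRYPT_FILE" --decrypt --decompress-input \
                    --input-file "$f" --output-file "$out_dir/$name" || failed=1
                ;;
            *)
                # Assumed naming for a publisher without compression.
                "$ENCRYPT_FILE" --decrypt \
                    --input-file "$f" --output-file "$out_dir/$name" || failed=1
                ;;
        esac
    done

    umask "$old_umask"
    [ "$found" -eq 1 ] && [ "$failed" -eq 0 ]
}
```

A call such as `decrypt_rotated_logs logs encrypted-access /secure/decrypted` processes only files whose names start with the publisher's log-file base name; remove the decrypted copies once the review is finished.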