Setting up the server in FIPS 140-2-compliant mode requires that you enable data encryption.
Configure the server with at least one encryption settings definition. Choose
- If you want the server to generate an encryption settings definition from a passphrase
that you provide, use the
--encryptDataWithPassphraseFromFileargument to specify the path to a file containing that passphrase.Note:
If you provide the same passphrase to each instance, they will generate the same encryption settings definition and will encrypt data in the same way. Also, in many cases, if you know the passphrase used to generate an encryption settings definition, you can use that passphrase to decrypt encrypted data even if the encryption settings definition isn't available.
- If you have one or more encryption settings definitions that have been exported from
- Use the
--encryptDataWithSettingsImportedFromFileargument to specify the path to that export file.
- Provide the
--encryptionSettingsExportPassphraseFileargument to specify the path to a file containing the passphrase used to protect the contents of that export.
- Use the
- If you want the server to generate an encryption settings definition with a randomly
generated passphrase, use the
If you use this argument when setting up multiple instances, then each instance will have a different encryption settings definition, and data encrypted on one instance might not be accessible to other instances. However, you can use it when setting up the first instance in a topology and then export the generated definition and use the
--encryptDataWithSettingsImportedFromFileargument to import it when setting up additional instances.
Because the random passphrase the server generated when creating the definition will not be exposed, you can't use it to decrypt data if that encryption settings definition is not available.
- If you want the server to generate an encryption settings definition from a passphrase that you provide, use the