Setting up the server in FIPS 140-2-compliant mode requires that you enable data encryption.

  • Configure the server with at least one encryption settings definition. Choose from:
    • If you want the server to generate an encryption settings definition from a passphrase that you provide, use the --encryptDataWithPassphraseFromFile argument to specify the path to a file containing that passphrase.
      Note:

      If you provide the same passphrase to each instance, they will generate the same encryption settings definition and will encrypt data in the same way. Also, in many cases, if you know the passphrase used to generate an encryption settings definition, you can use that passphrase to decrypt encrypted data even if the encryption settings definition isn't available.

    • If you have one or more encryption settings definitions that have been exported from another instance:
      1. Use the --encryptDataWithSettingsImportedFromFile argument to specify the path to that export file.
      2. Provide the --encryptionSettingsExportPassphraseFile argument to specify the path to a file containing the passphrase used to protect the contents of that export.
    • If you want the server to generate an encryption settings definition with a randomly generated passphrase, use the --encryptDataWithRandomPassphrase argument.
      Note:

      If you use this argument when setting up multiple instances, then each instance will have a different encryption settings definition, and data encrypted on one instance might not be accessible to other instances. However, you can use it when setting up the first instance in a topology and then export the generated definition and use the --encryptDataWithSettingsImportedFromFile argument to import it when setting up additional instances.

      Because the random passphrase the server generated when creating the definition will not be exposed, you can't use it to decrypt data if that encryption settings definition is not available.