Re-encrypting sensitive information with configuration encryption keys - PingFederate

Page created: 10 Dec 2021 |

Page updated: 11 Feb 2022

| 1 min read

Product PingFederate 11.0

You can use the configkeymgr command-line utility to re-encrypt sensitive configuration information and OAuth client secrets.

You should re-encrypt sensitive information after you rotate the configuration encryption keys.

To re-encrypt sensitive configuration information:

Stop the PingFederate console node.
Run the configkeymgr utility on the console node:
- If PingFederate is running on Windows, open a command prompt, go to <pf_install>/pingfederate/bin, and run configkeymgr.bat.
- If PingFederate is running on Linux, open a terminal window, go to <pf_install>/pingfederate/bin, and run configkeymgr.sh.
The utility displays its usage help.
Run the reencrypt command.

The utility offers optional arguments for the reencrypt command.
For example, to perform a dry run of the reencrypt command in a Linux environment, enter the following command.
```
./configkeymgr.sh --reencrypt --dry-run
```
Restart the PingFederate console node.
If PingFederate is running in a cluster:
1. Replicate the configuration to the engine nodes.
2. Run the configkeymgr utility on the engine nodes to re-encrypt data that is not included in the replication archive, such as sensitive data defined in the run.properties file.
  
  Note:
  You can run the utility on engine nodes without stopping them.

Re-encrypting sensitive information with configuration encryption keys - PingFederate - 11.0