You should re-encrypt sensitive information after you rotate the configuration encryption keys.

To re-encrypt sensitive configuration information:

  1. Stop the PingFederate console node.
  2. Run the configkeymgr utility on the console node:
    • If PingFederate is running on Windows, open a command prompt, go to <pf_install>/pingfederate/bin, and run configkeymgr.bat.
    • If PingFederate is running on Linux, open a terminal window, go to <pf_install>/pingfederate/bin, and run

    The utility displays its usage help.

  3. Run the reencrypt command.

    The utility offers optional arguments for the reencrypt command.

    For example, to perform a dry run of the reencrypt command in a Linux environment, enter the following command.

    ./ --reencrypt --dry-run
  4. Restart the PingFederate console node.
  5. If PingFederate is running in a cluster:
    1. Replicate the configuration to the engine nodes.
    2. Run the configkeymgr utility on the engine nodes to re-encrypt data that is not included in the replication archive, such as sensitive data defined in the file.

      You can run the utility on engine nodes without stopping them.