Manage the server encryption settings database.
More information about the cipher algorithms and transformations available for use may be found in the Java Cryptography Architecture Reference Guide, as well as the Standard Algorithm Name Documentation for your chosen JDK implementation used by this server.
encryption-settings supply-passphrase
encryption-settings list
encryption-settings create --cipher-algorithm AES --key-length-bits 128 \
--prompt-for-passphrase --set-preferred
encryption-settings delete --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
encryption-settings export --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 \
--output-file /tmp/exported-key --pin-file /tmp/exported-key.pin
encryption-settings export --output-file /tmp/exported-key \
--pin-file /tmp/exported-key.pin
encryption-settings import --input-file /tmp/exported-key \
--pin-file /tmp/exported-key.pin --set-preferred
encryption-settings set-preferred --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
Create a new encryption settings definition for use by the server. A new random key will be generated based on the provided settings
encryption-settings create --cipher-algorithm AES --key-length-bits 128 \
--prompt-for-passphrase --set-preferred
encryption-settings create --cipher-algorithm AES \
--cipher-transformation AES/CBC/PKCS5Padding --key-length-bits 128 \
--passphrase-file passphrase-file.txt \
--description "An encryption settings definition created from a known passphrase" \
--set-preferred
-a {algorithm}
--cipher-algorithm {algorithm}
| Description | The cipher algorithm to use for encryption and decryption. This must be provided |
| Required | Yes |
| Multi-Valued | No |
-t {transformation}
--cipher-transformation {transformation}
| Description | The full cipher transformation that will be used for encryption and decryption. If this is not provided, then a default transformation will be used based on the specified cipher algorithm |
| Required | No |
| Multi-Valued | No |
-l {bits}
--key-length-bits {bits}
| Description | The length in bits of the encryption key that should be used for the encryption settings definition |
| Lower Bound | 1 |
| Required | Yes |
| Multi-Valued | No |
--prompt-for-passphrase
| Description | Interactively prompt for a passphrase that will be used to generate the encryption key. If neither the --prompt-for-passphrase nor the --passphrase-file argument is provided, then the key will be generated from a random passphrase |
--passphrase-file {path}
| Description | The path to a file containing a passphrase that will be used to generate the encryption key. If neither the --prompt-for-passphrase nor the --passphrase-file argument is provided, then the key will be generated from a random passphrase |
| Required | No |
| Multi-Valued | No |
--description {description}
| Description | A description for the encryption settings definition |
| Required | No |
| Multi-Valued | No |
-p
--set-preferred
| Description | Make the new encryption settings definition preferred for subsequent encryption operations. If the new definition is the first definition, then it will automatically be set preferred |
Delete an encryption settings definition from the server. Note that the preferred encryption settings definition may not be deleted. To delete the preferred definition, you must first set another definition as the preferred definition, and you will then be allowed to remove the previously-preferred definition. Also note that if you delete an encryption settings definition from the server, any data encrypted with that definition will become unreadable
encryption-settings delete --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
-i {id}
--id {id}
| Description | The identifier for the encryption settings definition to remove |
| Required | Yes |
| Multi-Valued | No |
-n
--no-prompt
| Description | Do not prompt the user for any confirmations while running |
Export an encryption settings definition from the server so that it can be imported into another server
encryption-settings export --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 \
--output-file /tmp/exported-key --pin-file /tmp/exported-key.pin
encryption-settings export --output-file /tmp/exported-key \
--pin-file /tmp/exported-key.pin
-i {id}
--id {id}
| Description | The identifier for the encryption settings definition to export. This may be provided multiple times to export multiple specific encryption settings definitions, or it may be omitted to indicate that all definitions should be exported |
| Required | No |
| Multi-Valued | Yes |
-o {path}
--output-file {path}
| Description | The path of the output file to which the exported encryption settings should be written |
| Required | Yes |
| Multi-Valued | No |
-W {path}
--pin-file {path}
| Description | The path of the file containing the PIN that should be used to encrypt the exported encryption settings. If this is not provided, it will be interactively requested from the user |
| Required | No |
| Multi-Valued | No |
--use-legacy-export-format
| Description | Use a legacy export format that is compatible with pre-7.0 server versions. If this argument is provided, then the --id argument must also be provided to specify exactly one encryption settings definition to export. Note that in general, it is better to import settings from an older server into a newer one rather than the other way around, and settings exported using the legacy format will have a different identifier than the setting has in this encryption settings database |
Import one or more encryption settings definitions into the server
encryption-settings import --input-file /tmp/exported-key \
--pin-file /tmp/exported-key.pin --set-preferred
-i {path}
--input-file {path}
| Description | The path of the input file containing the encryption settings definitions to import |
| Required | Yes |
| Multi-Valued | No |
-W {path}
--pin-file {path}
| Description | The path of the file containing the PIN that should be used to decrypt the exported encryption settings. If this is not provided, it will be interactively requested from the user |
| Required | No |
| Multi-Valued | No |
-p
--set-preferred
| Description | Update the preferred encryption settings definition based on the information contained in the input file. If the input file contains only a single definition, then that definition will be the new preferred definition. If the input file contains multiple definitions, then the new preferred definition will be the one that is marked as preferred in the export, or the last definition in the input file if none of the definitions are marked preferred |
List all of the encryption settings definitions available to the server
encryption-settings list
-v
--verbose
| Description | Display verbose output |
Specify the preferred settings to use for encryption in the server
encryption-settings set-preferred --id DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
-i {id}
--id {id}
| Description | The identifier for the encryption settings definition to set as preferred |
| Required | Yes |
| Multi-Valued | No |
Interactively supply the passphrase needed to access the contents of the encryption settings database. This is only applicable if the server is configured to use a 'Wait for Passphrase' cipher stream provider
encryption-settings supply-passphrase
-V
--version
| Description | Display Data Governance Server version information |
-H
--help
| Description | Display general usage information |
--help-debug
| Description | Display help for using debug options |
| Advanced | Yes |