Creating an encryption key

Use the keycreate tool to create a key for secure property encryption without removing previous keys or changing the primary encryption key.
About this task

When the process completes, the tool prints instructions for making the new key primary. A new non-primary key cannot be used for property encryption; it must be made primary first.
To create an encryption key:

Procedure

- Run the keycreate command to create an encryption key. The command also prints the alias of the new key. You can run the keycreate tool while the server is online. In an HA cluster, run it on only one cluster member, because all cluster members share the same keystore. The usage is keycreate; it requires no arguments.
- Configure the server to use the new key as its primary key. Edit the installed.properties file and set the encryption.keystore.alias property to the alias that the keycreate command prints. In an HA cluster, each member has its own installed.properties file, so you must edit each member individually.
- Restart the server. The server loads keys and the primary key setting only at startup. In an HA cluster, you must restart each member.
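The following shell functions are an added example for the second step above; they are not part of the original documentation or of the product's own tooling. They set the encryption.keystore.alias property in an installed.properties-style file (replacing the existing line, or appending one if it is missing) and read it back so you can confirm the edit on each HA member before restarting. The file path, the sample property names other than encryption.keystore.alias, and the alias values are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original documentation or the product's own tooling.
# Rewrites encryption.keystore.alias in an installed.properties-style file without
# touching any other property; other keys and their order are preserved.
# Aliases are assumed to contain no sed metacharacters such as '/' or '&'.

# Usage: set_primary_alias <properties-file> <new-alias>
set_primary_alias() {
    file="$1"
    alias="$2"
    [ -f "$file" ] || return 1
    tmp="$file.tmp.$$"
    if grep -q '^encryption\.keystore\.alias=' "$file"; then
        # Property present: rewrite only that line.
        sed "s/^encryption\.keystore\.alias=.*/encryption.keystore.alias=$alias/" "$file" > "$tmp"
    else
        # Property absent: append it at the end of the file.
        cp "$file" "$tmp" && printf 'encryption.keystore.alias=%s\n' "$alias" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Usage: get_primary_alias <properties-file>
# Prints the alias currently configured as primary (last occurrence wins).
get_primary_alias() {
    sed -n 's/^encryption\.keystore\.alias=//p' "$1" | tail -n 1
}

# Demonstration on a constructed sample file (not real product output).
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample installed.properties
server.port=8443
encryption.keystore.alias=enc-key-1
other.setting=true
EOF
    set_primary_alias "$f" "enc-key-2"
    get_primary_alias "$f"
    rm -f "$f"
}
```

In an HA cluster you would run set_primary_alias against the installed.properties file on every member with the same alias, then use get_primary_alias on each to verify they agree before restarting the members.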
Results

When this process is complete, the server (or every server in an HA cluster) uses the new primary key exclusively to encrypt new data. Previous keys can be used only to decrypt previously encrypted data.