Use the keycreate tool to create a new key for secure property encryption without removing previous keys or changing the current primary encryption key. When the tool completes, it prints instructions for making the new key primary. A new non-primary key cannot be used for property encryption; it must be made primary first.
To create an encryption key and make it primary:

- Run the keycreate command to create an encryption key. The command takes no arguments and prints the alias of the new key. You can run keycreate while the server is online. In an HA cluster, run it on only one cluster member, because all members share the same keystore.

- Configure the server to use the new key as its primary key. Edit the installed.properties file and set the encryption.keystore.alias property to the alias that keycreate printed. In an HA cluster, each member has its own installed.properties file, so you must edit the file on each member individually.

- Restart the server. The server loads the keys and the primary key setting only at startup. In an HA cluster, restart each member.
When this process is complete, the server (or every member of an HA cluster) uses the new primary key exclusively to encrypt new data. Previous keys are used only to decrypt data that was encrypted with them, which is why they must stay in the keystore.
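The following shell script is an added example, not part of the product documentation or the keycreate tool itself. It automates the second step above on one cluster member: it rewrites encryption.keystore.alias in installed.properties to the alias that keycreate printed, keeps a backup of the previous file so the old alias is recoverable, verifies the result, and reminds you that a restart is still required. The file layout, the sample property values and the alias names are constructed placeholders; copy the real alias from the keycreate output. In an HA cluster, run make_primary against the installed.properties file on each member.

```shell
#!/bin/sh
# Added example (not the product's own tooling): set the primary encryption
# key alias in installed.properties after running keycreate.
set -eu

# get_property FILE KEY
# Print the value of KEY from a Java-style properties file (first match only).
get_property() {
  file="$1"; key="$2"
  awk -v k="$key" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }' "$file"
}

# set_property FILE KEY VALUE
# Replace an existing "KEY=..." line or append one if the key is absent.
# Writes through `cat > FILE` so the file keeps its owner and permissions,
# and saves FILE.bak first so the previous alias can be restored.
set_property() {
  file="$1"; key="$2"; value="$3"
  tmp="$(mktemp)"
  awk -v k="$key" -v v="$value" '
    index($0, k "=") == 1 { print k "=" v; found = 1; next }
    { print }
    END { if (!found) print k "=" v }
  ' "$file" > "$tmp"
  cp -p "$file" "$file.bak"
  cat "$tmp" > "$file"
  rm -f "$tmp"
}

# make_primary FILE ALIAS
# Point encryption.keystore.alias at ALIAS (the alias printed by keycreate).
# Refuses an empty alias, is idempotent, and verifies the write before
# reporting that a restart is needed to load the new primary key.
make_primary() {
  file="$1"; alias="$2"
  [ -n "$alias" ] || { echo "empty alias: copy the alias printed by keycreate" >&2; return 1; }
  [ -f "$file" ]  || { echo "missing properties file: $file" >&2; return 1; }
  current="$(get_property "$file" encryption.keystore.alias)"
  if [ "$current" = "$alias" ]; then
    echo "$file already uses primary alias $alias"
    return 0
  fi
  set_property "$file" encryption.keystore.alias "$alias"
  [ "$(get_property "$file" encryption.keystore.alias)" = "$alias" ] \
    || { echo "verification failed for $file" >&2; return 1; }
  echo "$file: primary alias '${current:-<unset>}' -> '$alias' (restart this member to load it)"
}

# --- stand-alone demo on a constructed installed.properties (not a real install) ---
demo_dir="$(mktemp -d)"
demo_file="$demo_dir/installed.properties"
printf '%s\n' \
  '# constructed sample installed.properties' \
  'encryption.keystore.alias=key-2021-01' \
  'some.other.setting=true' > "$demo_file"
make_primary "$demo_file" "key-2024-07"   # "key-2024-07" stands in for the keycreate output
cat "$demo_file"
```

The awk match uses index() rather than a regular expression so the dots in encryption.keystore.alias are treated literally. The script only edits the file; as the procedure says, the server still has to be restarted on every member before the new key is actually used for encryption.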