Use the keycreate tool to create a key for secure property
encryption without removing previous keys or changing the primary encryption key.
About this task
If you complete the process, the tool provides instructions for making the new key
primary. A new key that is not primary cannot be used for property encryption; it
must be made primary first.
To create an encryption key:
Procedure
- Run the keycreate command to create an encryption key.
  The command also prints the alias of the new key. You can run the keycreate tool
  while the server is online. In an HA cluster, run it on only one cluster member,
  because all members share the same keystore. The usage is keycreate; it requires
  no arguments.
- Configure the server to use the new key as its primary key.
  Edit the installed.properties file and set the encryption.keystore.alias property
  to the alias that the keycreate command prints. In an HA cluster, each member has
  its own installed.properties file, so you must edit the file on each member
  individually.
- Restart the server.
  The server loads keys and the primary key setting only at startup. In an HA
  cluster, you must restart each member.
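The three steps above, as one added shell script that is not part of the product documentation: it reads the alias out of the keycreate output, validates it, and rewrites the encryption.keystore.alias setting in installed.properties while keeping a backup. The keycreate output format ("Alias: <name>"), the properties file path and the restart command are assumptions; this page does not specify them, so adjust them to match the real tool output and installation.

```shell
#!/bin/sh
# Added example, not the product's own code. Assumptions (not from the page):
#   - keycreate prints the new alias on a line of the form "Alias: <name>"
#   - the caller supplies the path to installed.properties
#   - the server restart command is installation-specific and is left to the caller

# extract_alias: read keycreate output on stdin and print the alias value only.
extract_alias() {
    sed -n 's/^[Aa]lias:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# current_alias FILE: print the alias currently configured in FILE (last one wins).
current_alias() {
    sed -n 's/^[[:space:]]*encryption\.keystore\.alias[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1
}

# set_primary_alias FILE ALIAS
# Sets encryption.keystore.alias=ALIAS in FILE. The existing line is replaced in
# place, duplicates are dropped, and the key is appended if it was absent. A
# timestamped backup is kept so the previous primary can be restored.
set_primary_alias() {
    file=$1
    new_alias=$2

    # Refuse anything that does not look like a keystore alias: the value is
    # pasted into a config line, so keep it to a conservative character set.
    case $new_alias in
        ''|*[!A-Za-z0-9._-]*)
            echo "set_primary_alias: refusing unexpected alias '$new_alias'" >&2
            return 1 ;;
    esac
    [ -f "$file" ] || { echo "set_primary_alias: $file not found" >&2; return 1; }

    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp "$file.XXXXXX")
    awk -v a="$new_alias" '
        /^[[:space:]]*encryption\.keystore\.alias[[:space:]]*=/ {
            if (!done) { print "encryption.keystore.alias=" a; done = 1 }
            next                      # drop any duplicate settings
        }
        { print }
        END { if (!done) print "encryption.keystore.alias=" a }
    ' "$file" > "$tmp"
    # Copy the content back rather than mv, so the file keeps the owner and mode
    # the server process already has access to.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Example invocation (assumed paths). In an HA cluster run keycreate on one member
# only, then run set_primary_alias on every member, then restart each server:
#   new_alias=$(keycreate | extract_alias)
#   set_primary_alias /path/to/installed.properties "$new_alias"
```

Because the server only reads the primary key setting at startup, check the edited file with current_alias on every member before restarting; a member that was missed keeps encrypting with the old primary.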
Results
When this process is complete, the server (or every server in an HA cluster) uses
only the new primary key to encrypt new data. Previous keys are used only to
decrypt data that was encrypted before the change.