KeyVault configuration options
KeyVault configuration settings are stored in the /crypt/keyvault/keys.properties file.
The file is a standard Java™ properties file, where each line contains a key and a value separated by an equals sign (`=`).
The following table contains the KeyVault configuration options.
Key | Description |
---|---|
passwordfile | Location of the master key file. The default is /crypt/keyvault/.keyvaultpassword. |
keystorefile | Location of the keystore file. The default is /crypt/keyvault/keyvault. |
should_backup_password | Determines whether the backup operation includes the KeyVault password (true) or not (false). The default is true. If you do not include the KeyVault password in the backup, you must ensure that it is backed up independently. If the KeyVault password is lost, then all secrets are lost. It might not be a major problem for some secrets, such as the database password since that password can be reset. However, other secrets, such as the attachment encryption key, cannot be recovered. |
lockretry_max | Specifies the maximum number of retries to get the KeyVault lock. The default is 25. Increase this value if you see an error like the following in the logs: Timeout getting KeyVault file lock ... |
lockretry_sleep_msec | Milliseconds to sleep between retries of request for KeyVault lock. The default is 200. |
The following example does not back up the password file but does change its location.
should_backup_password=false
passwordfile=/some/other/directory/mykeyvaultpassword
Contact IBM Security® Support for assistance if you need to move the stored secrets to your keystore.
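The following Python sketch is an added example, not part of the product or its documentation. It reads the text of a keys.properties file, applies the defaults from the table, and lists points to review before relying on a backup. The function names, the simplified parser (plain key=value lines with `#` or `!` comment lines), and the handling of unknown keys and of values other than true are assumptions.

```python
from pathlib import Path

# Defaults as documented in the table on this page.
DEFAULTS = {
    "passwordfile": "/crypt/keyvault/.keyvaultpassword",
    "keystorefile": "/crypt/keyvault/keyvault",
    "should_backup_password": "true",
    "lockretry_max": "25",
    "lockretry_sleep_msec": "200",
}

def parse_properties(text):
    """Simplified parser: key=value lines; '#' and '!' start comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def review(text, exists=lambda p: Path(p).is_file()):
    """Return (effective settings, findings) for a keys.properties body."""
    given = parse_properties(text)
    cfg = {**DEFAULTS, **given}
    # Assumption: a key outside the documented set is most likely a typo.
    findings = [f"unknown key: {k}" for k in given if k not in DEFAULTS]
    # Assumption: any value other than "true" excludes the password.
    if cfg["should_backup_password"].lower() != "true":
        findings.append("password excluded from backup; back up "
                        f"{cfg['passwordfile']} independently")
    for key in ("passwordfile", "keystorefile"):
        if not exists(cfg[key]):
            findings.append(f"{key} not found at {cfg[key]}")
    for key in ("lockretry_max", "lockretry_sleep_msec"):
        if not cfg[key].isdigit():
            findings.append(f"{key} is not a whole number: {cfg[key]!r}")
    return cfg, findings

# Constructed sample: the example from this page plus one misspelled key.
SAMPLE = """# constructed sample
should_backup_password=false
passwordfile=/some/other/directory/mykeyvaultpassword
lockretry_sleeep_msec=500
"""

if __name__ == "__main__":
    for finding in review(SAMPLE)[1]:
        print("-", finding)
```

The misspelled key in the sample is reported rather than applied, so the effective lockretry_sleep_msec stays at the documented default of 200.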