Encrypt the Data Index

You can optionally configure the IDOL Content component to encrypt your index data.

When you enable index encryption, Content uses 256-bit AES encryption. Encryption includes:

  • document data in the index.
  • temporary data in the index cache.
  • value mapping files used by the parametric, match, and security indexes.
  • the term dictionary.
  • the unstemmed term tree.
  • the geospatial index.
  • any data sent with index actions that is stored in your index queue before processing.
  • stored state tokens that are generated when users run queries with StoreState=True (if StoredStateField has been set so that document references are used instead of document IDs).

To use index encryption, you need an AES key file. You can create this key file by using the autpassword command-line tool. See Password Encryption.

CAUTION: If you lose your encryption keys after you enable encryption, you cannot recover your IDOL data.

In a distributed system, you can enable encryption both in your Content indexes, and in the Distributed Index Handler (DIH). The DIH encrypts the index data that it stores in the index queue while waiting to process it.

NOTE: DIH decrypts the index queue content before it forwards data to its child Content indexes for processing. Micro Focus recommends that you enable TLS encryption to ensure that you have secure communication between Content and DIH.

Enable Index Encryption

There are two ways to enable encryption in your index:

  • Set the AESKeyFile configuration parameter in the Content and DIH configuration file.
  • Use the -dataencryptionkey command line parameter when you start Content and DIH.

The -dataencryptionkey option overrides any AESKeyFile setting in your configuration file.

NOTE: You can turn on AES encryption in an index that has existing content. In this case:

  • IDOL Server encrypts the value mapping and geospatial index files at startup.
  • Document data encryption applies only to new data.
  • Any unprocessed data in your index queue remains unencrypted.
  • IDOL Server does not encrypt the unstemmed term tree unless you regenerate it (see Regenerate with a Server Restart).
  • IDOL Server encrypts the term dictionary when it next flushes the terms to disk during index, or when you run index compaction.
  • Existing stored state tokens that were generated before encryption was enabled are not encrypted.

Content also applies these rules for encrypting new data when you upgrade to Content version 12.9.0 or later (which uses a hardened AES implementation) from an earlier version.

To ensure that all your data is encrypted, Micro Focus recommends that you index your data into an empty index, with encryption enabled.

Enable Index Encryption in the Configuration File

You can enable index encryption by setting the AESKeyFile parameter in the IDOL Content component configuration file.

If you have a distributed system, you can also configure AESKeyFile in the DIH configuration file, to ensure that it encrypts the stored index queue data.

To configure index encryption

  1. Open the IDOL Content component configuration file in a text editor.

  2. Find the [DataEncryption] section, or create one if it does not exist.

  3. Set AESKeyFile to the full path to your AES encryption key file. For example:

    [DataEncryption]
    AESKeyFile=C:\idoldata\keys\indexkey.ky

  4. Save and close the configuration file.

  5. Restart the IDOL Content component for your changes to take effect.

NOTE: Content does not start if it cannot find the specified key file, or if the key file is not valid.

Enable Index Encryption When You Start IDOL Components

When you start the IDOL Content component from the command line, you can use the -dataencryptionkey argument to enable encryption. You set this option to the 64-character hexadecimal AES key that you want to use.

For example:

Content.exe -configfile Content.cfg -dataencryptionkey D15B643D5332BB9B9871EB1828D91367FA5419FD7179C8254AA4CCB647AB8009

If you have a distributed system, you can also use this command-line parameter to add an encryption key when you start the DIH.

The data encryption key that you provide on startup overrides any configured value for AESKeyFile.

Check Your Encryption Status

You can check the encryption status of your Content index by sending the GetStatus action.

The response for Content includes a data_encryption section, which can have one of the following values:

  • false. The index is not encrypted.
  • true. All data in the index is encrypted.
  • partial. Some data in the index is encrypted, but there is also some unencrypted data. This status might also mean all data is encrypted, but some data was encrypted by an earlier version of Content that used an older AES implementation.

You can also send a GetStatus action to the Distributed Action Handler (DAH) to find the encryption status of all the DAH child servers. In this case, the response values are:

  • false. None of your child servers are encrypted.
  • true. All your child servers are fully encrypted.
  • partial. At least one of your child servers contains encrypted data, but there are unencrypted or partially encrypted child servers.
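The following script is an added example (not part of the IDOL documentation) that turns the GetStatus check above into an audit you can run against several Content or DAH servers and act on. It assumes the ACI response is XML containing a data_encryption element with one of the values listed above; the response shape, the action URL form, and the sample responses are constructed for illustration.

```python
"""Audit IDOL index encryption status from GetStatus responses.

Added example, not IDOL's own code. Assumes the GetStatus response is XML
with a <data_encryption> element holding false / true / partial, and that
the ACI action URL has the form http://host:port/action=GetStatus.
"""
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses (assumed shape of the GetStatus XML).
SAMPLE_RESPONSES = {
    "content-1": "<autnresponse><responsedata><data_encryption>true"
                 "</data_encryption></responsedata></autnresponse>",
    "content-2": "<autnresponse><responsedata><data_encryption>partial"
                 "</data_encryption></responsedata></autnresponse>",
    "content-3": "<autnresponse><responsedata></responsedata></autnresponse>",
}

# Meaning of each status and the follow-up described on this page.
REMEDIATION = {
    "true": "OK: all index data is encrypted.",
    "false": "Not encrypted: set AESKeyFile (or -dataencryptionkey) and restart.",
    "partial": "Partly encrypted: reindex into an empty encrypted index so legacy "
               "data is encrypted, or regenerate the unstemmed term tree.",
}
UNKNOWN = "Unknown: no data_encryption element in response; check server version."

def parse_encryption_status(xml_text):
    """Return the data_encryption value (lower-cased) from a response, or None."""
    node = ET.fromstring(xml_text).find(".//data_encryption")
    if node is None or node.text is None:
        return None
    return node.text.strip().lower()

def fetch_status(host, port, timeout=5):
    """Fetch GetStatus from a live Content or DAH server (assumed URL form)."""
    url = f"http://{host}:{port}/action=GetStatus"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_encryption_status(resp.read())

def audit(responses):
    """Return ({server: (status, message)}, all_ok); all_ok needs every status 'true'."""
    report = {}
    for name, xml_text in responses.items():
        status = parse_encryption_status(xml_text)
        report[name] = (status, REMEDIATION.get(status, UNKNOWN))
    return report, all(s == "true" for s, _ in report.values())

if __name__ == "__main__":
    rep, ok = audit(SAMPLE_RESPONSES)
    for name, (status, msg) in rep.items():
        print(f"{name}: {status} - {msg}")
    print("ALL ENCRYPTED" if ok else "ACTION REQUIRED")
```

Replace SAMPLE_RESPONSES with values gathered by fetch_status to run it against live servers; a DAH response is handled the same way, since its data_encryption value summarizes its child servers.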

Encryption Persistence

After you enable encryption, you cannot change your encryption settings or turn off encryption.

Each time you start Content, it verifies your encryption key to ensure that it matches the existing settings. If the encryption settings are different, or Content cannot find the key file, the server logs a warning and does not start.

Similarly, when you attempt to use the DREINITIAL index action with a backup path, Content checks the encryption settings in the backup directory before it restores the index. If the target index has incompatible encryption settings, the DREINITIAL index action fails with a Bad Parameter error.

NOTE: Content stores only a hash generated from the encryption key on disk, so you cannot recover the original encryption keys from the saved information.

When you export data from Content by using DREEXPORTIDX or DREEXPORTXML, the exported content is unencrypted. Micro Focus recommends that you use appropriate authorization roles to ensure that only authorized users can export content from your index. See Configure Client Authorization.

If you want to turn off encryption, or change your encryption settings, you must export your data and index into an empty Content index.