Encrypt the Data Index

You can optionally configure the IDOL Content component to encrypt your index data.

When you enable index encryption, Content uses 256-bit AES encryption. Encryption includes:

To use index encryption, you need an AES key file. You can create this key file by using the autpassword command-line tool. See Password Encryption.

CAUTION: If you lose your encryption keys after you enable encryption, you cannot recover your IDOL data.

In a distributed system, you can enable encryption both in your Content indexes, and in the Distributed Index Handler (DIH). The DIH encrypts the index data that it stores in the index queue while waiting to process it.

NOTE: DIH decrypts the index queue content before it forwards data to its child Content indexes for processing. Micro Focus recommends that you enable TLS encryption to ensure that you have secure communication between Content and DIH.

Enable Index Encryption

There are two ways to enable encryption in your index:

The -dataencryptionkey command-line option overrides any AESKeyFile setting in your configuration file.

NOTE: You can turn on AES encryption in an index that has existing content. In this case:

To ensure that all your data is encrypted, Micro Focus recommends that you index your data into an empty index, with encryption enabled.

Enable Index Encryption in the Configuration File

You can enable index encryption by setting the AESKeyFile parameter in the IDOL Content component configuration file.

If you have a distributed system, you can also configure AESKeyFile in the DIH configuration file, to ensure that it encrypts the stored index queue data.

To configure index encryption

  1. Open the IDOL Content component configuration file in a text editor.

  2. Find the [DataEncryption] section, or create one if it does not exist.

  3. Set AESKeyFile to the full path to your AES encryption key file. For example:

    [DataEncryption]
    AESKeyFile=C:\idoldata\keys\indexkey.ky

  4. Save and close the configuration file.

  5. Restart the IDOL Content component for your changes to take effect.

NOTE: Content does not start if it cannot find the specified key file, or if the key file is not valid.

Enable Index Encryption When You Start IDOL Components

When you start the IDOL Content component from the command line, you can use the -dataencryptionkey argument to enable encryption. You set this option to the 64-character hexadecimal AES key that you want to use.

For example:

Content.exe -configfile Content.cfg -dataencryptionkey D15B643D5332BB9B9871EB1828D91367FA5419FD7179C8254AA4CCB647AB8009

If you have a distributed system, you can also use this command-line parameter to add an encryption key when you start the DIH.

The data encryption key that you provide on startup overrides any configured value for AESKeyFile.
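A pre-restart check that mirrors the two mechanisms above (AESKeyFile in [DataEncryption], and the -dataencryptionkey override), written as an added example that is not an IDOL tool or Micro Focus code. It assumes an INI-style configuration file that Python's configparser can read; the key-file contents it writes are a constructed placeholder, not a real autpassword key file.

```python
import configparser
import os
import re
import tempfile

# Constructed sample configuration with the [DataEncryption] section described
# on this page. {key_file} is filled in by demo(); the path is hypothetical.
SAMPLE_CFG = """
[Server]
Port=9100

[DataEncryption]
AESKeyFile={key_file}
"""

# A 256-bit AES key given on the command line is 64 hexadecimal characters.
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{64}$")


def effective_key_source(cfg_text, cli_key=None):
    """Return (source, value): which key Content will use, or raise early.

    Precedence follows the page: -dataencryptionkey overrides AESKeyFile.
    """
    if cli_key is not None:
        if not HEX_KEY.match(cli_key):
            raise ValueError("-dataencryptionkey must be 64 hexadecimal characters")
        return ("commandline", cli_key.upper())
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_option("DataEncryption", "AESKeyFile"):
        return ("none", None)  # index encryption not configured
    key_file = parser.get("DataEncryption", "AESKeyFile")
    # Content does not start if it cannot find the key file; fail before restarting.
    if not os.path.isfile(key_file):
        raise FileNotFoundError(f"AESKeyFile not found: {key_file}")
    return ("configfile", key_file)


def demo():
    """Exercise the check with a throwaway key file; returns a result summary."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "indexkey.key")
        with open(key_path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real key file\n")
        cfg = SAMPLE_CFG.format(key_file=key_path)
        results["config_only"] = effective_key_source(cfg)[0]
        results["cli_override"] = effective_key_source(cfg, "ab" * 32)[0]
        results["no_encryption"] = effective_key_source("[Server]\nPort=9100\n")[0]
        try:
            effective_key_source(cfg, "not-a-key")
        except ValueError:
            results["bad_cli_key_rejected"] = True
        try:
            effective_key_source(SAMPLE_CFG.format(key_file=os.path.join(tmp, "missing.key")))
        except FileNotFoundError:
            results["missing_key_file_rejected"] = True
    return results
```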

Check Your Encryption Status

You can check the encryption status of your Content index by sending the GetStatus action.

The response for Content includes a data_encryption section, which can have one of the following values: 

You can also send a GetStatus action to the Distributed Action Handler (DAH) to find the encryption status of all the DAH child servers. In this case, the response values are: 

Encryption Persistence

After you enable encryption, you cannot change your encryption settings or turn off encryption.

Each time you start Content, it verifies your encryption key to ensure that it matches the existing settings. If the encryption settings are different, or Content cannot find the key file, the server logs a warning and does not start.

Similarly, when you attempt to use the DREINITIAL index action with a backup path, Content checks the encryption settings in the backup directory before it restores the index. If the target index has incompatible encryption settings, the DREINITIAL index action fails with a Bad Parameter error.

NOTE: Content stores only a hash generated from the encryption key on disk, so you cannot recover the original encryption keys from the saved information.

When you export data from Content by using DREEXPORTIDX or DREEXPORTXML, the exported content is unencrypted. Micro Focus recommends that you use appropriate authorization roles to ensure that only authorized users can export content from your index. See Configure Client Authorization.

If you want to turn off encryption, or change your encryption settings, you must export your data and index into an empty Content index.
