Netwrix Directory Manager 11.1.25199.02 - Encryption Key Management Documentation

Overview

The Directory Manager 11 passphrase encryption key utility manages the encryption key used for database encryption. It generates a random passphrase key that encrypts the data stored in the database; the key itself is maintained in the Directory Manager 11 server registry.

Important Notes:

  • The passphrase page has been removed from the Directory Manager configuration wizard.
  • For disaster recovery, it is recommended to export and back up the encryption key, together with the password that is shown on the console while the key is being exported.
  • All encryption keys should be securely stored and managed according to your organization’s security policies.

Encryption Key Utility Commands

Generate Encryption Key

Cmd
Directory-manager-passphrase-utility.exe generate

Export Encryption Key

Cmd
Directory-manager-passphrase-utility.exe export -o "C:\Program Files\Imanami\GroupID 11.0\encryptionkey.txt"

Important: Copy and save the password returned by this command; it is required to import the key.

Import Encryption Key

Cmd
Directory-manager-passphrase-utility.exe import -i "C:\Program Files\Imanami\GroupID 11.0\encryptionkey.txt" -p "[password noted in previous step]"

Re-encrypt Database (V11 to V11)

Cmd
Directory-manager-passphrase-utility.exe reencrypt11 -s "server\instance" -i -u "username" -d "database_name"

Re-encrypt Database (V10 to V11)

Cmd
Directory-manager-passphrase-utility.exe reencrypt10 -s "server\instance" -i -u "username" -d "database_name"

Delete Encryption Key

Cmd
Directory-manager-passphrase-utility.exe delete -s "server\instance" -i -u "username" -d "database_name"

Deployment Scenarios

Single Instance Deployment with Fresh Database

The utility is not required for this scenario.

Single Instance Build-over-Build Upgrade

  1. Install Directory Manager 11 latest build.
  2. Generate an encryption key using the encryption key utility.
  3. Create a database backup of the existing V11 database.
  4. Re-encrypt the database with the new encryption key:
    Cmd
    Directory-manager-passphrase-utility.exe reencrypt11 -s "server\instance" -i -u "username" -d "database_name"
  5. Complete the configuration wizard.
  6. Delete the encryption key from the database after configuration is completed and data is verified through the Admin Center and portals:
    Cmd
    Directory-manager-passphrase-utility.exe delete -s "server\instance" -i -u "username" -d "database_name"
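The following PowerShell script is an added example, not part of the Netwrix documentation or product; it wraps steps 2 to 4 of the single-instance build-over-build upgrade so that every step is checked before the next one runs, and keeps the step 6 key deletion as a separate call that is only run after verification. It assumes the utility path shown, the SqlServer module (Backup-SqlDatabase) and an administrator session with rights on the database.

```powershell
# Added example (not from the Netwrix documentation): wraps steps 2-4 of the
# single-instance build-over-build upgrade so each step is checked before the next.
# Assumptions: the utility path below; the SqlServer module (Backup-SqlDatabase) is
# installed; the caller runs as an administrator with rights on the database.
$UtilityPath = 'C:\Program Files\Imanami\GroupID 11.0\Directory-manager-passphrase-utility.exe'

function Invoke-DmUtility {
    # Runs the utility and turns a non-zero exit code into a terminating error,
    # so a failed 'generate' never flows into 'reencrypt11'.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & $UtilityPath @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "Directory-manager-passphrase-utility.exe $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

function Invoke-DmReencryptUpgrade {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,   # e.g. 'server\instance'
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$BackupDirectory
    )
    # Step 2: generate the new key (the utility stores it in the server registry).
    Invoke-DmUtility -Arguments @('generate')

    # Step 3: back up the V11 database before re-encryption touches any data.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $BackupDirectory "$Database-pre-reencrypt-$stamp.bak"
    Backup-SqlDatabase -ServerInstance $ServerInstance -Database $Database -BackupFile $backupFile -ErrorAction Stop
    Write-Host "Backup written to $backupFile"

    # Step 4: re-encrypt the V11 data with the newly generated key.
    Invoke-DmUtility -Arguments @('reencrypt11', '-s', $ServerInstance, '-i', '-u', $UserName, '-d', $Database)
    Write-Host 'Re-encryption finished. Complete the configuration wizard and verify data in the'
    Write-Host 'Admin Center and portals before running Remove-DmDatabaseKey (step 6).'
}

function Remove-DmDatabaseKey {
    # Step 6, kept as a separate call so it cannot run until verification is done.
    param(
        [Parameter(Mandatory)][string]$ServerInstance,
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$UserName
    )
    Invoke-DmUtility -Arguments @('delete', '-s', $ServerInstance, '-i', '-u', $UserName, '-d', $Database)
}
```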

Multi-Instance Deployment with Fresh Database

Master Node Configuration (Server A)

  1. Install Directory Manager 11 latest build on Server A.
  2. Run the configuration wizard and select the first option on the Create new server or use existing server page to configure the instance as the master node.
  3. Configure the database and complete the configuration wizard.
  4. Export the encryption key:
    Cmd
    Directory-manager-passphrase-utility.exe export -o "C:\Program Files\Imanami\GroupID 11.0\encryptionkey.txt"

Note: Export the signing key and Directory Manager user password using their respective utilities.

Slave Node Configuration (Server B)

  1. Install Directory Manager 11 latest build on Server B.
  2. Import the encryption key:
    Cmd
    Directory-manager-passphrase-utility.exe import -i "C:\Program Files\Imanami\GroupID 11.0\encryptionkey.txt" -p "[password noted earlier]"
  3. Complete the slave node configuration after importing the Directory Manager user password and signing key during the configuration wizard.
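The following PowerShell script is an added example, not part of the Netwrix documentation or product, covering both the master node export (step 4 above) and the slave node import (step 2 above). On Server A it runs the documented export, restricts the key file to SYSTEM and local Administrators, and records a SHA-256 hash; on Server B it checks that hash before running the documented import. It assumes the utility path shown exists on both servers.

```powershell
# Added example (not from the Netwrix documentation): Server A exports the key and
# restricts who can read the file; Server B verifies the copy before importing it.
# Assumption: the utility lives at the path below on both servers.
$UtilityPath = 'C:\Program Files\Imanami\GroupID 11.0\Directory-manager-passphrase-utility.exe'

function Export-DmEncryptionKey {
    param([Parameter(Mandatory)][string]$OutputFile)
    # 'export' prints the key password on the console; it is not in the file, so note
    # it from the console and keep it apart from the file (separate channel or vault).
    & $UtilityPath export -o $OutputFile
    if ($LASTEXITCODE -ne 0) { throw "export failed with exit code $LASTEXITCODE" }
    if (-not (Test-Path $OutputFile)) { throw "export reported success but $OutputFile is missing" }

    # Replace inherited ACEs with an explicit allow-list: SYSTEM and Administrators only.
    $acl = Get-Acl -Path $OutputFile
    $acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited rules
    foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $principal, 'FullControl', 'Allow'))
    }
    Set-Acl -Path $OutputFile -AclObject $acl

    # Record a SHA-256 of the file so the slave node can detect a truncated or
    # altered copy before it is imported.
    $hash = (Get-FileHash -Path $OutputFile -Algorithm SHA256).Hash
    Set-Content -Path "$OutputFile.sha256" -Value $hash
    return $hash
}

function Import-DmEncryptionKey {
    param(
        [Parameter(Mandatory)][string]$InputFile,
        [Parameter(Mandatory)][string]$ExpectedSha256,   # value returned by Export-DmEncryptionKey
        [Parameter(Mandatory)][string]$Password          # password noted on Server A's console
    )
    $actual = (Get-FileHash -Path $InputFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Key file hash mismatch (expected $ExpectedSha256, got $actual); not importing."
    }
    & $UtilityPath import -i $InputFile -p $Password
    if ($LASTEXITCODE -ne 0) { throw "import failed with exit code $LASTEXITCODE" }
}
```

The documented import syntax takes the password on the command line, so run Import-DmEncryptionKey from an interactive session rather than saving the password in a script or scheduled task. Delete the exported key file from Server B once the import has succeeded and the backup copy is stored per your key management policy.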

Multi-Instance Deployment with V11 Build-over-Build Upgrade

Master Node Upgrade (Server A)

  1. Install Directory Manager 11 latest build over the existing build on Server A.
  2. Generate an encryption key using the encryption key utility.
  3. Create a backup copy of the previous V11 database.
  4. Re-encrypt the database with the newly generated encryption key:
    Cmd
    Directory-manager-passphrase-utility.exe reencrypt11 -s "server\instance" -i -u "username" -d "database_name"
  5. Run the configuration wizard and select the first option on the Create new server or use existing server page to configure the instance as the master node.
  6. Follow the export/import procedure described in the Multi-Instance Deployment with Fresh Database section.

Security Considerations

  • Always create secure backups of encryption keys before performing any operations.
  • Store the encryption key and its password in a secure location separate from the database; both are required for disaster recovery.
  • Verify data integrity after re-encryption operations.
  • Follow your organization’s security policies for key management and storage.

Troubleshooting

  • Ensure proper database connectivity before running encryption operations.
  • Verify that the user account has sufficient privileges for database operations.
  • Confirm that all required services are running before starting the configuration wizard.
  • Check system logs for detailed error messages if operations fail.