
Re-encrypt the Policy Store Data

To re-encrypt the policy store data

  1. Open a command prompt from the machine hosting the Policy Server and navigate to the location to which you want to export the policy store data file.
  2. Run the following command:
    XPSExport outputfile -xa -passphrase phrase -vT -vI -vW -vE -vF -e file_name -l log_path

    Note: Although you can use XPSExport to export one or more granular objects, this procedure provides the arguments for exporting all of the policy store data. This ensures that the export includes all of the sensitive data. More information on exporting one or more granular objects exists in the Policy Server Administration Guide.

    outputfile

    Specifies the name of the XML output file.

    Note: The file name must be unique. The export fails if a file with the same name exists.

    Example: psdata

    -xa

    Specifies that all of the policy data is to be exported.

    -passphrase phrase

    Specifies a passphrase required for encryption of sensitive data. Record this value as it is required to import the sensitive data back into the policy store.

    Limit: The passphrase must contain at least:

    • Eight (8) characters
    • One (1) digit
    • One (1) upper-case character
    • One (1) lower-case character

    Note: If the passphrase contains spaces, enclose it in quotes (").

    -vT

    (Optional) Sets verbosity level to TRACE.

    -vI

    (Optional) Sets verbosity level to INFO.

    -vW

    (Optional) Sets verbosity level to WARNING (default).

    -vE

    (Optional) Sets verbosity level to ERROR.

    -vF

    (Optional) Sets verbosity level to FATAL.

    -l log_path

    (Optional) Outputs log to the specified path.

    -e file_name

    (Optional) Specifies the file to which errors and exceptions are logged. If omitted, stderr is used.

    XPSExport exports the policy store data and places the data file in the directory from which you ran the tool.

  3. Run the following command:
    XPSImport input_file -passphrase phrase -vT -vI -vW -vE -vF -e file_name -l log_path

    input_file

    Specifies the input XML file.

    -passphrase phrase

    Specifies the passphrase required for the decryption of sensitive data.

    Limit: The phrase must match the phrase you specified during export or the decryption fails.

    -vT

    (Optional) Sets verbosity level to TRACE.

    -vI

    (Optional) Sets verbosity level to INFO.

    -vW

    (Optional) Sets verbosity level to WARNING (default).

    -vE

    (Optional) Sets verbosity level to ERROR.

    -vF

    (Optional) Sets verbosity level to FATAL.

    -l log_path

    (Optional) Outputs log to the specified path.

    -e file_name

    (Optional) Specifies the file to which errors and exceptions are logged. If omitted, stderr is used.

    XPSImport imports the data into the policy store. Sensitive data is encrypted using FIPS-compliant algorithms.
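As an added example that is not part of this guide, the following POSIX shell script checks a passphrase against the limits stated above and assembles the XPSExport and XPSImport command lines in the order of the procedure, refusing to build the export command when the output file already exists. The XPS_PASSPHRASE environment variable, the log file names and the .err suffix for the error file are assumptions of the script, not product conventions.

```shell
#!/bin/sh
# Added example, not product code. It validates a passphrase against the
# documented minimum and builds the two command lines of the procedure.
# Assumptions: XPS_PASSPHRASE holds the passphrase; the error file written
# by -e is named after the log path with a ".err" suffix.

# Return 0 when the passphrase meets the documented minimum: at least 8
# characters, one digit, one upper-case and one lower-case character.
passphrase_ok() {
    p="$1"
    [ "${#p}" -ge 8 ] || return 1
    printf '%s' "$p" | grep -q '[0-9]' || return 1
    printf '%s' "$p" | grep -q '[A-Z]' || return 1
    printf '%s' "$p" | grep -q '[a-z]' || return 1
}

# Build the full-export command (-xa). XPSExport fails if the output file
# already exists, so the same check is made here before anything runs. The
# passphrase is quoted so that embedded spaces are passed as one argument.
build_export_cmd() {
    outfile="$1"; log="$2"
    [ ! -e "$outfile" ] || return 1
    passphrase_ok "$XPS_PASSPHRASE" || return 1
    printf 'XPSExport %s -xa -passphrase "%s" -vW -e %s.err -l %s\n' \
        "$outfile" "$XPS_PASSPHRASE" "$log" "$log"
}

# Build the import command with the same passphrase: a mismatch makes the
# decryption of the sensitive data fail, so the value is reused, not retyped.
build_import_cmd() {
    infile="$1"; log="$2"
    [ -r "$infile" ] || return 1
    printf 'XPSImport %s -passphrase "%s" -vW -e %s.err -l %s\n' \
        "$infile" "$XPS_PASSPHRASE" "$log" "$log"
}
```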