You can encrypt passwords to create an environment variable to use with infacmd, infasetup, pmcmd, and pmrep or to define a password in a parameter file.
For example, you can encrypt the repository and database passwords for pmrep to maintain security when using pmrep in scripts. Then you can create an environment variable to store the encrypted password. Or, you can define a password for a relational database connection object in a parameter file.
Use the command line program pmpasswd to encrypt passwords.
The pmpasswd utility uses a AES/CBC/PKCS5 padding cipher and generates a base64 encoded and AES 128-bit or AES 256-bit encrypted password.
The pmpasswd utility installs in the following directory:
The pmpasswd utility uses the following syntax:
pmpasswd <password> [-e (CRYPT_DATA | CRYPT_SYSTEM)]
The following table describes pmpasswd options and arguments:
Required. The password to encrypt.
Optional. Encryption type:
CRYPT_DATA. Use to encrypt connection object passwords that you define in a parameter file.
CRYPT_SYSTEM. Use for all other passwords.
By default, the pmpasswd utility generates AES 128-bit encrypted password. You can set the environment variable
to enable AES 256-bit encryption for enhanced password security. In single node domain or multinode domain, ensure to shutdown the domain before setting or removing the environment variable.
When you enable the AES 256-bit encryption, the previously stored sensitive data in the environment variables does not work. You must encrypt such previously stored sensitive data again and reset the data in the environment variables after enabling AES 256-bit encryption. However, the license keys remain encrypted with AES 128-bit even if you enable AES 256-bit.
After you choose either AES 128-bit or AES 256-bit encryption, you must use the same encryption mechanism while performing a backup and restore or export and import operation. For example, if you back up a domain or repository using the AES 128-bit mechanism, you must restore the domain or repository using the same 128-bit encryption mechanism. Domain restore fails if AES 256-bit encryption is enabled for domain backup and not enabled during domain restore. In such a case, clean up the database, enable 256-bit encryption and restore the domain again.
Similarly, if you export a domain or repository using the AES 128-bit mechanism, you must import the domain or repository using the same 128-bit encryption mechanism.