-
Title
HOW TO: Controlling Active Roles encryption key strength -
Description
How is it possible to control the strength of the encryption key which Active Roles uses to secure credentials in the Active Roles Configuration database? -
Resolution
This can be done as a post-installation task.
The value for the encryption algorithm is stored in the edsaRGSKCryptoAlgorithm attribute which is found in the Advanced Properties of the Administration Services container found under Configuration | Server Configuration | Administration Services .
It is not possible to configure this value via the Active Roles Console, but it is possible to do so using the Active Roles Management Shell, as follows:
Set-QADObject -Identity 'CN=Administration Services,CN=Server Configuration,CN=Configuration' -ObjectAttributes @{'edsaRGSKCryptoAlgorithm'='AES-256'}
Updating this value will automatically generate a new encryption key. With Active Roles 7.0 and later, this new key can then be backed up using the Backup-AREncryptionKey cmdlet.
With ActiveRoles Server 6.9 and previous versions, the default value for this attribute is 3DES-192.
With Active Roles 7.0 and later versions, the default value for this attribute is AES-256.
Possible values include the following:
AES-128AES-256RC2-128RC4-403DES-192