-
Title
HOW TO: Controlling Active Roles encryption key strength -
Description
How is it possible to control the strength of the encryption key which Active Roles uses to secure credentials in the Active Roles Configuration database? -
Resolution
This can be done as a post-installation task.
The value for the encryption algorithm is stored in the edsaRGSKCryptoAlgorithm attribute which is found in the Advanced Properties of the Administration Services container found under Configuration | Server Configuration | Administration Services .
It is not possible to configure this value via the Active Roles Console, but it is possible to do so using the Active Roles Management Shell, as follows:
Reset-AREncryptionKey -EncryptionAlgorithm 'AES'
OR
Reset-AREncryptionKey -EncryptionAlgorithm 'DES'
NOTE: It is important to run the Active Roles Management Shell as a local Administrator who is also an Active Roles Admin. Otherwise, attempting to execute the above cmdlet will fail with the following error:
Insufficient rights to configure Active Roles. Ensure that you have administrator rights on the computer running the Active Roles instance you are going to configure.Running the above cmdlet will automatically generate a new encryption key. This new key can then be backed up using the Backup-AREncryptionKey cmdlet.
With ActiveRoles Server 6.9 and previous versions, the default value for this attribute is 3DES-192.
With Active Roles 7.0 and later versions, the default value for this attribute is AES-256.