Using the cm encryptpasswords utility will encrypt all passwords (to be more strict, the hash values of the passwords) stored in the database with a 256 bit key on basis of the AES algorithm (Rijndael). When starting the utility, make sure that the corresponding CoreMedia Content Server is not running.

Encrypting the passwords of a Replication Live Server needs slightly more care:

The utility program is executed with:

cm encryptpasswords -encrypt

During operation, the utility writes some output to indicate the progress of encryption.

The generated key is written to the file $INSTALL_DIR/etc/keys/<databasename>.<dbuser>.rijndael. Do not delete this key file and instead make sure that a backup exists in a safe place. Without the file, it is no longer possible to log in. You must copy this file to the Content Server installation under $INSTALL_DIR/etc/keys (The path can be configured by setting the property cap.server.encrypt-passwords-key-file). If you want to install a new server and you still want to use the old database the key file from the old installation must be present in the new installation. Likewise, if you want to install and use a new database you have to delete the key file. Otherwise, the program would try to decrypt the new decrypted passwords.

When the utility is used more than once, the passwords will be re-encrypted with a new key. No harm can occur.

If you want to revert to decrypted passwords, run the following command and remove the key file from the server installation afterwards:

cm encryptpasswords -decrypt