Password encryption properties

Password encryption properties configure how Identity Manager encrypts protected data (shared secrets, service passwords, protected account attributes) and how it hashes user passwords.

Table 1 defines the properties used to configure password encryption.

Table 1. Encryption properties
enrole.encryption.algorithm

Do not modify this property key and value.

Specifies the encryption algorithm (a JCE cipher name, not a TLS cipher suite) used to encrypt protected data. For example, AES or PBEWithMD5AndDES. AES is the value for new installations. PBEWithMD5AndDES appears only in installations upgraded from Version 4.6; it is a legacy algorithm (MD5-based key derivation with 56-bit DES) and is not FIPS-approved.

Example (default):

enrole.encryption.algorithm=AES

enrole.encryption.password

Do not modify this property key and value. This value is specified during Identity Manager installation.

The value of the enrole.encryption.password property is moved into the encryptionKey property file, where it is stored in encoded form by default. Encoding is not encryption: anyone who can read the encryptionKey property file can recover the value, so restrict file system access to that file.

For Password-Based Encryption (PBE) algorithms (used for installations upgraded from IBM® Security Identity Manager Version 4.6), specifies the encrypted password used as the input parameter for PBE. PBE derives the secret key that encrypts and decrypts data from a user-supplied password. Encrypted data includes, for example, shared secrets, service passwords, and some protected account attributes.

For non-PBE algorithms such as AES (used for new IBM Security Identity Manager Version 5.0 installations), specifies, in encrypted format, the password that protects the keystore holding the randomly generated secret key. For more information, see the enrole.encryption.keystore property.


enrole.encryption.passwordDigest

Do not modify this property key and value.

Specifies the hash algorithm used to digest Identity Manager user passwords. An installation upgraded from Tivoli® Identity Manager Version 4.6 continues to use the original hash algorithm for each migrated password until that user changes the password. The original algorithm is defined by the property enrole.pre50.encryption.passwordDigest. Valid values are:

  • SHA-256 – Federal Information Processing Standards (FIPS)-approved hash algorithm with a 256-bit digest, used by IBM Tivoli Identity Manager Version 5.0 for passwords. A random salt value is added to the data before it is hashed.
  • SHA-384 – FIPS-approved hash algorithm with a 384-bit digest (a variant of SHA-512 with different initial values and truncated output). A random salt value is added to the data before it is hashed.
  • SHA-512 – FIPS-approved hash algorithm with a 512-bit digest. A random salt value is added to the data before it is hashed.

Because each password is hashed with its own random salt, identical passwords produce different stored values and a precomputed digest table cannot be applied to the whole password store.

Example (default):

enrole.encryption.passwordDigest=SHA-256

enrole.pre50.encryption.passwordDigest

Do not modify this property key and value. Upgrading IBM Security Identity Manager from Version 4.6 adds this property dynamically to this properties file.

Specifies the hash algorithm used for Identity Manager password data created by IBM Security Identity Manager versions before 5.0. Migrated values are identified by the lack of a ":" in the stored password value; values hashed with the current algorithm contain one.
Note: All new passwords, including changed migrated passwords, are stored with the enrole.encryption.passwordDigest algorithm. MD5 is not FIPS-approved, and the legacy hashes are retired only when the affected users change their passwords; forcing a password change for migrated accounts removes them.

Example (default for migrated installations, not present for new installations):

enrole.pre50.encryption.passwordDigest=MD5
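The two digest properties above describe a password store that can hold both legacy and salted values at the same time. The following Python script is an added example, not IBM product code: it parses the encryption section of the properties file, reports the settings a reviewer would flag, classifies stored values by the ":" rule, and re-hashes a migrated value once it verifies. The "salt-hex:digest-hex" layout of current values, the unsalted hex layout of legacy MD5 values, and the sample property text are assumptions made for illustration; the page only states that current values contain ":" and migrated values do not.

```python
"""Audit enRole password-encryption properties and classify stored password
values as migrated (pre-5.0 digest) or current (salted digest).

Added example, not IBM product code. Assumptions: the property file is a
plain key=value file; a current value is "<salt-hex>:<digest-hex>"; a
migrated value is an unsalted hex digest of the legacy algorithm."""
import hashlib
import hmac
import os

# Digest names the documentation lists as valid, mapped to hashlib names.
APPROVED_DIGESTS = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}

# Constructed sample of a migrated installation's encryption section.
SAMPLE_PROPERTIES = """\
# enRole encryption section (constructed sample)
enrole.encryption.algorithm=AES
enrole.encryption.passwordDigest=SHA-256
enrole.pre50.encryption.passwordDigest=MD5
enrole.encryption.keystore=itimKeystore.jceks
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return the findings a reviewer would raise about these settings."""
    findings = []
    alg = props.get("enrole.encryption.algorithm")
    if alg != "AES":
        findings.append(f"encryption algorithm {alg!r} is not AES (PBE is legacy, upgraded 4.6 only)")
    elif not props.get("enrole.encryption.keystore"):
        findings.append("AES selected but enrole.encryption.keystore is not set")
    digest = props.get("enrole.encryption.passwordDigest")
    if digest not in APPROVED_DIGESTS:
        findings.append(f"passwordDigest {digest!r} is not one of {sorted(APPROVED_DIGESTS)}")
    legacy = props.get("enrole.pre50.encryption.passwordDigest")
    if legacy:
        findings.append(f"migrated install: {legacy} hashes persist until users change passwords")
    return findings


def is_migrated(stored):
    """Pre-5.0 values carry no ':' separator."""
    return ":" not in stored


def hash_password(password, digest_name, salt=None):
    """Salted digest in the assumed '<salt-hex>:<digest-hex>' layout."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(APPROVED_DIGESTS[digest_name], salt + password.encode("utf-8"))
    return f"{salt.hex()}:{digest.hexdigest()}"


def verify_password(password, stored, props):
    """Check a password against either storage format with a constant-time compare."""
    if is_migrated(stored):
        legacy = props.get("enrole.pre50.encryption.passwordDigest", "MD5")
        algo = legacy.lower().replace("-", "")  # e.g. "MD5" -> "md5"
        expected = hashlib.new(algo, password.encode("utf-8")).hexdigest()  # assumed unsalted
        return hmac.compare_digest(expected, stored)
    salt_hex, _, _ = stored.partition(":")
    current = props["enrole.encryption.passwordDigest"]
    return hmac.compare_digest(hash_password(password, current, bytes.fromhex(salt_hex)), stored)


def upgrade_if_migrated(password, stored, props):
    """After a successful verification, re-store a migrated value with the
    current digest (the documented rule: changed passwords use the new
    algorithm). Returns the value to store, or None if verification failed."""
    if not verify_password(password, stored, props):
        return None
    if is_migrated(stored):
        return hash_password(password, props["enrole.encryption.passwordDigest"])
    return stored


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for finding in audit(props):
        print("finding:", finding)
    legacy_value = hashlib.md5(b"password").hexdigest()  # constructed migrated value
    print("migrated:", is_migrated(legacy_value), verify_password("password", legacy_value, props))
    print("upgraded:", upgrade_if_migrated("password", legacy_value, props))
```

Run it against a copy of the real properties file by replacing SAMPLE_PROPERTIES with the file contents; the audit reports a PBE algorithm, a non-approved digest, and the presence of legacy hashes, which is the list to work through before claiming FIPS alignment.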

enrole.encryption.keystore

Do not modify this property key and value.

Specifies the file name of the keystore that holds the randomly generated secret key for non-PBE encryption algorithms such as AES. The keystore is protected with the enrole.encryption.password value and is located in the IM_HOME\data\keystore directory. Losing this file makes data encrypted with the key unrecoverable, so back it up together with the encryptionKey property file and give both the same restrictive file system permissions as the property files. To confirm that the keystore opens with the configured password, run keytool -list -storetype JCEKS -keystore itimKeystore.jceks from the keystore directory and enter the password when prompted.

Example (default):

enrole.encryption.keystore=itimKeystore.jceks