search cancel

Encryption With PMDBs


Article ID: 15023


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)


This knowledge article details the passwd_distribution_encryption_mode and passwd_local_encryption_method tokens.

Can I use the same or different types of encryption methods in a PMDB-based model?


Release: ACP1M005900-12.8-Privileged Identity Manager


The answer o both of the questions, is yes, you can have either the same or different encryption methods on each endpoint or subscribing PMDB.  In a basic environment without PMDBs, all that has to be done is to go into the /etc/seos.ini and look for passwd_local_encryption_method to be set to the encryption method you would like on that specific host.  However, in a PMDB-based environment, if you don't change passwd_distribution_encryption_mode to reflect Bidirectional Mode, you will have all changes overwritten on subscribing PMDBs, regardless if passwd_local_encryption_method is set or not.  This is because in Bidirectional Mode, we are encrypting the channel that the password propagation traverses through, not the actual password data itself.

The following conditions must be met for the endpoint to choose how the password is stored.

The subscriber passwd_distribution_encryption_mode must match the same mode on the PMDB.  If they match, then the subscriber chosen passwd_local_encryption_method is employed, and reflected in /etc/shadow.

If passwd_distribution_encryption_mode does not match, then the subscriber local storage defaults to the method chosen on the PMDB. The local method value is ignored.

Note: *- If passwd_distribution_encryption_mode = 2 (md5) is chosen on the PMDB, the subscriber cannot choose between crypt or md5 as a local method. It will always be an md5 hash in /etc/shadow.

Token details as found in our seos.ini file and listed below.


  • passwd_distribution_encryption_mode

; This token indicates which password encryption method the local system

; uses to distribute user passwords.

; Valid values are: '1' - Compatibility mode - working with older

; versions of eAC, hence we use 'crypt' like we used to,

; or '2' - MD5 hashing - when working in Linux only environment use

; 'crypt' with MD5 salt, or '3' - bidirectional mode - where we encrypt

; the passwords with our own bidirectional encryption.

; Default Value: 3


  • passwd_local_encryption_method

; This token indicates which password encryption method the local system

; stores user passwords.

; Valid values are: 'crypt' - DES crypt/bigcrypt, or 'md5' - MD5 hashing.

; Default Value: whatever_method_you_want_on_each_individual_endpoint