Red Hat Directory Server 8.0 Administrator's Guide

There is no mechanism for recovering a lost key. Therefore, it is especially
important to back up the server's certificate database safely. If the server's
certificate were lost, it would not be possible to decrypt any encrypted data
stored in its database.
CAUTION
If the SSL certificate is expiring and needs to be renewed, export the encrypted
backend instance before the renewal. Update the certificate, then re-import the
exported LDIF file. Because the export exists precisely so that the data no longer
depends on the old key, the exported LDIF holds the attribute values in cleartext:
write it to protected storage, restrict its permissions, and remove it once the
re-import has succeeded.
2.3.2. Encryption Ciphers
The encryption cipher is configured per attribute and must be selected by the
administrator at the time encryption is enabled for that attribute. Configuration can
be done through the Console or through the command line.
The following ciphers are supported:
Advanced Encryption Standard (AES)
Triple Data Encryption Standard (3DES)
All ciphers are used in Cipher Block Chaining mode.
Once the encryption cipher is set, it should not be changed without exporting and
re-importing the data, since values already stored were encrypted with the previous
cipher.
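The command-line side of this configuration lives in dse.ldif as one nsAttributeEncryption entry per encrypted attribute under cn=encrypted attributes,cn=<backend>,cn=ldbm database,cn=plugins,cn=config, with the cipher in nsEncryptionAlgorithm. The following script is an added example, not code from the guide or from Red Hat; it audits a dse.ldif for which attributes of which backend are encrypted and with which cipher, flags 3DES as the legacy choice, and generates the LDIF entry that enables encryption for a further attribute. The entry layout, the attribute names nsAttributeEncryption and nsEncryptionAlgorithm, and the sample dse.ldif content (backend userRoot with userPassword and employeeNumber encrypted) are assumptions made for the example.

```python
"""Audit and generate per-attribute encryption configuration for Directory
Server (added example; entry layout under cn=encrypted attributes assumed)."""
import re
from typing import Dict, List

# The two ciphers the guide lists as supported for attribute encryption.
SUPPORTED_CIPHERS = ("AES", "3DES")

# DN shape of one nsAttributeEncryption entry (assumed for this example).
_ENCRYPTED_ATTR_DN = re.compile(
    r"^cn=(?P<attr>[^,]+),cn=encrypted attributes,cn=(?P<backend>[^,]+),"
    r"cn=ldbm database,cn=plugins,cn=config$",
    re.IGNORECASE,
)

# Constructed sample dse.ldif fragment: one backend with two encrypted attributes.
SAMPLE_DSE_LDIF = """\
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: userRoot
nsslapd-suffix: dc=example,dc=com

dn: cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: encrypted attributes

dn: cn=userPassword,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: userPassword
nsEncryptionAlgorithm: AES

dn: cn=employeeNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: employeeNumber
nsEncryptionAlgorithm: 3DES
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips comments and
    returns one dict per entry keyed by lower-cased attribute name."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def encrypted_attributes(dse_ldif: str) -> Dict[str, Dict[str, str]]:
    """Map backend name -> {attribute: cipher} for every nsAttributeEncryption
    entry found below a cn=encrypted attributes container."""
    config: Dict[str, Dict[str, str]] = {}
    for entry in parse_ldif(dse_ldif):
        match = _ENCRYPTED_ATTR_DN.match(entry.get("dn", [""])[0])
        if not match:
            continue
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        if "nsattributeencryption" not in classes:
            continue
        cipher = entry.get("nsencryptionalgorithm", ["(unset)"])[0].upper()
        config.setdefault(match.group("backend"), {})[match.group("attr")] = cipher
    return config


def audit(dse_ldif: str) -> List[str]:
    """One finding per attribute whose cipher deserves attention: 3DES (64-bit
    block, legacy) or a value outside the supported set."""
    findings: List[str] = []
    for backend, attrs in sorted(encrypted_attributes(dse_ldif).items()):
        for attr, cipher in sorted(attrs.items()):
            if cipher == "3DES":
                findings.append(f"{backend}/{attr}: 3DES; prefer AES for new deployments")
            elif cipher not in SUPPORTED_CIPHERS:
                findings.append(f"{backend}/{attr}: unsupported cipher {cipher!r}")
    return findings


def encryption_entry_ldif(backend: str, attribute: str, cipher: str = "AES") -> str:
    """LDIF for the entry that enables encryption of one attribute in one backend;
    the cipher is fixed here because changing it later needs an export/re-import."""
    if cipher not in SUPPORTED_CIPHERS:
        raise ValueError(f"cipher must be one of {SUPPORTED_CIPHERS}, got {cipher!r}")
    return (
        f"dn: cn={attribute},cn=encrypted attributes,cn={backend},"
        "cn=ldbm database,cn=plugins,cn=config\n"
        "objectClass: top\n"
        "objectClass: nsAttributeEncryption\n"
        f"cn: {attribute}\n"
        f"nsEncryptionAlgorithm: {cipher}\n"
    )


if __name__ == "__main__":
    for finding in audit(SAMPLE_DSE_LDIF):
        print(finding)
    print(encryption_entry_ldif("userRoot", "telephoneNumber"))
```

Run it against a real dse.ldif by reading the file into `audit()`; feed the output of `encryption_entry_ldif()` to ldapmodify -a, keeping in mind that the attribute must be chosen before any of its values are stored, since the server only encrypts values written after the entry exists.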
2.3.3. Configuring Database Encryption from the Console
1. In the Console, open the Directory Server.
2. Open the Configuration tab, and select the Data node.
3. In the Data node, select the backend to edit, such as dc=example,dc=com.
4. Next, select the root to edit, such as o=userRoot.
5. Select the Attribute Encryption tab.
6. Click the Add Attribute button; a list of attributes appears. Select the attribute to
encrypt.
Chapter 3. Configuring Directory Databases
66