Red Hat Directory Server 8.0 Administrator's Guide
NOTE
For existing attribute entries to be encrypted, the information must be exported,
then re-imported. See Section 2.3.5, “Exporting and Importing an Encrypted
Database”.
7. Select which encryption cipher to use.
8. Repeat steps 6 and 7 for every attribute to encrypt. Then hit Save.
To remove encryption from attributes, select them from the list of encrypted attributes in the
Attribute Encryption table, and hit the Delete button, then hit Save to apply the changes. Any
deleted attributes have to be manually re-added after saving.
2.3.4. Configuring Database Encryption Using the Command-Line
1. Run the ldapmodify command:
ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com
Note that -w puts the bind password on the command line, where it is visible in the shell history and in the process list of every user on the host; on a shared machine, read the password from a file with the client's password-file option instead.
2. Add an encryption entry for the attribute being encrypted. For example, this entry encrypts
the telephoneNumber attribute with the AES cipher:
dn: cn=telephoneNumber,cn=encrypted attributes,cn=Database1,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES
3. For existing attributes in entries to be encrypted, the information must be exported, then
re-imported. See Section 2.3.5, “Exporting and Importing an Encrypted Database”.
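The following script is an added example, not code from the Red Hat guide. It generates the nsAttributeEncryption entries for one or more attributes under a backend, refuses cipher names the server does not accept (nsEncryptionAlgorithm takes AES or 3DES), and shows an ldapmodify invocation that keeps the bind password off the command line. The backend name Database1, the host us.example.com and the password file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): build the LDIF that registers
# attributes for encryption under a backend and validate the cipher name.
# Assumed for illustration: backend "Database1", host us.example.com,
# bind password stored in /etc/dirsrv/dm.pwd.

VALID_CIPHERS="AES 3DES"   # values nsEncryptionAlgorithm accepts

# encrypted_attr_ldif BACKEND ATTR CIPHER
# Prints one nsAttributeEncryption entry; returns 1 for an unknown cipher.
encrypted_attr_ldif() {
  backend=$1; attr=$2; cipher=$3
  case " $VALID_CIPHERS " in
    *" $cipher "*) ;;
    *) echo "encrypted_attr_ldif: unsupported cipher '$cipher' (use AES or 3DES)" >&2
       return 1 ;;
  esac
  # The dn must be a single line; a dn wrapped over two lines does not parse.
  printf 'dn: cn=%s,cn=encrypted attributes,cn=%s,cn=ldbm database,cn=plugins,cn=config\n' "$attr" "$backend"
  printf 'objectclass: top\n'
  printf 'objectclass: nsAttributeEncryption\n'
  printf 'cn: %s\n' "$attr"
  printf 'nsEncryptionAlgorithm: %s\n\n' "$cipher"
}

# encryption_ldif BACKEND attr=cipher [attr=cipher ...]
# Prints an entry for every pair; stops with status 1 at the first bad pair
# so that a half-checked batch is never handed to ldapmodify.
encryption_ldif() {
  backend=$1; shift
  for pair in "$@"; do
    attr=${pair%%=*}
    cipher=${pair#*=}
    if [ -z "$attr" ] || [ "$attr" = "$pair" ]; then
      echo "encryption_ldif: expected attr=cipher, got '$pair'" >&2
      return 1
    fi
    encrypted_attr_ldif "$backend" "$attr" "$cipher" || return 1
  done
}

# Number of entries in an LDIF stream read from stdin (one "dn:" line each).
count_entries() { grep -c '^dn: '; }

# Demo: print the entries for two attributes with different ciphers.
encryption_ldif Database1 telephoneNumber=AES employeeNumber=3DES

# To apply, write the output to a file and add it. The -w option in the
# guide's example exposes the password in shell history and ps output; the
# ldapmodify shipped with Directory Server reads it from a file with -j
# (OpenLDAP's client uses -y):
#   encryption_ldif Database1 telephoneNumber=AES > encrypt.ldif
#   ldapmodify -a -p 389 -D "cn=directory manager" -j /etc/dirsrv/dm.pwd \
#       -h us.example.com -f encrypt.ldif
# Values already stored stay in clear text until the backend is exported
# and re-imported (Section 2.3.5).
```

The cipher check matters because an entry with an unsupported nsEncryptionAlgorithm value is rejected by the server rather than silently falling back to clear text, and the batch function fails before printing anything so a typo in one attribute does not leave half the list configured.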
For more information on database encryption configuration schema, refer to "Database
Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm
database,cn=plugins,cn=config" in the Directory Server Configuration, Command, and File
Reference.
2.3.5. Exporting and Importing an Encrypted Database
Exporting and importing encrypted databases is similar to exporting and importing regular
databases. However, the encrypted information must be decrypted when it is exported to LDIF,
Database Encryption