Database Encryption

NOTE

For existing attribute entries to be encrypted, the information must be exported, then re-imported. See Section 2.3.5, “Exporting and Importing an Encrypted Database”.

7. Select which encryption cipher to use.

8. Repeat steps 6 and 7 for every attribute to encrypt. Then hit Save.

To remove encryption from attributes, select them from the list of encrypted attributes in the Attribute Encryption table, and hit the Delete button, then hit Save to apply the changes. Any deleted attributes have to be manually re-added after saving.

2.3.4. Configuring Database Encryption Using the Command-Line

1. Run the ldapmodify command:

ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com

2. Add an encryption entry for the attribute being encrypted. For example, this entry encrypts the telephoneNumber attribute with the AES cipher:

dn: cn=telephoneNumber,cn=encrypted attributes,cn=Database1,cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES

3. For existing attributes in entries to be encrypted, the information must be exported, then re-imported. See Section 2.3.5, “Exporting and Importing an Encrypted Database”.

For more information on database encryption configuration schema, refer to "Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config" in the Directory Server Configuration, Command, and File Reference.
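The steps above configure one attribute per hand-written LDIF entry. The following shell script is an added example (not part of the Directory Server documentation) that generates the nsAttributeEncryption entries for several attributes at once, checks the cipher name before anything is sent to the server, and pipes the result into the same ldapmodify invocation the page shows. The backend name Database1, the host us.example.com and the AES cipher come from the page; the attribute list and the 3DES alternative (the other cipher value accepted by nsEncryptionAlgorithm in this server family) are this example's assumptions.

```shell
#!/bin/sh
# Added example: build cn=encrypted attributes entries and apply them with
# ldapmodify. Entries created this way only affect data added afterwards;
# existing values still require the export/re-import in Section 2.3.5.

# Emit one nsAttributeEncryption entry under the given backend.
# Arguments: backend attribute cipher
attr_encryption_ldif() {
    backend=$1; attr=$2; cipher=$3
    # Reject anything other than the cipher names the server accepts so a
    # typo does not produce an entry the server will refuse or misinterpret.
    case "$cipher" in
        AES|3DES) ;;
        *) echo "unsupported cipher: $cipher (use AES or 3DES)" >&2; return 1 ;;
    esac
    printf 'dn: cn=%s,cn=encrypted attributes,cn=%s,cn=ldbm database,cn=plugins,cn=config\n' \
        "$attr" "$backend"
    printf 'objectclass: top\n'
    printf 'objectclass: nsAttributeEncryption\n'
    printf 'cn: %s\n' "$attr"
    printf 'nsEncryptionAlgorithm: %s\n\n' "$attr" "$cipher" | sed '1d;2s/^/nsEncryptionAlgorithm: /' >/dev/null
    printf 'nsEncryptionAlgorithm: %s\n\n' "$cipher"
}

# Build a multi-entry LDIF (entries separated by a blank line) for every
# attribute listed after the backend and cipher.
# Arguments: backend cipher attribute...
build_ldif() {
    backend=$1; cipher=$2; shift 2
    for a in "$@"; do
        attr_encryption_ldif "$backend" "$a" "$cipher" || return 1
    done
}

# Count the entries a generated LDIF contains (one "dn:" line per entry),
# useful as a sanity check before applying it.
count_entries() {
    grep -c '^dn: ' 
}

# Apply the generated entries with the ldapmodify command from the page.
# The attribute list here is a constructed example. Note that -w places the
# bind password on the command line, where other local users can read it
# from the process list; see the ldapmodify manual for alternatives.
apply_encryption() {
    build_ldif Database1 AES telephoneNumber homePhone mobile |
        ldapmodify -a -p 389 -D "cn=directory manager" -w secret -h us.example.com
}
```

Run build_ldif with the attributes you intend to encrypt and inspect the output before calling apply_encryption; after the entries are in place, export and re-import the database so that values already stored become encrypted.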

2.3.5. Exporting and Importing an Encrypted Database

Exporting and importing encrypted databases is similar to exporting and importing regular databases. However, the encrypted information must be decrypted when it is exported to LDIF,
