--- title: Data encryption description: DS directory servers can encrypt directory data in backend files on disk. This keeps the data confidential until it is accessed by a directory client. component: pingds version: 8.1 page_id: pingds:security-guide:data canonical_url: https://docs.pingidentity.com/pingds/8.1/security-guide/data.html revdate: 2025-10-14T11:03:55Z keywords: ["Features", "LDAP", "Security", "Setup & Configuration"] --- # Data encryption DS directory servers can encrypt directory data in backend files on disk. This keeps the data confidential until it is accessed by a directory client. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Encrypting stored directory data does not prevent it from being sent over the network in the clear.Use secure connections to protect data sent over the network. | | Advantages | Trade-offs | | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Confidentiality and integrity**Encrypted directory data is confidential, remaining private until decrypted with a proper key.Encryption ensures data integrity at the moment it is accessed. The DS directory service cannot decrypt corrupted data. | **Equality indexes limited to equality matching**When an equality index is configured without confidentiality, the server maintains values in sorted order. It can then use the cleartext equality index can for searches that require ordering or match initial substrings.An example of a search that requires ordering is a search with a filter `"(cn<=App)"`. The filter matches entries with `commonName` up to those starting with `App` (case-insensitive) in alphabetical order.An example of a search that matches an initial substring is a search with a filter `"(cn=A*)"`. The filter matches entries having a `commonName` that starts with `a` (case-insensitive).In an equality index with confidentiality enabled, the server can no longer sort the values. As a result, you must either add indexes or accept that ordering and initial substring searches are unindexed. | | **Protection on shared infrastructure**When you share the infrastructure, you relinquish full and sole control of directory data. For example, if the DS directory server runs in the cloud, or in a data center with shared disks, the file system and disk management are not under your control.With encrypted data, other users cannot read the files unless they also have the decryption keys. | **Performance impact**Encryption and decryption require more processing than handling plaintext values.Encrypted values also take up more space than plaintext values. | To check what a system user with read access to backend database files can access, use the `backendstat dump-raw-db` command. The `backendstat` subcommands `list-raw-dbs` and `dump-raw-db` let you list and view the low-level databases within a backend. Unlike the output of other subcommands, the output of the `dump-raw-db` subcommand is neither decrypted nor formatted for readability. Instead, you can observe values as they are stored in the backend file. In a backend database, the `id2entry` index holds LDIF for directory entries. For a database that is not encrypted, the corresponding low-level database shows the cleartext strings: > **Collapse: Show details** > > ```console > $ stop-ds > $ backendstat list-raw-dbs --backendId dsEvaluation > ``` > > Output > > ``` > ... > /dc=com,dc=example/id2entry > ``` > > ```console > $ backendstat \ > dump-raw-db \ > --backendId dsEvaluation \ > /dc=com,dc=example/id2entry > ``` > > Output > > ``` > ... > Key (len 8): > 00 00 00 00 00 00 00 1E ........ > Value (len 437): > 02 00 81 B1 03 01 06 27 75 69 64 3D 62 6A 65 6E .......'uid=bjen > 73 65 6E 2C 6F 75 3D 50 65 6F 70 6C 65 2C 64 63 sen,ou=People,dc > 3D 65 78 61 6D 70 6C 65 2C 64 63 3D 63 6F 6D 01 =example,dc=com. > 06 11 01 08 01 13 62 6A 65 6E 73 65 6E 40 65 78 ......bjensen@ex > 61 6D 70 6C 65 2E 63 6F 6D 01 09 01 04 30 32 30 ample.com....020 > 39 01 16 01 0C 65 6E 2C 20 6B 6F 3B 71 3D 30 2E 9....en, ko;q=0. > 38 01 10 01 29 75 69 64 3D 74 72 69 67 64 65 6E 8...)uid=trigden > 2C 20 6F 75 3D 50 65 6F 70 6C 65 2C 20 64 63 3D , ou=People, dc= > 65 78 61 6D 70 6C 65 2C 64 63 3D 63 6F 6D 01 04 example,dc=com.. > 02 13 50 72 6F 64 75 63 74 20 44 65 76 65 6C 6F ..Product Develo > 70 6D 65 6E 74 06 50 65 6F 70 6C 65 01 0B 01 07 pment.People.... > 42 61 72 62 61 72 61 01 0C 01 0F 2B 31 20 34 30 Barbara....+1 40 > 38 20 35 35 35 20 31 38 36 32 01 0D 01 06 4A 65 8 555 1862....Je > 6E 73 65 6E 01 07 02 0E 42 61 72 62 61 72 61 20 nsen....Barbara > 4A 65 6E 73 65 6E 0B 42 61 62 73 20 4A 65 6E 73 Jensen.Babs Jens > 65 6E 01 0E 01 0D 2F 68 6F 6D 65 2F 62 6A 65 6E en..../home/bjen > 73 65 6E 01 0F 01 0F 2B 31 20 34 30 38 20 35 35 sen....+1 408 55 > 35 20 31 39 39 32 01 11 01 04 31 30 30 30 01 12 5 1992....1000.. > 01 2E 7B 53 53 48 41 7D 33 45 66 54 62 33 70 37 ..{SSHA}3EfTb3p7 > 71 75 6F 75 73 4B 35 34 2B 41 4F 34 71 44 57 6C quousK54+AO4qDWl > 56 33 4F 39 54 58 48 57 49 4A 49 32 4E 41 3D 3D V3O9TXHWIJI2NA== > 01 13 01 04 31 30 37 36 01 05 01 14 4F 72 69 67 ....1076....Orig > 69 6E 61 6C 20 64 65 73 63 72 69 70 74 69 6F 6E inal description > 01 14 01 07 62 6A 65 6E 73 65 6E 01 15 01 0D 53 ....bjensen....S > 61 6E 20 46 72 61 6E 63 69 73 63 6F 01 01 02 01 an Francisco.... > 24 38 38 37 37 33 32 65 38 2D 33 64 62 32 2D 33 $887732e8-3db2-3 > 31 62 62 2D 62 33 32 39 2D 32 30 63 64 36 66 63 1bb-b329-20cd6fc > 65 63 63 30 35 ecc05 > ``` Enable confidentiality to encrypt database backends. When confidentiality is enabled, the server encrypts entries before storing them in the backend. The following command enables backend confidentiality with the default encryption settings: ```console $ dsconfig \ set-backend-prop \ --hostname localhost \ --port 4444 \ --bindDn uid=admin \ --bindPassword password \ --backend-name dsEvaluation \ --set confidentiality-enabled:true \ --no-prompt \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin ``` After confidentiality is enabled, the server encrypts entries *only when it next writes them*. The server does not automatically rewrite all entries in encrypted form. Instead, it encrypts each entry the next time it is updated, or when you re-import data from LDIF. To observe the impact of backend encryption, import the data and view the results, as in the following example: > **Collapse: Show details** > > ```console > $ stop-ds > $ export-ldif \ > --offline \ > --backendId dsEvaluation \ > --includeBranch dc=example,dc=com \ > --ldifFile backup.ldif > $ import-ldif \ > --offline \ > --backendId dsEvaluation \ > --includeBranch dc=example,dc=com \ > --ldifFile backup.ldif > $ backendstat \ > dump-raw-db \ > --backendId dsEvaluation \ > /dc=com,dc=example/id2entry > ``` > > Output > > ``` > ... > Key (len 8): > 00 00 00 00 00 00 00 C2 ........ > Value (len 437): > 02 02 81 82 01 C4 95 87 5B A5 2E 47 97 80 23 F4 ........[..G..#. > CE 5D 93 25 97 D4 13 F9 0A A3 A8 31 9A D9 7A 70 .].%.......1..zp > FE 3E AC 9D 64 41 EB 7B D5 7F 7E B8 B7 74 52 B8 .>..dA.{.^?~..tR. > C7 7F C8 79 19 46 7D C5 5D 5B 83 9C 5B 9F 85 28 .^?.y.F}.][..[..( > 83 A2 5F A0 C1 B1 09 FC 2F E3 D8 82 4A AA 8B D9 .._...../...J... > 78 43 34 50 AE A1 52 88 5B 70 97 D2 E1 EA 87 CA xC4P..R.[p...... > 3B 4D 07 DC F9 F8 30 BB D2 76 51 C8 75 FF FA 80 ;M....0..vQ.u... > 77 E1 6A 8B 5B 8F DA A4 F4 0B B5 20 56 B3 19 19 w.j.[...... V... > 22 D8 9D 38 04 E3 4D 94 A7 99 4B 81 16 AD 88 46 "..8..M...K....F > FC 3F 7E 78 66 B8 D1 E9 86 A0 F3 AC B6 68 0D A9 .?~xf........h.. > 9A A7 3C 30 40 37 97 4E 90 DD 63 16 8E 11 0F 5E ..<0@7.N..c....^ > 9D 5B 86 90 AF 4E E2 1F 9E 70 73 14 0A 11 5C DB .[...N...ps...\. > B7 BC B8 A9 31 3F 74 8D 0A 9F F4 6C E1 B0 36 78 ....1?t....l..6x > F0 5A 5E CD 7C B3 A2 36 66 8E 88 86 A0 8B 9A 77 .Z^.|..6f......w > D5 CD 7E 9C 4E 62 20 0E D0 DB AD E7 7E 99 46 4F ..~.Nb .....~.FO > 67 C7 A6 7E 2C 24 82 50 51 9F A7 B2 02 44 5B 30 g..~,$.PQ....D[0 > 74 41 99 D9 83 69 EF AE 2E C0 FF C4 E6 4F F2 2F tA...i.......O./ > 95 FB 93 65 30 2A 2D 8D 20 88 83 B5 DE 35 B6 20 ...e0*-. ....5. > 47 17 30 25 60 FD E3 43 B9 D6 A4 F7 47 B6 6C 9F G.0%`..C....G.l. > 47 FD 63 8E 7F A5 00 CE 6C 3E BC 95 23 69 ED D0 G.c.^?...l>..#i.. > 69 4F BE 61 BD 30 C2 40 66 F6 F9 C3 3E C1 D7 8C iO.a.0.@f...>... > B0 C8 4A 2E 27 BE 13 6C 40 88 B0 13 A3 12 F4 50 ..J.'..l@......P > CA 92 D8 EB 4A E5 3F E2 64 A3 76 C7 5C 2B D8 89 ....J.?.d.v.\+.. > A3 6E C1 F7 0A C2 37 7A BD AF 14 4B 52 04 6B F2 .n....7z...KR.k. > 8F 4F C3 F8 00 90 BA 0F EC 6D B1 2D A8 18 0C A6 .O.......m.-.... > 29 96 82 3B 5C BC D0 F4 2B BE 9C C5 8B 18 7A DE )..;\...+.....z. > C7 B5 10 2D 45 50 4F 77 ED F7 23 34 95 AF C3 2E ...-EPOw..#4.... > B0 9B FA E9 DF ..... > ``` The settings for data confidentiality depend on the encryption capabilities of the JVM. Learn more in [javax.crypto.Cipher](https://docs.oracle.com/en/java/javase/25/docs/api/java.base/javax/crypto/Cipher.html). You can accept the default settings, or choose to specify the following: * The cipher algorithm defining how the plaintext is encrypted and decrypted. * The cipher mode of operation defining how a block cipher algorithm transforms data larger than a single block. * The cipher padding defining how to pad the plaintext to reach appropriate size for the algorithm. * The cipher key length, where longer key lengths strengthen encryption at the cost of lower performance. The default settings for confidentiality are `cipher-transformation: AES/GCM/NoPadding`, and `cipher-key-length: 128`. This means the algorithm is the Advanced Encryption Standard (AES), and the cipher mode is Galois/Counter Mode (GCM). The syntax for the `cipher-transformation` is `algorithm/mode/padding`. You must specify the *algorithm*, *mode*, and *padding*. When the algorithm does not require a mode, use `NONE`. When the algorithm does not require padding, use `NoPadding`. DS servers encrypt data using symmetric keys. Servers generate symmetric keys when needed and store them, encrypted with the shared master key, with the data they encrypt. As long as servers have the same shared master key, any server can recover symmetric keys needed to decrypt data. Symmetric keys for (deprecated) reversible password storage schemes are the exception to this rule. When you configure a reversible password storage scheme, enable the `adminRoot` backend, and configure a replication domain for `cn=admin data`. You can enable confidentiality by backend index, as long as confidentiality is enabled for the backend itself. Confidentiality hashes keys for equality type indexes using SHA-1. It encrypts the list of entries matching a substring key for substring indexes. The following example shows how to enable confidentiality for the `mail` index: ```console $ dsconfig \ set-backend-index-prop \ --hostname localhost \ --port 4444 \ --bindDn uid=admin \ --bindPassword password \ --backend-name dsEvaluation \ --index-name mail \ --set confidentiality-enabled:true \ --no-prompt \ --trustStorePath /path/to/opendj/config/keystore \ --trustStoreType PKCS12 \ --trustStorePassword:file /path/to/opendj/config/keystore.pin ``` After changing the index configuration, rebuild the index to enforce confidentiality immediately. Confidentiality cannot be enabled for VLV indexes. Avoid using sensitive attributes in VLV indexes. When reading files for an encrypted backend database, be aware that although user data is kept confidential, the following are *not encrypted* on disk: * Existing backend database files. The server encrypts backend database content *only when it is next written*. If you must make sure that all relevant data are encrypted, export the data to LDIF and then import the data again. * The `dn2id` index and its keys. * Substring index keys. Substring index values are encrypted. Encrypting and decrypting data require cryptographic processing that reduces throughput, and extra space for larger encrypted values. Tests with default settings show that the cost of enabling confidentiality can be quite modest. Your results can vary based on the host system hardware, the JVM, and the settings for `cipher-transformation` and `cipher-key-length`. Make sure you test your deployment to qualify the impact of confidentiality before changing settings in production.