You can encrypt data during an LDIF export and digitally sign the LDIF file.
The server provides features to encrypt data during an export using the export-ldif --encryptLDIF option. It also allows the encrypted LDIF file to be imported on the same instance, or another server in the same replication topology, using the import-ldif tool. You can use a --doNotEncrypt argument to force an LDIF export to be unencrypted even if automatic encryption is enabled. The --maxMegabytesPerSecond argument can be used to impose a limit on the rate at which the LDIF file can be written to disk.
You can use the export-ldif tool with the --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments to specify which key to use for encrypting the export. The import-ldif tool automatically detects encryption and compression and has --promptForEncryptionPassphrase, --encryptionPassphraseFile options as well.
The server also provides an additional argument that digitally signs the contents of the LDIF file, which ensures that the content has not been altered since the export. To digitally sign the contents of the exported LDIF file, use the export-ldif --sign option. To allow a signed LDIF file to be imported onto the same instance or another server in the same topology, use the import-ldif --isSigned option.
There is little added benefit to signing and encrypting the same data because encrypted data cannot be altered without destroying the ability to decrypt it.