The encryption settings database contains encryption settings definitions. Each definition specifies the cipher transformation used to encrypt the data and encapsulates the key used for encryption and decryption. Before enabling data encryption, you must create an encryption settings definition.

You can use the encryption-settings tool to manage the encryption settings database, including:

  • Creating, deleting, exporting, and importing encryption settings definitions
  • Listing the available definitions
  • Indicating which definition to use for subsequent encryption operations
  • Managing data encryption restrictions to impose on the server
  • Freezing and unfreezing the encryption settings database
  • Supplying the passphrase needed for the Wait for Passphrase cipher stream provider

For more about the encryption-settings tool, see Using the encryption-settings tool.

Implementing encryption settings definitions

Although the encryption settings database can hold multiple encryption settings definitions, only one of them can be designated as the preferred definition. The preferred encryption settings definition is used for all subsequent encryption operations. Any existing data that has not yet been encrypted remains unencrypted until it is rewritten, for example as the result of a modify or modifyDN operation, or when the data is exported to LDIF and re-imported.

If you introduce a new preferred encryption settings definition, any existing encrypted data continues to use the previous definition until it is rewritten. If you change the preferred encryption settings definition for the server, keep the previous definitions in the database until you have verified that no remaining data still uses the older keys.
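As an added illustration (constructed for this page, not PingDirectory's own code), the following Python models the behaviour described above: each stored record carries the ID of the definition that encrypted it, a newly preferred definition only affects data written or rewritten afterwards, and `definitions_in_use` is the check to run before deleting an old definition. The cipher is a toy SHA-256 keystream standing in for the real transformation, and the class, method and record-layout names are assumptions.

```python
import hashlib
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream, constructed for illustration; not PingDirectory's cipher."""
    blocks = -(-length // 32)  # ceiling division: number of 32-byte digests needed
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


class EncryptionSettingsDB:
    """Minimal model of the encryption settings database: several definitions, one preferred."""
    def __init__(self):
        self.definitions = {}  # definition ID -> key (assumed layout)
        self.preferred = None

    def create(self, set_preferred=False):
        key = secrets.token_bytes(32)
        def_id = hashlib.sha256(key).hexdigest()[:16]  # assumption: ID derived from the key
        self.definitions[def_id] = key
        if set_preferred or self.preferred is None:
            self.preferred = def_id
        return def_id

    def delete(self, def_id):
        del self.definitions[def_id]

    def encrypt(self, plaintext: bytes) -> dict:
        # Every record carries the ID of the definition that encrypted it.
        nonce = secrets.token_bytes(12)
        key = self.definitions[self.preferred]
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        return {"def_id": self.preferred, "nonce": nonce, "ct": ct}

    def decrypt(self, record: dict) -> bytes:
        # Raises KeyError if the definition that encrypted the record has been deleted.
        key = self.definitions[record["def_id"]]
        ks = _keystream(key, record["nonce"], len(record["ct"]))
        return bytes(a ^ b for a, b in zip(record["ct"], ks))

    def rewrite(self, record: dict) -> dict:
        # Models a modify/modifyDN or LDIF export and re-import: re-encrypt under the preferred definition.
        return self.encrypt(self.decrypt(record))


def definitions_in_use(records) -> set:
    """Check to run before deleting an old definition: which IDs still protect stored data?"""
    return {r["def_id"] for r in records}
```

Deleting a definition while `definitions_in_use` still reports its ID leaves those records undecryptable, which is the failure the paragraph above warns about.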