The Directory Server provides features to encrypt data during an LDIF export using the export-ldif --encryptLDIF option and to allow the encrypted LDIF file to be imported onto the same instance or another server in the same replication topology using the import-ldif tool. A --doNotEncrypt argument can be used to force an LDIF export to be unencrypted, even if automatic encryption is enabled. The --maxMegabytesPerSecond argument can be used to impose a limit on the rate at which the LDIF file may be written to disk.

The export-ldif tool can be used with the --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments to specify which key to use for encrypting the export. The import-ldif tool will automatically detect encryption and compression, and have --promptForEncryptionPassphrase, --encryptionPassphraseFile options as well.

The Directory Server also provides an additional argument that digitally signs the contents of the LDIF file, which ensures that the content has not been altered since the export. To digitally sign the contents of the exported LDIF file, use the export-ldif --sign option. To allow a signed LDIF file to be imported onto the same instance or another server in the same topology, use the import-ldif --isSigned option.

Note that there is not much added benefit to both signing and encrypting the same data, since encrypted data cannot be altered without destroying the ability to decrypt it.