The encryption-settings database is a repository that the server uses to hold the information it needs to encrypt and decrypt data. It contains any number of encryption-settings definitions, each of which specifies the cipher transformation to use and encapsulates the key used for encryption and decryption.
Before data encryption can be enabled, you first need to create an encryption-settings definition. An encryption-settings definition specifies the cipher transformation that should be used to encrypt the data, and encapsulates the encryption key. The encryption-settings command-line tool can be used to manage the encryption-settings database, including creating, deleting, exporting, and importing encryption-settings definitions, listing the available definitions, and indicating which definition should be used for subsequent encryption operations.
Although the encryption-settings database can hold multiple encryption-settings definitions, only one of them can be designated as the preferred definition. The preferred encryption-settings definition is the one that will be used for any subsequent encryption operations; it does not cause existing data to be rewritten. Any existing data that has not yet been encrypted remains unencrypted until it is rewritten (for example, as a result of a modify or modify DN operation, or if the data is exported to LDIF and re-imported). Similarly, if you introduce a new preferred encryption-settings definition, any existing encrypted data continues to be protected by the definition it was originally encrypted with until it is rewritten. Each definition is therefore still needed for as long as any stored data references its key, and data encrypted with a definition that has been deleted cannot be decrypted. If you change the preferred encryption-settings definition for the server, retain the previous definitions (and keep exported copies of them in a secure location) until you are confident that no remaining data uses those older keys, for instance after a full LDIF export and re-import.
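The following Python model illustrates the preferred-definition semantics described above. It is an added example and is not code from the server or from the encryption-settings tool: the `EncryptionSettingsDB` class, its method names, and the way definition IDs are derived are assumptions made for illustration, and the cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) is a stand-in for the server's real cipher transformation, used only so the example runs on the standard library. What it shows is the behaviour the text warns about: each encrypted value carries the ID of the definition that protected it, switching the preferred definition affects only new writes, a rewrite (modify or export/re-import) moves a value onto the current preferred definition, and deleting a definition that still protects stored data makes that data unrecoverable.

```python
"""Model of an encryption-settings database with one preferred definition.

Added example, not the server's code. The envelope, ID derivation and the
HMAC-based toy cipher are assumptions chosen so the example runs offline.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


@dataclass
class EncryptionSettingsDefinition:
    definition_id: str          # 16 hex chars (assumed format, like a listing ID)
    cipher_transformation: str  # descriptive only in this model
    key: bytes                  # the encapsulated secret key


class EncryptionSettingsDB:
    def __init__(self):
        self.definitions = {}
        self.preferred_id = None

    def create(self, cipher_transformation="AES/CBC/PKCS5Padding",
               key_length_bits=128, set_preferred=False):
        key = secrets.token_bytes(key_length_bits // 8)
        definition_id = hashlib.sha256(key).hexdigest()[:16]  # assumed derivation
        self.definitions[definition_id] = EncryptionSettingsDefinition(
            definition_id, cipher_transformation, key)
        if set_preferred:
            self.preferred_id = definition_id
        return definition_id

    def set_preferred(self, definition_id):
        if definition_id not in self.definitions:
            raise KeyError(definition_id)
        self.preferred_id = definition_id

    def delete(self, definition_id, stored_values=None):
        # The preferred definition is never deletable. If the caller supplies the
        # stored values, refuse to drop a definition any of them still depends on.
        if definition_id == self.preferred_id:
            raise RuntimeError("cannot delete the preferred definition")
        if stored_values is not None and any(
                self.definition_id_of(v) == definition_id for v in stored_values):
            raise RuntimeError(f"definition {definition_id} still protects stored data")
        del self.definitions[definition_id]

    @staticmethod
    def _keystream(key, nonce, length):
        # Toy stream cipher: HMAC-SHA256(key, nonce || counter) blocks.
        out = bytearray()
        for counter in range((length + 31) // 32):
            out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        return bytes(out[:length])

    def encrypt(self, plaintext):
        # Always uses the preferred definition; envelope = id(16) || nonce(16) || ct || tag(32)
        if self.preferred_id is None:
            raise RuntimeError("no preferred encryption-settings definition")
        d = self.definitions[self.preferred_id]
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(d.key, nonce, len(plaintext))))
        header = d.definition_id.encode() + nonce
        tag = hmac.new(d.key, header + ct, hashlib.sha256).digest()
        return header + ct + tag

    @staticmethod
    def definition_id_of(blob):
        return blob[:16].decode()

    def decrypt(self, blob):
        # Looks up the definition recorded in the envelope, not the preferred one.
        definition_id = self.definition_id_of(blob)
        d = self.definitions.get(definition_id)
        if d is None:
            raise KeyError(f"data was encrypted with deleted definition {definition_id}")
        header, ct, tag = blob[:32], blob[32:-32], blob[-32:]
        expected = hmac.new(d.key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(d.key, header[16:], len(ct))))

    def rewrite(self, blob):
        """Re-encrypt under the current preferred definition (what a modify or an
        LDIF export/re-import does to an existing value)."""
        return self.encrypt(self.decrypt(blob))


def rotation_walkthrough():
    """Rotate the preferred definition and show when the old one may be deleted."""
    db = EncryptionSettingsDB()
    old_id = db.create(set_preferred=True)
    stored = [db.encrypt(b"userPassword: secret1"), db.encrypt(b"userPassword: secret2")]
    new_id = db.create(key_length_bits=256, set_preferred=True)
    stored.append(db.encrypt(b"userPassword: secret3"))   # only new writes use new_id
    before = [db.definition_id_of(v) for v in stored]
    try:
        db.delete(old_id, stored)                          # refused: data still uses it
        premature_refused = False
    except RuntimeError:
        premature_refused = True
    stored = [db.rewrite(v) for v in stored]               # rewrite moves everything
    after = [db.definition_id_of(v) for v in stored]
    db.delete(old_id, stored)                              # now safe
    return {"old_id": old_id, "new_id": new_id, "before": before, "after": after,
            "premature_refused": premature_refused,
            "plaintexts": [db.decrypt(v) for v in stored],
            "remaining_ids": set(db.definitions)}
```

Without the `stored_values` check, `delete` behaves like a tool that has no view of the data: the old definition disappears and every value still carrying its ID fails to decrypt, which is exactly why the text says to retain previous definitions until nothing references them.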