The set of encryption ciphers that are supported by the Directory Server is limited to those ciphers supported by the JVM in which the server is running. For specific reference information about the algorithms and transformations available in all compliant JVM implementations, see the following:

  • Java Cryptography Architecture Reference Guide
  • Java Cryptography Architecture Standard Algorithm Name Documentation

When configuring encryption, the cipher to be used must be specified using a key length (in bits) and either a cipher algorithm name (e.g., "AES") or a full cipher transformation that explicitly specifies the mode and padding to use for the encryption (e.g., "AES/CBC/PKCS5Padding"). If only a cipher algorithm name is given, the JVM's default mode and padding for that algorithm are selected automatically.

The following cipher algorithms and key lengths have been tested using the Sun/Oracle JVM:

Cipher Algorithm   Key Length (bits)
AES                128
Blowfish           128
DES                64
DESede             192
RC4                128

Note: By default, some JVM implementations may come with limited encryption strength, which may restrict the key lengths that can be used. For example, the Sun/Oracle JVM does not allow AES with 192-bit or 256-bit keys unless the unlimited encryption strength policy files are downloaded and installed.
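The following is an added example, not code from the Directory Server or its documentation. It checks, on the JVM the server will run in, whether each algorithm and key length from the table above is permitted by the installed policy, and it shows why naming only "AES" rather than a full transformation matters: with the Sun/Oracle SunJCE provider (assumed here), "AES" alone resolves to ECB mode, so identical plaintext blocks produce identical ciphertext blocks, which "AES/CBC/PKCS5Padding" with a random IV avoids. The class name and the zero-filled sample plaintext are constructed for the example.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class CipherSupportCheck {
    // Algorithm / key-length pairs from the table of tested ciphers.
    static final String[][] TESTED = {
        {"AES", "128"}, {"Blowfish", "128"}, {"DES", "64"}, {"DESede", "192"}, {"RC4", "128"}
    };

    // Reports whether the running JVM's policy files permit each listed key length.
    // With limited-strength policy files the AES limit is 128; unlimited reports Integer.MAX_VALUE.
    static void reportKeyLengths() throws NoSuchAlgorithmException {
        for (String[] entry : TESTED) {
            int wanted = Integer.parseInt(entry[1]);
            int max = Cipher.getMaxAllowedKeyLength(entry[0]);
            System.out.printf("%-9s %4d bits: %s (policy limit %d)%n", entry[0], wanted,
                    wanted <= max ? "allowed" : "BLOCKED by policy", max);
        }
    }

    // Encrypts two identical 16-byte blocks and returns true when the two ciphertext
    // blocks are identical, i.e. when the transformation is effectively running in ECB mode.
    static boolean repeatsBlocks(String transformation, SecretKey key) throws Exception {
        byte[] twoSameBlocks = new byte[32]; // constructed: 2 x 16-byte blocks of zeros
        Cipher c = Cipher.getInstance(transformation);
        if (transformation.contains("/CBC/")) {
            byte[] iv = new byte[16];            // a fresh random IV per encryption
            new SecureRandom().nextBytes(iv);
            c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        } else {
            c.init(Cipher.ENCRYPT_MODE, key);   // "AES" alone: SunJCE picks ECB/PKCS5Padding
        }
        byte[] ct = c.doFinal(twoSameBlocks);
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        reportKeyLengths();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        System.out.println("AES (algorithm name only) repeats blocks: " + repeatsBlocks("AES", key));
        System.out.println("AES/CBC/PKCS5Padding repeats blocks:      " + repeatsBlocks("AES/CBC/PKCS5Padding", key));
    }
}
```

Run it with the same JVM and policy files the Directory Server uses; a "BLOCKED by policy" line means the server will not be able to use that cipher and key length until the unlimited strength policy files are installed.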

The Directory Server supports four Cipher Stream Providers, which are used to obtain cipher input and output streams to read and write encrypted data.

Cipher Stream Provider   Description
Default                  Default cipher stream provider using a hard-coded default key.
File-Based               Used to read a specified file in order to obtain a password used to generate cipher streams for reading and writing encrypted data.
Third-Party              Used to provide cipher stream provider implementations created in third-party code using the Server SDK.
Wait-for-Passphrase      Causes the server to wait for an administrator to enter a passphrase that will be used to derive the key for cipher streams. You can supply the passphrase to the server by running encryption-settings supply-passphrase.