The encryption-settings database is a repository that holds information for encrypting and decrypting data.
The database contains any number of encryption-settings definitions, each of which specifies the cipher transformation and encapsulates the key used for encryption and decryption.
Before enabling data encryption, you must create an encryption-settings definition. An encryption-settings definition specifies the cipher transformation to use to encrypt the data and encapsulates the encryption key.
Use the encryption-settings command-line tool to manage the encryption-settings database, including:
- Creating, deleting, exporting, and importing encryption-settings definitions
- Listing the available definitions
- Indicating which definition to use for subsequent encryption operations
Implementing encryption-settings definitions
Although the encryption-settings database can have multiple encryption-settings
definitions, designate only one of them as the preferred definition. The preferred
encryption-settings definition is the one used for any subsequent encryption operations. Any
existing data that has not yet been encrypted remains unencrypted until it is rewritten,
for example as a result of a modify or modifyDN operation, or if the data is exported
to LDIF and re-imported. Similarly, if you introduce a new preferred
encryption-settings definition, then any existing encrypted data continues to use the
previous definition until it is rewritten. If you do change the preferred
encryption-settings definition for the server, retain the previous definitions until you are
confident that no remaining data uses those older keys.
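The lifecycle described above, as an added example that is not part of the product or this page: a toy model of an encryption-settings database with several definitions and one preferred definition. Each stored record remembers which definition protected it, a rewrite moves records to the preferred definition, and safe_to_delete checks that an old definition protects no remaining data before it is removed. The definition ids, cipher names and HMAC-based keystream are illustrative stand-ins, not the server's real format or cipher.

```python
import hashlib
import hmac
import os

class EncryptionSettingsDB:
    def __init__(self):
        self.definitions = {}   # def_id -> {"cipher": str, "key": bytes}
        self.preferred = None   # only one definition is preferred at a time

    def create(self, def_id, cipher, key=None):
        self.definitions[def_id] = {"cipher": cipher, "key": key or os.urandom(32)}
        if self.preferred is None:
            self.preferred = def_id

    def set_preferred(self, def_id):
        if def_id not in self.definitions:
            raise KeyError(def_id)
        self.preferred = def_id

    def delete(self, def_id, records):
        # Refuse to drop a definition while it is preferred or still protects data.
        if not safe_to_delete(self, def_id, records):
            raise ValueError(f"{def_id} is preferred or still protects stored records")
        del self.definitions[def_id]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a toy stand-in for the real cipher transformation.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(db, plaintext):
    key = db.definitions[db.preferred]["key"]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return (db.preferred, nonce, ct)    # record carries the id of the definition used

def decrypt(db, record):
    def_id, nonce, ct = record
    if def_id not in db.definitions:
        raise KeyError(f"definition {def_id} was deleted; record is unrecoverable")
    key = db.definitions[def_id]["key"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def rewrite_all(db, records):
    # A rewrite (modify, modifyDN, LDIF export and re-import) moves data to the preferred definition.
    return [encrypt(db, decrypt(db, r)) for r in records]

def safe_to_delete(db, def_id, records):
    return def_id != db.preferred and all(r[0] != def_id for r in records)
```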