Cipher Algorithms

The Directory Server supports encryption cipher suites that are compliant with the Java virtual machine (JVM) in which the server is running. When configuring encryption, you must specify the cipher using a key length in bits and either a cipher algorithm name, such as AES, or a full cipher transformation that explicitly specifies the mode and padding to use for the encryption, such as AES/CBC/ PKCS5Padding. If only a cipher algorithm is given, then the default mode and padding for that algorithm is automatically selected.

The following cipher algorithms and key lengths have been tested using the Oracle JVM.

Cipher Algorithms and key length
Cipher Algorithm Key Length (bits)












By default, some JVM implementations come with limited encryption strength, which might restrict the usable key lengths. For example, the Oracle JVM does not allow AES with 192-bit or 256-bit keys unless you download and install the unlimited encryption strength policy files.

For specific reference information about the algorithms and transformations available in all compliant JVM implementations, see the Java Cryptography Architecture Reference Guide and Java Cryptography Architecture Standard Algorithm Name Documentation documentation.

Cipher Stream Providers

Directory Server supports the following Cipher Stream Providers, which are used to obtain cipher input and output streams to read and write encrypted data.

Cipher Stream Providers and their descriptions
Cipher Stream Providers Description


Default cipher stream provider using a hard-coded default key.


Reads a specified file in order to obtain a password used to generate cipher streams for reading and writing encrypted data.


Provides cipher stream provider implementations created in third-party code using the Server SDK.


Causes the server to wait for an administrator to enter a passphrase to use to derive the key for cipher streams. To supply the passphrase to the server, run encryption-settings supply-passphrase.