The encryption-settings database holds any number of encryption-settings definitions. Each definition specifies the cipher transformation to use and encapsulates the key used for encryption and decryption.

Before enabling data encryption, you must create an encryption-settings definition. An encryption-settings definition specifies the cipher transformation to use to encrypt the data and encapsulates the encryption key.

Use the encryption-settings command-line tool to manage the encryption settings database, including:

  • Creating, deleting, exporting, and importing encryption-settings definitions
  • Listing the available definitions
  • Designating the preferred definition, which the server uses for all subsequent encryption operations

Implementing encryption-settings definitions

Although the encryption-settings database can hold multiple encryption-settings definitions, only one of them is designated the preferred definition. The server uses the preferred definition for every subsequent encryption operation. Designating a preferred definition does not rewrite existing data: any data that has not yet been encrypted stays unencrypted until it is rewritten, for example as the result of a modify or modifyDN operation, or when the data is exported to LDIF and re-imported. Likewise, if you designate a new preferred definition, existing encrypted data remains encrypted under the previous definition until it is rewritten. If you change the preferred encryption-settings definition for the server, retain the previous definitions until you are confident that no remaining data uses those older keys; a definition that is deleted while data still depends on its key leaves that data unreadable.
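The following script is an added example, not code from the product or its documentation. It walks through the tool operations listed above as one key-rotation procedure: create a new definition and make it the preferred one, then rewrite the backend by exporting it to LDIF and importing it again so every entry is re-encrypted under the new key, and finally list the definitions without deleting the older ones. Everything beyond the page's text is an assumption: the install root (PD_HOME), the backend name (userRoot), that the server is stopped so export-ldif and import-ldif run offline, and that the flag names used match the installed version of the tools.

```shell
#!/bin/sh
# Added example (not from the PingDirectory documentation or product): rotate to a
# new preferred encryption-settings definition and re-encrypt existing data under
# it by exporting the backend to LDIF and importing it again.
#
# Assumptions, none of which come from the page:
#   - PD_HOME is the server install root and the tools live in $PD_HOME/bin
#   - the backend to rewrite is userRoot and the server is stopped, so
#     export-ldif/import-ldif run offline
#   - the flags used (create --cipher-algorithm/--key-length-bits/--set-preferred,
#     export-ldif/import-ldif --backendID/--ldifFile) match the installed version
PD_HOME="${PD_HOME:-/opt/ping/PingDirectory}"
BACKEND_ID="${BACKEND_ID:-userRoot}"
LDIF_FILE="${LDIF_FILE:-$PD_HOME/ldif/rotate-$$.ldif}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each command instead of running it

# Run a command, or print it when DRY_RUN=1 so the procedure can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create a new definition and make it the preferred one. From this point
# every new encryption operation uses this key; existing data is untouched.
create_preferred() {
  run "$PD_HOME/bin/encryption-settings" create \
    --cipher-algorithm "${1:-AES}" --key-length-bits "${2:-256}" --set-preferred
}

# Step 2: rewrite every entry so it is re-encrypted under the preferred definition.
# The exported LDIF holds the decrypted entries, so it is written with restrictive
# permissions (umask in a subshell) and removed as soon as the import has finished.
rewrite_backend() {
  ( umask 077 && run "$PD_HOME/bin/export-ldif" --backendID "$BACKEND_ID" --ldifFile "$LDIF_FILE" ) &&
    run "$PD_HOME/bin/import-ldif" --backendID "$BACKEND_ID" --ldifFile "$LDIF_FILE" &&
    run rm -f "$LDIF_FILE"
}

# Step 3: show the definitions. The previous ones are deliberately left in place;
# delete them only once you are sure no remaining data still uses their keys.
list_definitions() {
  run "$PD_HOME/bin/encryption-settings" list
}

# The whole rotation: new preferred key, rewrite, then review what is left.
rotate_key() {
  create_preferred "${1:-AES}" "${2:-256}" &&
    rewrite_backend &&
    list_definitions
}

# Usage: DRY_RUN=1 sh rotate-key.sh rotate   (review the commands)
#        sh rotate-key.sh rotate             (perform the rotation, server stopped)
if [ "${1:-}" = "rotate" ]; then
  rotate_key
fi
```

Two points worth noting in the design. The script never deletes an encryption-settings definition, matching the guidance above: an older definition is only safe to remove once no entry (and nothing else encrypted with it) remains. And the export/import step is what actually moves the data onto the new key; merely setting a new preferred definition leaves every existing entry encrypted under the old one, which is why the LDIF round trip is part of the rotation rather than an optional cleanup.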