Cipher algorithms

The Directory Server supports encryption cipher suites that are compliant with the Java Virtual Machine (JVM) in which the server is running. When configuring encryption, you must specify the cipher using a key length in bits and either a cipher algorithm name, such as AES, or a full cipher transformation that explicitly specifies the mode and padding to use for the encryption, such as AES/CBC/ PKCS5Padding. If only a cipher algorithm is given, then the default mode and padding for that algorithm is automatically selected.

The following cipher algorithms and key lengths have been tested using the Oracle JVM.

Cipher algorithms and key length
Cipher Algorithm Key Length (bits)


128, 192, or 256









For specific reference information about the algorithms and transformations available in all compliant JVM implementations, see the Java Cryptography Architecture Reference Guide and Java Cryptography Architecture Standard Algorithm Name Documentation documentation.

Cipher stream providers

By default, setup generates a strong, random passphrase and writes it to a file. The server then uses a file-based cipher stream provider to read the passphrase and generate a key for encrypting the contents of the encryption settings database. However, the server supports additional cipher stream providers that use alternative means for unlocking the encryption settings database. Options include:

  • Require a passphrase to be interactively provided when the server is started, or any time an external process needs access to the encryption settings database.
  • Use a key stored in the Amazon Key Management Service (KMS).
  • Use a key stored in a HashiCorp Vault instance.
  • Use a key generated from a passphrase stored in the Amazon Secrets Manager service.
  • Use a key generated from a passphrase stored in the Azure Key Vault service.
  • Use a key generated from a passphrase stored in a CyberArk Conjur instance.
  • Use a key generated from a certificate stored in a PKCS #11 token.

For more information, see Configuring cipher stream providers.