You can encrypt data during an LDIF export and digitally sign the LDIF file.
The PingDirectory server provides features to encrypt data
You can use the export-ldif tool with the --promptForEncryptionPassphrase, --encryptionPassphraseFile, and --encryptionSettingsDefinitionID arguments to specify which key to use for encrypting the export. The import-ldif tool automatically detects encryption and compression, and it also accepts the --promptForEncryptionPassphrase and --encryptionPassphraseFile options.
The PingDirectory server also provides an additional argument that digitally signs the contents of the LDIF file, which ensures that the content has not been altered since the export. To digitally sign the contents of the exported LDIF file, use the export-ldif --sign option. To allow a signed LDIF file to be imported onto the same instance or another server in the same topology, use the import-ldif --isSigned option.
There is little added benefit to signing and encrypting the same data because encrypted data cannot be altered without destroying the ability to decrypt it.
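When --encryptionPassphraseFile is used, the passphrase file becomes the secret that protects the export. The following is an added example, not taken from the PingDirectory documentation: a wrapper that refuses to run export-ldif unless the passphrase file is a non-empty regular file with no group or other permissions. The function names, the EXPORT_LDIF variable, the userRoot backend ID, and the --backendID, --ldifFile and --encrypt arguments are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example; names and paths here are assumptions, not product defaults.

# Return 0 only if the passphrase file is a non-empty regular file
# (not a symlink) that grants nothing to group or other.
passphrase_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -s "$f" ] || return 1
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Write a random 256-bit passphrase (64 hex characters plus newline)
# to a file that only its owner can read.
new_passphrase_file() {
    (
        umask 077
        { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; echo; } > "$1"
        chmod 600 "$1"   # covers the case where the file already existed
    )
}

# Export the backend to an encrypted LDIF file, but only when the
# passphrase file passes the permission check. Returns 2 on refusal.
export_encrypted() {
    pass_file=$1
    out=$2
    if ! passphrase_file_ok "$pass_file"; then
        echo "refusing to export: $pass_file is missing, empty, a symlink," \
             "or accessible to group/other" >&2
        return 2
    fi
    # EXPORT_LDIF lets the caller point at <server-root>/bin/export-ldif.
    "${EXPORT_LDIF:-export-ldif}" \
        --backendID userRoot \
        --ldifFile "$out" \
        --encrypt \
        --encryptionPassphraseFile "$pass_file"
}
```

Store the passphrase file separately from the exported LDIF file, since anyone holding both can decrypt the export.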