10.7. Exporting and Importing an Encrypted Database

Exporting and importing encrypted databases is similar to exporting and importing regular databases. However, the encrypted information must be decrypted when you export the data and re-encrypted when you re-import it to the database.

10.7.1. Exporting an Encrypted Database

To export data from an encrypted database, pass the -E parameter to the db2ldif script. The script uses the password stored in the Directory Sever configuration to decrypt the database.
To encrypt a complete database: 
# db2ldif -Z instance_name -n database_name -E -a /tmp/data.ldif
Alternatively, you can export only a specific subtree. For example, to export all data from the ou=People,dc=example,dc=com entry into the /tmp/export.ldif file: 
# db2ldif -Z instance_name -n database_name -E -s "ou=people,dc=example,dc=com" \
     -a /tmp/data.ldif

Important

The db2ldif script exports the content using the operating system account of the Directory Server instance. Therefore, this account must be able to write to the file set in the -a option.

10.7.2. Importing an LDIF File into an Encrypted Database

To import data to a database when encryption is enabled:
  1. Stop the Directory Server instance: 
    # systemctl stop dirsrv@instance_name
  2. If you replaced the certificate database between the last export and this import, edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and remove the following entries including their attributes:
    • cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
    • cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config

    Important

    Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.
  3. Import the LDIF file. For example: 
    # ldif2db -Z instance_name -n database_name -E -i /tmp/data.ldif
    The -E parameter enables the script to encrypt attributes configure for encryption during the import.
  4. Start the instance: 
    # systemctl start dirsrv@instance_name