Show Table of Contents
10.7. Exporting and Importing an Encrypted Database
Exporting and importing encrypted databases is similar to exporting and importing regular databases. However, the encrypted information must be decrypted when you export the data and re-encrypted when you re-import it to the database.
10.7.1. Exporting an Encrypted Database
To export data from an encrypted database, pass the
-E
parameter to the db2ldif
script. The script uses the password stored in the Directory Sever configuration to decrypt the database.
To encrypt a complete database:
# db2ldif -Z instance_name -n database_name -E -a /tmp/data.ldif
Alternatively, you can export only a specific subtree. For example, to export all data from the
ou=People,dc=example,dc=com
entry into the /tmp/export.ldif
file:
# db2ldif -Z instance_name -n database_name -E -s "ou=people,dc=example,dc=com" \ -a /tmp/data.ldif
Important
The
db2ldif
script exports the content using the operating system account of the Directory Server instance. Therefore, this account must be able to write to the file set in the -a
option.
10.7.2. Importing an LDIF File into an Encrypted Database
To import data to a database when encryption is enabled:
- Stop the Directory Server instance:
# systemctl stop dirsrv@instance_name
- If you replaced the certificate database between the last export and this import, edit the
/etc/dirsrv/slapd-instance_name/dse.ldif
file and remove the following entries including their attributes:cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
Important
Remove the entries for all databases. If any entry that contains thensSymmetricKey
attribute is left in the/etc/dirsrv/slapd-instance_name/dse.ldif
file, Directory Server will fail to start. - Import the LDIF file. For example:
# ldif2db -Z instance_name -n database_name -E -i /tmp/data.ldif
The-E
parameter enables the script to encrypt attributes configure for encryption during the import. - Start the instance:
# systemctl start dirsrv@instance_name