10.7. Exporting and Importing an Encrypted Database
Exporting and importing encrypted databases is similar to exporting and importing regular databases. However, the encrypted information must be decrypted when you export the data and re-encrypted when you re-import it to the database.
10.7.1. Exporting an Encrypted Database
To export data from an encrypted database, pass the -E parameter to the db2ldif script. The script uses the password stored in the Directory Server configuration to decrypt the database.
To export a complete database:
# db2ldif -Z instance_name -n database_name -E -a /tmp/data.ldif
Alternatively, you can export only a specific subtree. For example, to export all data under the ou=People,dc=example,dc=com entry into the /tmp/data.ldif file:
# db2ldif -Z instance_name -n database_name -E -s "ou=people,dc=example,dc=com" \
-a /tmp/data.ldif
Important
The db2ldif script exports the content using the operating system account of the Directory Server instance. Therefore, this account must be able to write to the file set in the -a option.
10.7.2. Importing an LDIF File into an Encrypted Database
To import data to a database when encryption is enabled:
- Stop the Directory Server instance:
# systemctl stop dirsrv@instance_name
- If you replaced the certificate database between the last export and this import, edit the /etc/dirsrv/slapd-instance_name/dse.ldif file and remove the following entries, including their attributes:
cn=AES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
cn=3DES,cn=encrypted attribute keys,cn=database_name,cn=ldbm database,cn=plugins,cn=config
Important
Remove the entries for all databases. If any entry that contains the nsSymmetricKey attribute is left in the /etc/dirsrv/slapd-instance_name/dse.ldif file, Directory Server will fail to start.
- Import the LDIF file. For example:
# ldif2db -Z instance_name -n database_name -E -i /tmp/data.ldif
The -E parameter enables the script to encrypt the attributes configured for encryption during the import.
- Start the instance:
# systemctl start dirsrv@instance_name
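The step of removing the encrypted attribute key entries is the one that is easy to get wrong by hand, because the instance will not start if any nsSymmetricKey attribute survives in dse.ldif. The following script is an added example and not part of the Red Hat documentation or of Directory Server itself: it strips every entry carrying an nsSymmetricKey attribute from a dse.ldif (whatever the database name, so all backends are covered) and then verifies that none remain before you would proceed with ldif2db. The sample dse.ldif it writes, the base64 key values in it, and the function names are constructed for illustration; on a real instance you would stop the instance first, back up /etc/dirsrv/slapd-instance_name/dse.ldif, and replace it with the cleaned copy.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: clean the
# nsSymmetricKey entries out of a dse.ldif before importing into an
# instance whose certificate database was replaced, then verify that
# none remain. The sample dse.ldif written by write_sample_dse is
# constructed for illustration; the DNs follow the pattern in the text.
set -eu

# Write a constructed dse.ldif fragment: the config root, one backend
# (userRoot) and its AES and 3DES encrypted-attribute-key entries.
# The base64 key values are made up.
write_sample_dse() {
    cat > "$1" <<'EOF'
dn: cn=config
cn: config
nsslapd-port: 389

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsBackendInstance
cn: userRoot

dn: cn=AES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: AES
nsSymmetricKey:: MIIBAgMBAAECAQEAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMk
 JSYnKCkqKywtLi8wMTIzNDU2Nzg5Ojs8PT4/QA==

dn: cn=3DES,cn=encrypted attribute keys,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: 3DES
nsSymmetricKey:: AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
EOF
}

# Drop every LDIF entry that carries an nsSymmetricKey attribute and write
# the rest to "$2". Entries in dse.ldif are separated by blank lines, so
# awk's paragraph mode (RS="") reads one entry per record; folded value
# lines (leading space) stay inside their record. Only the key entries
# carry this attribute, so no per-database DN list has to be maintained.
strip_symmetric_keys() {
    awk 'BEGIN { RS = ""; ORS = "\n\n" }
         $0 !~ /(^|\n)nsSymmetricKey:/ { print }' "$1" > "$2"
}

# Succeed only if no nsSymmetricKey attribute is left in "$1". Directory
# Server refuses to start while any such entry remains.
check_no_symmetric_keys() {
    ! grep -q '^nsSymmetricKey:' "$1"
}

# Count the entries (dn: lines) in an LDIF file.
count_entries() {
    grep -c '^dn: ' "$1"
}

# Demonstration on the constructed sample. On a real instance, stop it
# first, back up dse.ldif, and only then replace it with the cleaned copy.
workdir=$(mktemp -d)
write_sample_dse "$workdir/dse.ldif"
strip_symmetric_keys "$workdir/dse.ldif" "$workdir/dse.ldif.clean"
if check_no_symmetric_keys "$workdir/dse.ldif.clean"; then
    echo "ok: $(count_entries "$workdir/dse.ldif") entries in, $(count_entries "$workdir/dse.ldif.clean") out, no nsSymmetricKey left"
else
    echo "refusing to proceed: nsSymmetricKey still present in $workdir/dse.ldif.clean" >&2
    exit 1
fi
```

Matching on the nsSymmetricKey attribute rather than on the AES and 3DES DNs is deliberate: it removes the key entries of every backend in one pass, which is exactly the condition the Important note above requires, and the final check is the same test Directory Server effectively performs at startup.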