10.4. Configuring Attribute Encryption Using the Command Line

  1. Run the ldapmodify command:
    # ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
  2. Add an encryption entry for the attribute being encrypted. For example, this entry encrypts the telephoneNumber attribute with the AES cipher:
    dn: cn=telephoneNumber,cn=encrypted attributes,cn=Database1,cn=ldbm database,cn=plugins,cn=config
    changetype: add
    objectclass: top
    objectclass: nsAttributeEncryption
    cn: telephoneNumber
    nsEncryptionAlgorithm: AES
  3. Adding this entry only encrypts values written from now on. Values that already exist in the database stay in clear text until the database is exported and re-imported. See Section 10.7, “Exporting and Importing an Encrypted Database”.
For more information on attribute encryption configuration schema, see "Database Attributes under cn=attributeName,cn=encrypted attributes,cn=database_name,cn=ldbm database,cn=plugins,cn=config" in the Red Hat Directory Server Configuration, Command, and File Reference.
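The same procedure as a shell script, added here as an example that is not code from the Red Hat Directory Server documentation. It builds the nsAttributeEncryption LDIF for any attribute (AES by default, or 3DES, the other value the configuration reference accepts), pipes it to ldapmodify, and then parses the ldapsearch output of the "cn=encrypted attributes" subtree to confirm what is actually configured. The backend name Database1 and host server.example.com:389 are taken from the page; the ldapsearch output used for the offline check is constructed inline.

```shell
#!/bin/sh
# Added example: wraps the three-step attribute-encryption procedure.
# Assumptions: backend "Database1" and server.example.com:389 as on the page;
# SAMPLE_SEARCH_OUTPUT below is constructed, not captured from a real server.

# Print the LDIF that creates an encrypted-attribute entry (step 2).
#   $1 attribute name, $2 backend name, $3 algorithm (AES default, or 3DES).
# Returns 2 without printing anything if the algorithm is not one the
# configuration reference lists, so a typo cannot reach ldapmodify.
encrypt_attr_ldif() {
    attr=$1
    backend=$2
    algo=${3:-AES}
    case "$algo" in
        AES|3DES) ;;
        *) echo "unsupported nsEncryptionAlgorithm: $algo" >&2; return 2 ;;
    esac
    cat <<EOF
dn: cn=$attr,cn=encrypted attributes,cn=$backend,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectclass: top
objectclass: nsAttributeEncryption
cn: $attr
nsEncryptionAlgorithm: $algo
EOF
}

# Step 1 + 2: feed the LDIF to ldapmodify exactly as the page invokes it.
# Needs a running server and the Directory Manager password; not run offline.
apply_attr_encryption() {
    encrypt_attr_ldif "$1" "$2" "${3:-AES}" |
        ldapmodify -a -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
}

# Check: dump the encrypted-attribute entries of backend $1 as LDIF.
search_encrypted_attrs() {
    ldapsearch -x -D "cn=Directory Manager" -W -p 389 -h server.example.com \
        -b "cn=encrypted attributes,cn=$1,cn=ldbm database,cn=plugins,cn=config" \
        "(objectclass=nsAttributeEncryption)" cn nsEncryptionAlgorithm
}

# Parse LDIF from stdin into "attribute algorithm" lines, one per entry.
# Attribute order inside an entry is not guaranteed, so collect per dn and
# emit when the next dn (or end of input) is reached.
encrypted_attrs_from_ldif() {
    awk '
        function flush() { if (cn != "" && algo != "") print cn, algo; cn = ""; algo = "" }
        /^dn: /                    { flush() }
        /^cn: /                    { cn = $2 }
        /^nsEncryptionAlgorithm: / { algo = $2 }
        END                        { flush() }
    '
}

# Return 0 if attribute $1 appears in the LDIF on stdin, 1 otherwise.
verify_attr_encrypted() {
    encrypted_attrs_from_ldif | awk -v a="$1" '$1 == a { found = 1 } END { exit !found }'
}

# Constructed stand-in for `search_encrypted_attrs Database1` output:
# the container entry plus two configured attributes.
SAMPLE_SEARCH_OUTPUT='dn: cn=encrypted attributes,cn=Database1,cn=ldbm database,cn=plugins,cn=config
objectClass: top
cn: encrypted attributes

dn: cn=telephoneNumber,cn=encrypted attributes,cn=Database1,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
nsEncryptionAlgorithm: AES
cn: telephoneNumber

dn: cn=mobile,cn=encrypted attributes,cn=Database1,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: mobile
nsEncryptionAlgorithm: 3DES'

# Usage against a live server (commented out so the script runs offline):
#   apply_attr_encryption telephoneNumber Database1
#   search_encrypted_attrs Database1 | verify_attr_encrypted telephoneNumber
# Step 3 still applies afterwards: existing values are only encrypted once
# the database has been exported and re-imported (Section 10.7).
```

Running `verify_attr_encrypted` against the real `ldapsearch` output is the check worth scripting: the ldapmodify return code only tells you the configuration entry was accepted, and it says nothing about values that were already stored in clear text before the change.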