10.6. General Considerations after Enabling Attribute Encryption

When you enable encryption for data that is already in the database:
  • Unencrypted data can persist in the server's database page pool backing file. To remove this data:
    1. Stop the instance:
      # systemctl stop dirsrv@instance_name
    2. Delete the /var/lib/dirsrv/slapd-instance_name/db/guardian file:
      # rm /var/lib/dirsrv/slapd-instance_name/db/guardian
    3. Start the instance:
      # systemctl start dirsrv@instance_name
  • After you have enabled encryption and successfully imported the data, delete the LDIF file that contains the unencrypted data.
  • When you re-import the data after enabling encryption, Directory Server deletes the existing database and creates a new one.
  • The replication log file is not encrypted. To protect this data, store it on an encrypted disk.
  • Data in the server's memory (RAM) is unencrypted and can be temporarily stored in swap partitions. To protect this data, set up encrypted swap space.


Even if you delete files that contain unencrypted data, this data can be restored under certain circumstances.
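
For the swap consideration above, the following check lists active swap areas that have no encryption layer. It is an added example, not part of the Directory Server documentation, and it assumes that encrypted swap is implemented with dm-crypt/LUKS, which lsblk reports as device type "crypt"; the function names are hypothetical.

```bash
# Added example: report active swap areas that are not backed by dm-crypt.
# Assumption: encrypted swap uses dm-crypt/LUKS, so lsblk shows a device of
# type "crypt" for the swap device itself or for a device beneath it.
# Input format is that of /proc/swaps, for example (constructed sample):
#   Filename      Type       Size     Used  Priority
#   /dev/dm-1     partition  8388604  0     -2

# Print the block device behind a swap entry. A swap file is resolved to the
# device of the file system that holds it.
swap_backing_device() {
    local entry="$1" kind="$2"
    if [ "$kind" = "file" ]; then
        findmnt -n -o SOURCE -T "$entry"
    else
        printf '%s\n' "$entry"
    fi
}

# Return 0 if the device, or any device it is stacked on, is a dm-crypt mapping.
is_on_dmcrypt() {
    lsblk -s -l -n -o TYPE "$1" 2>/dev/null | grep -qx 'crypt'
}

# Read a /proc/swaps-format file (default: /proc/swaps) and print every swap
# area that has no dm-crypt layer. Returns 1 if at least one was found.
unencrypted_swaps() {
    local swaps_file="${1:-/proc/swaps}" found=0 name kind rest dev
    while read -r name kind rest; do
        [ "$name" = "Filename" ] && continue    # skip the header line
        [ -z "$name" ] && continue              # skip blank lines
        dev=$(swap_backing_device "$name" "$kind")
        if ! is_on_dmcrypt "$dev"; then
            printf '%s\n' "$name"
            found=1
        fi
    done < "$swaps_file"
    return "$found"
}
```

Run `unencrypted_swaps` as root on the Directory Server host; empty output with exit status 0 means every active swap area sits on a dm-crypt device.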