Since the server pre-encrypts all index keys before looking up an index for an
encrypted attribute, there is some hit to server performance for searches that make
use of an encrypted index, but the effect is not serious enough to offset the benefits
of indexing entries.
Encryption Keys
In order to use database encryption, the server must be configured for SSL because
database encryption uses the server's SSL encryption key and the same PIN as SSL.
The PIN must either be entered manually upon server startup or a PIN file must be
used.
Randomly generated symmetric cipher keys are used to encrypt and decrypt
attribute data. A separate key is used for each configured cipher. These keys are
"wrapped" using the public key from the server's SSL certificate, and the resulting
wrapped key is stored within the server's configuration files. The effective strength
of the database encryption is never higher than the strength of the server's SSL key.
Without access to the server's private key, it is not possible to recover the
symmetric keys from the wrapped copies.
CAUTION There is no mechanism for recovering a lost key. Therefore, it is especially important to back up the server's certificate database safely. If the server's certificate were lost, it would not be possible to decrypt any encrypted data stored in its database.
CAUTION If the SSL certificate is going to expire and needs to be renewed, export the encrypted backend instance before renewing the certificate. After the certificate is renewed, re-import the exported LDIF file.
Encryption Ciphers
The following ciphers are supported for database encryption:
• Advanced Encryption Standard (AES)
• Triple Data Encryption Standard (3DES)
All ciphers are used in Cipher Block Chaining mode.
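The key-wrapping arrangement described above (a random symmetric key per configured cipher, wrapped under the SSL certificate's public key and stored in the configuration, with AES or 3DES in CBC mode protecting the attribute values) is modelled below as an added Go example. This is not the Directory Server's own code: the choice of RSA-OAEP as the wrapping primitive, the AES-256 and three-key 3DES key sizes, PKCS#7 padding, and the assumption that a renewed certificate carries a fresh key pair are all assumptions of the example. The Demo function also exercises both cautions: the wrapped keys can only be unwrapped by the private key that matches the certificate they were wrapped under, so a lost or replaced key leaves the encrypted attributes unreadable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Cipher constructors and key sizes; AES-256 and three-key 3DES are assumptions of this example.
var ciphers = map[string]func([]byte) (cipher.Block, error){"AES": aes.NewCipher, "3DES": des.NewTripleDESCipher}
var keySizes = map[string]int{"AES": 32, "3DES": 24}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// randBytes draws n bytes from the OS CSPRNG; used for the per-cipher keys and for IVs.
func randBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	check(err)
	return b
}

// wrapKey encrypts a symmetric key under the certificate's RSA public key (OAEP, cipher name as label).
func wrapKey(pub *rsa.PublicKey, name string, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(name))
}

// unwrapKey recovers the symmetric key; only the matching private key can do this.
func unwrapKey(priv *rsa.PrivateKey, name string, blob []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, []byte(name))
}

func blockCipher(name string, key []byte) (cipher.Block, error) {
	if mk, ok := ciphers[name]; ok {
		return mk(key)
	}
	return nil, errors.New("unsupported cipher: " + name)
}

// encryptAttribute encrypts one value in CBC mode (as the manual states) with PKCS#7 padding; the random IV is prepended.
func encryptAttribute(name string, key, value []byte) ([]byte, error) {
	blk, err := blockCipher(name, key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	n := bs - len(value)%bs
	pt := append(append([]byte{}, value...), bytes.Repeat([]byte{byte(n)}, n)...)
	iv, ct := randBytes(bs), make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

func decryptAttribute(name string, key, data []byte) ([]byte, error) {
	blk, err := blockCipher(name, key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(blk, data[:bs]).CryptBlocks(pt, data[bs:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > bs {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// Demo runs the lifecycle the manual describes for one cipher and also reports whether a
// certificate renewed with a fresh key pair (assumed here) can unwrap the stored blob.
func Demo(name string, value []byte) (recovered []byte, renewedKeyUnwraps bool) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the server's SSL key
	check(err)
	sym := randBytes(keySizes[name]) // one random key per configured cipher
	stored, err := wrapKey(&serverKey.PublicKey, name, sym) // this wrapped blob is what goes in the config
	check(err)
	ct, err := encryptAttribute(name, sym, value)
	check(err)
	k, err := unwrapKey(serverKey, name, stored) // after the PIN unlocks the private key
	check(err)
	recovered, err = decryptAttribute(name, k, ct)
	check(err)
	renewed, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	_, unwrapErr := unwrapKey(renewed, name, stored)
	return recovered, unwrapErr == nil
}
```

Calling Demo("AES", value) or Demo("3DES", value) returns the original value and false: the stored blob is useless without the original private key, which is exactly why the manual insists on backing up the certificate database and on exporting the backend to LDIF before a certificate renewal.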
Creating and Maintaining Databases
Chapter 3
Configuring Directory Databases
99