Database Encryption - Red Hat DIRECTORY SERVER 8.0 - ADMINISTRATION Administration Manual

Chapter 3. Configuring Directory Databases

3.2.3. Database Encryption

The Directory Server offers a number of mechanisms to secure access to sensitive data, such as
access control rules to prevent unauthorized users from reading certain entries or attributes within
entries and SSL to protect data from eavesdropping and tampering on untrusted networks. However,
if a copy of the server's database files should fall into the hands of an unauthorized person, they could
potentially extract sensitive information from those files. Because information in a database is stored in
plain text, some sensitive information, such as government identification numbers or passwords, may
not be protected enough by standard access control measures.

For highly sensitive information, this potential for information loss could present a significant security
risk. In order to remove that security risk, Directory Server allows portions of its database to be
encrypted. Once encrypted, the data are safe even in the event that an attacker has a copy of the
server's database files.

Database encryption allows attributes to be encrypted in the database. Both encryption and the
encryption cipher are configurable per attribute per backend. When configured, every instance of a
particular attribute, even index data, is encrypted for every entry stored in that database.

NOTE
To enable database encryption on an attribute with existing stored data, export the
database to LDIF first, then make the configuration change, then re-import the data to
the database. The server does not enforce consistency between encryption configuration
and stored data; therefore, pay careful attention that all existing data are exported before
enabling or disabling encryption.

Indexed attributes may be encrypted, and database encryption is fully compatible with indexing. The
contents of the index files that are normally derived from attribute values are also encrypted to prevent
an attacker from recovering part or all of the encrypted data from an analysis of the indexes.

Since the server pre-encrypts all index keys before looking up an index for an encrypted attribute,
there is some effect on server performance for searches that make use of an encrypted index, but the
effect is not serious enough to make using an index no longer worthwhile.
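Because encryption is configured per attribute per backend, it is worth checking which sensitive attributes are actually covered in each backend. The following is an added example, not part of the Red Hat manual: it reads configuration LDIF and reports, per backend, the encrypted attributes and their cipher. It assumes the configuration is stored as `nsAttributeEncryption` entries under `cn=encrypted attributes` of each backend, which this page does not show; the sample LDIF, the backend names and the sensitive-attribute lists are constructed.

```python
import re

# Constructed sample configuration (not from a real server). Assumed layout:
# cn=<attr>,cn=encrypted attributes,cn=<backend>,cn=ldbm database,cn=plugins,cn=config
SAMPLE_DSE = """\
dn: cn=telephoneNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,
 cn=plugins,cn=config
objectClass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES

dn: cn=employeeNumber,cn=encrypted attributes,cn=hrRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsAttributeEncryption
cn: employeeNumber
nsEncryptionAlgorithm: 3DES
"""

ENC_DN = re.compile(
    r"^cn=([^,]+),cn=encrypted attributes,cn=([^,]+),cn=ldbm database,cn=plugins,cn=config$", re.I)

def parse_entries(ldif_text):
    """Yield each LDIF entry as {lower-cased attribute: [values]} (base64 values not decoded)."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # LDIF folds long lines as newline + one space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def encrypted_attributes(ldif_text):
    """Map backend name -> {attribute (lower-case): configured cipher}."""
    result = {}
    for entry in parse_entries(ldif_text):
        dn = re.sub(r"\s*,\s*", ",", entry["dn"][0])  # tolerate spaces around commas
        m = ENC_DN.match(dn)
        if m:
            cipher = entry.get("nsencryptionalgorithm", ["(unset)"])[0]
            result.setdefault(m.group(2), {})[m.group(1).lower()] = cipher
    return result

def unencrypted(ldif_text, backend, sensitive):
    """Return the sensitive attributes that have no encryption entry in this backend."""
    configured = encrypted_attributes(ldif_text).get(backend, {})
    return sorted(a for a in sensitive if a.lower() not in configured)
```

In the constructed sample, `employeeNumber` is encrypted in `hrRoot` but not in `userRoot`, so `unencrypted(SAMPLE_DSE, "userRoot", ["telephoneNumber", "employeeNumber"])` reports it as a gap.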

3.2.3.1. Encryption Keys

In order to use database encryption, the server must be configured for SSL and have SSL enabled
because database encryption uses the server's SSL encryption key and the same PIN input methods
as SSL. The PIN must either be entered manually upon server startup or a PIN file must be used.

Randomly generated symmetric cipher keys are used to encrypt and decrypt attribute data. A separate
key is used for each configured cipher. These keys are wrapped using the public key from the server's
SSL certificate, and the resulting wrapped key is stored within the server's configuration files. The
effective strength of the database encryption is never higher than the strength of the server's SSL
key used for wrapping. Without access to the server's private key, it is not possible to recover the
symmetric keys from the wrapped copies.