If the suffix on which you want to configure attribute encryption contains any entries whatsoever, you must first export the contents of that suffix to an LDIF file.
If the suffix contains encrypted attributes and you plan to re-initialize the suffix using the exported LDIF file, you can leave the attributes encrypted in the exported LDIF.
To enable encryption for an attribute, use this command:
$ dsconf create-encrypted-attr -h host -p port suffix-DN attr-name cipher-name
where cipher-name is one of the following:
des - DES block cipher
des3 - Triple-DES block cipher
rc2 - RC2 block cipher
rc4 - RC4 stream cipher
For example:
$ dsconf create-encrypted-attr -h host1 -p 1389 dc=example,dc=com uid rc4
Initialize the suffix with an LDIF file as described in Initializing a Suffix.
If you are importing the LDIF file using the dsadm import command, you must use the -y option. The dsconf import command does not require the -y option.
As the file is loaded and the corresponding indexes are created, all values of the specified attributes will be encrypted.
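The three steps above (export, enable encryption, re-initialize) chained in one script, as an added example that is not part of the product documentation. The `dsconf export` and `dsconf import` argument order, the LDIF path, the `DRY_RUN` switch and the function names are assumptions; check them against your installation before setting `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# Assumed: dsconf export/import argument order, the LDIF path, DRY_RUN.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only, 0 = execute them

# Accept only the cipher names listed on this page.
valid_cipher() {
    case "$1" in
        des|des3|rc2|rc4) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a command line, then execute it unless DRY_RUN=1.
run() {
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# encrypt_attr HOST PORT SUFFIX_DN ATTR CIPHER LDIF_FILE
encrypt_attr() {
    if [ $# -ne 6 ]; then
        echo "usage: encrypt_attr host port suffix-DN attr cipher ldif" >&2
        return 2
    fi
    host=$1 port=$2 suffix=$3 attr=$4 cipher=$5 ldif=$6
    if ! valid_cipher "$cipher"; then
        echo "unsupported cipher: $cipher" >&2
        return 2
    fi
    # 1. Export the existing entries before touching the configuration.
    run dsconf export -h "$host" -p "$port" "$suffix" "$ldif" || return 1
    # 2. Enable encryption for the attribute on that suffix.
    run dsconf create-encrypted-attr -h "$host" -p "$port" \
        "$suffix" "$attr" "$cipher" || return 1
    # 3. Re-initialize the suffix; values are encrypted as the file loads.
    run dsconf import -h "$host" -p "$port" "$ldif" "$suffix" || return 1
}

# Dry run with the page's host, port, suffix and attribute.
# The LDIF path is a placeholder; des3 is the strongest of the four ciphers listed.
encrypt_attr host1 1389 dc=example,dc=com uid des3 /path/to/export.ldif
```

Each step stops the sequence if the previous command fails, so the suffix is never re-initialized from an export that did not complete.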