Data Encryption allows you to configure attribute encryption.
A description of each property follows.
Basic Properties: | Advanced Properties: |
---|---|
attribute-encryption-include | encryption-properties |
custom-provider-class | offline-reencryption |
custom-provider-properties | previous-encryption-algorithm |
enabled | use-defined-enc-algo-in-replication |
encrypted-suffix | |
encryption-algorithm | |
attribute-encryption-include
Description | Defines the attributes to encrypt in all entries under the defined suffixes. Each attribute-encryption-include value names one attribute to encrypt; that attribute is encrypted in all entries under the suffixes defined by encrypted-suffix. No attributes other than those defined here are encrypted. If attribute-encryption-include is defined, encryption-algorithm may be set to select the encryption algorithm to use. |
---|---|
Default Value | None |
Allowed Values | The name of an attribute type defined in the server schema. |
Multi-valued | Yes |
Required | No |
Admin Action Required | None. Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data. If changes are made, export and re-import the data so that encrypted attributes are consistent with the configuration, or configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the configuration in online mode. |
Advanced Property | No |
Read-only | No |
custom-provider-class
Description | Specifies the fully qualified name of the class for the data encryption custom provider. |
---|---|
Default Value | None |
Allowed Values | A String |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
custom-provider-properties
Description | Properties for the data encryption custom provider. |
---|---|
Default Value | None |
Allowed Values | A String |
Multi-valued | Yes |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
enabled
Description | Indicates whether Data Encryption is enabled. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None. Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data. If changed, export and re-import the data so that encrypted attributes are consistent with the configuration, or configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the configuration in online mode. |
Advanced Property | No |
Read-only | No |
encrypted-suffix
Description | Defines the suffixes in which encryption occurs. Attribute encryption applies only to entries under the suffixes defined here. If no suffix is specified, every suffix available in the server is subject to encryption. Warning: each value must be a suffix served by a backend, not an arbitrary DN. For instance, if a backend has dc=example,dc=com as its suffix, you can encrypt all entries under dc=example,dc=com, but you cannot restrict encryption to entries under ou=people,dc=example,dc=com only. |
---|---|
Default Value | None |
Allowed Values | A valid DN. |
Multi-valued | Yes |
Required | No |
Admin Action Required | None. Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data. If changes are made, export and re-import the data so that encrypted attributes are consistent with the configuration, or configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the configuration in online mode. |
Advanced Property | No |
Read-only | No |
encryption-algorithm
Description | Specifies the algorithm used for attribute encryption. The default algorithm is aes-256-gcm. |
---|---|
Default Value | None |
Allowed Values | aes-128 - AES with a 128-bit key; aes-128-gcm - AES with a 128-bit key using GCM; aes-192-gcm - AES with a 192-bit key using GCM; aes-256 - AES with a 256-bit key; aes-256-gcm - AES with a 256-bit key using GCM; blowfish-128 - Blowfish with a 128-bit key; rc4-128 - RC4 with a 128-bit key; triple-des-168 - 3DES with a 168-bit key. |
Multi-valued | No |
Required | No |
Admin Action Required | None. Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data. If changes are made, export and re-import the data so that encrypted attributes are consistent with the configuration, or configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the configuration in online mode. |
Advanced Property | No |
Read-only | No |
encryption-properties
Description | Optional Data Encryption properties that may contain the initialization vector length in bits (iv-length-bits=96) and/or the GCM tag length (gcm-tag-length=16). |
---|---|
Default Value | None |
Allowed Values | A String |
Multi-valued | Yes |
Required | No |
Admin Action Required | None. Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data. If changed, export and re-import the data so that encrypted attributes are consistent with the configuration, or configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the configuration in online mode. |
Advanced Property | Yes |
Read-only | No |
offline-reencryption
Description | Retains the old behavior, in which attributes are stored in encrypted form after an export and re-import of the data. If the value is true, export and re-import the data so that encrypted attributes are consistent with the configuration. Otherwise, configure a scheduled task to re-encrypt the data instead of exporting and importing it. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None. Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data. If changes are made, export and re-import the data so that encrypted attributes are consistent with the configuration, or configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the configuration in online mode. |
Advanced Property | Yes |
Read-only | No |
previous-encryption-algorithm
Description | Specifies the algorithm used for attribute re-encryption. If no value is present, no attribute re-encryption is needed. If the value is 'NONE', clear-text attributes are re-encrypted using the configured encryption algorithm. If the value is the old encryption algorithm, attributes are re-encrypted to be consistent with the configuration. Any change to the encryption-algorithm or encryption-properties configuration results in a change to the previous-encryption-algorithm property. For example: (1) changing encryption-algorithm from AES-256-GCM to AES-128-GCM sets previous-encryption-algorithm to "aes-256-gcm"; (2) changing the multivalued encryption-properties to iv-length-bits=96, gcm-tag-length=12 populates previous-encryption-algorithm with aes-256-gcm; (3) changing the multivalued encryption-properties from iv-length-bits=96, gcm-tag-length=12 to iv-length-bits=128, gcm-tag-length=16 populates previous-encryption-algorithm with aes-256-gcm;iv-length-bits=96,gcm-tag-length=12. As these examples show, a change to encryption-algorithm or encryption-properties automatically updates previous-encryption-algorithm, so it is not recommended to change those properties frequently. If previous-encryption-algorithm is accidentally populated with an incorrect value, the indexed data for encrypted attributes is not cleaned up during re-encryption. This property is meaningful only if offline-reencryption is set to false. |
---|---|
Default Value | None |
Allowed Values | A String |
Multi-valued | No |
Required | No |
Admin Action Required | None. Changes to this setting take effect after the encryption algorithm and/or encryption properties are changed. It is not retroactively applied to existing data. This setting indicates that re-encryption of encrypted attributes is in progress. Configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the configuration in online mode. |
Advanced Property | Yes |
Read-only | No |
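The value shapes described under encryption-properties and previous-encryption-algorithm (a bare algorithm name, or algorithm;properties such as aes-256-gcm;iv-length-bits=96,gcm-tag-length=12) as an added Go example, not OUD's own code: it parses such a value and builds an AES-GCM instance with exactly those IV and tag lengths, which is what an online re-encryption needs to open a stored value under the previous parameters before sealing it under the current ones. The property names, their defaults (96-bit IV, 16-byte tag) and the two example values come from this page; the key handling and the EncParams type are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"strconv"
	"strings"
)

// EncParams is an algorithm name plus its encryption-properties, in the shape OUD records
// in previous-encryption-algorithm: "aes-256-gcm;iv-length-bits=96,gcm-tag-length=12".
type EncParams struct {
	Algorithm        string
	IVBits, TagBytes int // iv-length-bits (default 96) and gcm-tag-length in bytes (default 16)
}

// ParseEncParams parses that shape; a bare "aes-256-gcm" keeps the default IV and tag lengths.
func ParseEncParams(s string) (EncParams, error) {
	algo, props, _ := strings.Cut(s, ";")
	p := EncParams{Algorithm: strings.ToLower(strings.TrimSpace(algo)), IVBits: 96, TagBytes: 16}
	for _, kv := range strings.FieldsFunc(props, func(r rune) bool { return r == ',' }) {
		k, v, _ := strings.Cut(strings.TrimSpace(kv), "=")
		field := map[string]*int{"iv-length-bits": &p.IVBits, "gcm-tag-length": &p.TagBytes}[k]
		n, err := strconv.Atoi(v)
		if err != nil || n <= 0 || field == nil { // unknown key or non-positive length
			return p, fmt.Errorf("bad encryption property %q", kv)
		}
		*field = n
	}
	return p, nil
}

// NewAEAD maps the parameters onto AES-GCM; the key (16/24/32 bytes) must match the
// aes-128/192/256-gcm name. Go's crypto/cipher can vary the nonce size or the tag size,
// but not both at once, so that combination is rejected rather than silently approximated.
func NewAEAD(p EncParams, key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	switch {
	case err != nil:
		return nil, err
	case !strings.HasSuffix(p.Algorithm, "-gcm"):
		return nil, fmt.Errorf("%q is not an AES-GCM algorithm", p.Algorithm)
	case p.IVBits == 96:
		return cipher.NewGCMWithTagSize(block, p.TagBytes)
	case p.TagBytes == 16 && p.IVBits%8 == 0:
		return cipher.NewGCMWithNonceSize(block, p.IVBits/8)
	}
	return nil, fmt.Errorf("iv-length-bits=%d with gcm-tag-length=%d cannot be built from crypto/cipher", p.IVBits, p.TagBytes)
}
```

Re-encrypting one stored value is then Open under NewAEAD(previous) followed by Seal with a fresh IV under NewAEAD(current); the stored layout (IV || ciphertext || tag) is an assumption, not something this page specifies.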
use-defined-enc-algo-in-replication
Description | Controls the encryption algorithm used during replication change-log generation. If the value is true, and all OUD instances are running the same version, the change-log is generated using the configured encryption algorithm and replicated as such to the other instances. By default (value false), the change-log is encrypted using the previous encryption algorithm. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None. Changes to this setting affect only the change-log generated for changes to encrypted attributes made after the setting is changed, regardless of whether the OUD version is the same or different. It is not retroactively applied to existing data. Configure a re-entrant scheduled task to re-encrypt the encrypted attributes consistently with the data encryption configuration without OUD instance downtime. |
Advanced Property | Yes |
Read-only | No |