Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
10.3. Configuring Attribute Encryption
Use the command line or the web console to enable and disable attribute encryption for certain attributes.
10.3.1. Enabling Encryption of an Attribute Using the Command Line
링크 복사링크가 클립보드에 복사되었습니다!
To configure that Directory Server stores, for example,
telephoneNumber attributes in the userRoot database AES-encrypted:
- Optionally, to encrypt existing
telephoneNumberattributes, export the database. See Section 10.4.1, “Exporting an Encrypted Database”. - Enable AES encryption for the
telephoneNumberattribute in theuserRootdatabase:dsconf -D "cn=Directory Manager" ldap://server.example.com backend attr-encrypt --add-attr telephoneNumber userRoot
# dsconf -D "cn=Directory Manager" ldap://server.example.com backend attr-encrypt --add-attr telephoneNumber userRootCopy to Clipboard Copied! Toggle word wrap Toggle overflow - If you exported the database to encrypt also existing attributes, reimport the database. See Section 10.4.2, “Importing an LDIF File into an Encrypted Database”.
10.3.2. Enabling Encryption of an Attribute Using the Web Console
링크 복사링크가 클립보드에 복사되었습니다!
To configure that Directory Server stores, for example,
telephoneNumber attributes in the database AES-encrypted:
- Optionally, to encrypt existing
telephoneNumberattributes, export the database. See Section 10.4.1, “Exporting an Encrypted Database”. - Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the menu.
- Select the suffix entry.
- Open the Encrypted Attributes tab.
- Enter the name of the attribute to be encrypted.
- Click .
- If you exported the database to encrypt also existing attributes, reimport the database. See Section 10.4.2, “Importing an LDIF File into an Encrypted Database”.
10.3.3. Disabling Encryption for an Attribute Using the Command Line
링크 복사링크가 클립보드에 복사되었습니다!
To configure that Directory Server no longer stores, for example,
telephoneNumber attributes encrypted in the userRoot database:
- Optionally, to decrypt existing
telephoneNumberattributes, export the database. See Section 10.4.1, “Exporting an Encrypted Database”. - Disable encryption for the
telephoneNumberattribute in theuserRootdatabase:dsconf -D "cn=Directory Manager" ldap://server.example.com backend attr-encrypt --del-attr telephoneNumber userRoot
# dsconf -D "cn=Directory Manager" ldap://server.example.com backend attr-encrypt --del-attr telephoneNumber userRootCopy to Clipboard Copied! Toggle word wrap Toggle overflow - If you exported the database to decrypt existing attributes, reimport the database. See Section 10.4.2, “Importing an LDIF File into an Encrypted Database”.
10.3.4. Disabling Encryption of an Attribute Using the Web Console
링크 복사링크가 클립보드에 복사되었습니다!
To configure that Directory Server stores, for example,
telephoneNumber attributes in the database AES-encrypted:
- Optionally, to encrypt existing
telephoneNumberattributes, export the database. See Section 10.4.1, “Exporting an Encrypted Database”. - Open the Directory Server user interface in the web console. See Section 1.4, “Logging Into Directory Server Using the Web Console”.
- Select the instance.
- Open the menu.
- Select the suffix entry.
- Open the Encrypted Attributes tab.
- Click the button to the right of the
telephoneNumberattribute. - Click to confirm.
- If you exported the database to decrypt existing attributes, reimport the database. See Section 10.4.2, “Importing an LDIF File into an Encrypted Database”.
10.3.5. General Considerations after Enabling Attribute Encryption
링크 복사링크가 클립보드에 복사되었습니다!
When you enabled encryption for data that is already in the database:
- Unencrypted data can persist in the server's database page pool backing file. To remove this data:
- Stop the instance:
dsctl instance_name stop
# dsctl instance_name stopCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Delete the
/var/lib/dirsrv/slapd-instance_name/db/guardianfile:rm /var/lib/dirsrv/slapd-instance_name/db/guardian
# rm /var/lib/dirsrv/slapd-instance_name/db/guardianCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Start the instance:
dsctl instance_name start
# dsctl instance_name startCopy to Clipboard Copied! Toggle word wrap Toggle overflow
- After you enabled encryption and successfully imported the data, delete the LDIF file with the unencrypted data.
- After enabling encryption, Directory Server deletes and creates a new database when reimporting the data.
- The replication log file is not encrypted. To protect this data, store it on an encrypted disk.
- Data in the server's memory (RAM) is unencrypted and can be temporarily stored in swap partitions. To protect this data, set up encrypted swap space.
Important
Even if you delete files that contain unencrypted data, this data can be restored under certain circumstances.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}