You can encrypt an attribute in the user store by specifying an AttributeLevelEncrypt data classification for that attribute in the directory configuration file (directory.xml). When attribute-level encryption is enabled, Identity Manager encrypts the attribute's value before storing it in the user store. The attribute is still displayed as clear text in the User Console.
Note: Managing Sensitive Attributes describes methods for displaying sensitive data in the User Console.
The attribute is encrypted using RC2 encryption or FIPS 140-2 encryption, if FIPS 140-2 support is enabled.
Before implementing attribute-level encryption, note the following:
If an encrypted attribute is added to a member, admin, or owner policy, or an identity policy, CA Identity Manager will not be able to correctly resolve the policy because it cannot search the attribute.
Consider setting the attribute to searchable="false" in the directory.xml file. For example:
<ImsManagedObjectAttr physicalname="title" description="Title" displayname="Title" valuetype="String" maxlength="0" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
</ImsManagedObjectAttr>
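As an added example (not part of the CA documentation or product), the following script audits a directory.xml for attributes that carry the AttributeLevelEncrypt data classification but are not marked searchable="false", which is the combination that breaks policy resolution described above. The enclosing ImsManagedObject wrapper, the attribute list in the sample, and the decision to report a missing searchable attribute rather than assume a default are assumptions made for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real directory.xml: the ImsManagedObjectAttr and
# DataClassification elements follow the documented form; the enclosing
# <ImsManagedObject> wrapper and the attribute list are assumptions.
SAMPLE_DIRECTORY_XML = """<ImsManagedObject name="User">
  <ImsManagedObjectAttr physicalname="title" description="Title" displayname="Title"
      valuetype="String" maxlength="0" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="ssn" description="SSN" displayname="SSN"
      valuetype="String" maxlength="0" searchable="true">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="nickname" description="Nickname"
      displayname="Nickname" valuetype="String" maxlength="0">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
  <ImsManagedObjectAttr physicalname="uid" description="User ID" displayname="User ID"
      valuetype="String" maxlength="0" searchable="true"/>
</ImsManagedObject>
"""


def is_encrypted(attr):
    """True when the attribute element carries the AttributeLevelEncrypt classification."""
    return any(dc.get("name") == "AttributeLevelEncrypt"
               for dc in attr.findall("DataClassification"))


def searchable_encrypted_attrs(xml_text):
    """Return the physicalname of every encrypted attribute that is not explicitly
    searchable="false". An attribute with no searchable setting is reported as well,
    so the administrator confirms the effective default instead of this script
    guessing it (assumption: report, do not guess)."""
    root = ET.fromstring(xml_text)
    flagged = []
    for attr in root.iter("ImsManagedObjectAttr"):
        if not is_encrypted(attr):
            continue
        if attr.get("searchable", "").lower() != "false":
            flagged.append(attr.get("physicalname"))
    return flagged


if __name__ == "__main__":
    # Pass the path of a directory.xml to audit it; otherwise the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DIRECTORY_XML
    for name in searchable_encrypted_attrs(text):
        print(f'encrypted attribute "{name}" is still searchable; policies that use it will not resolve')
```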
Copyright © 2011 CA. All rights reserved.