How To Add Attribute-Level Encryption

When you add attribute-level encryption to an Identity Manager directory, Identity Manager automatically encrypts existing clear text attribute values when you save the object associated with the attribute. For example, if you encrypt the password attribute, Identity Manager encrypts the password when it saves a user's profile.

Note: To encrypt the attribute value, the task that you use to save the object must include the attribute. To encrypt the password attribute in the previous example, the password field must be added to the task you use to save the object, such as the Modify User task.

All new objects are created with encrypted values in the user store.

To add attribute-level encryption to an existing user store, you complete the following steps:

  1. Complete one of the following:
  2. Add the data classification, AttributeLevelEncrypt, to the attribute that you want to encrypt in the directory.xml file.

    For example:

    <ImsManagedObjectAttr physicalname="salary" displayname="Salary" description="salary" valuetype="String" required="false" multivalued="false" maxlength="0" searchable="false">
        <DataClassification name="AttributeLevelEncrypt"/>
    </ImsManagedObjectAttr>

  3. If you created a new Identity Manager Directory, associate the directory with an environment.
  4. To force Identity Manager to encrypt all values immediately, modify all objects using the Bulk Loader.

    Note: For more information about the Bulk Loader, see the Administration Guide.
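As an added example (not part of this guide or the product), the following Python script applies step 2 to a directory.xml fragment: it adds the AttributeLevelEncrypt data classification to a named ImsManagedObjectAttr, skips attributes that already carry it, and reports which attributes are classified for encryption. The sample XML is constructed here for illustration; the element and attribute names follow the example above.

```python
import xml.etree.ElementTree as ET

# Constructed directory.xml fragment (not a real product file); element and
# attribute names mirror the ImsManagedObjectAttr example in this topic.
SAMPLE_DIRECTORY_XML = """<ImsManagedObject name="User">
  <ImsManagedObjectAttr physicalname="salary" displayname="Salary" description="salary"
      valuetype="String" required="false" multivalued="false" maxlength="0" searchable="false"/>
  <ImsManagedObjectAttr physicalname="userPassword" displayname="Password" description="password"
      valuetype="String" required="false" multivalued="false" maxlength="0" searchable="false">
    <DataClassification name="AttributeLevelEncrypt"/>
  </ImsManagedObjectAttr>
</ImsManagedObject>"""

ENCRYPT_CLASS = "AttributeLevelEncrypt"


def _is_encrypted(attr):
    """True if this ImsManagedObjectAttr already has the encryption classification."""
    return any(dc.get("name") == ENCRYPT_CLASS for dc in attr.findall("DataClassification"))


def list_encrypted(xml_text):
    """Physical names of all attributes classified for attribute-level encryption."""
    root = ET.fromstring(xml_text)
    return sorted(a.get("physicalname") for a in root.iter("ImsManagedObjectAttr") if _is_encrypted(a))


def encrypt_attribute(xml_text, physicalname):
    """Add the AttributeLevelEncrypt classification to the attribute with the given
    physicalname and return the updated XML text. Idempotent: an attribute that is
    already classified is left untouched. Raises KeyError if the attribute is absent."""
    root = ET.fromstring(xml_text)
    for attr in root.iter("ImsManagedObjectAttr"):
        if attr.get("physicalname") == physicalname:
            if not _is_encrypted(attr):
                ET.SubElement(attr, "DataClassification", name=ENCRYPT_CLASS)
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no ImsManagedObjectAttr with physicalname={physicalname!r}")


if __name__ == "__main__":
    updated = encrypt_attribute(SAMPLE_DIRECTORY_XML, "salary")
    print(updated)
    print("encrypted attributes:", list_encrypted(updated))
```

Run the script against a copy of the real directory.xml only after confirming that the task used to save the object includes the attribute, as the note above requires; otherwise existing clear-text values stay unencrypted until the object is saved with that task or reloaded with the Bulk Loader.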