Emmanuel Lecharny wrote:
> as I need to rewrite the serialization for ServerEntry,
> ServerAttribute, ServerValue, DN, RDN and AttributeTypeAndValue, I
> have had some ideas, and I would like to know your opinion:
>
> - what about adding a flag to tell the serialization methods (those
> classes are Externalizable) to encrypt/decrypt the data on disk? This
> would be a much better solution than to define an encryption option to
> be added to all the attributes (like "cn;encrypted=fR5*za"). All the
> data will be encrypted before being serialized to disk. It would be
> off by default, of course

To make the encryption cryptographically sound, the message to be encrypted must be sufficiently random. In a scheme where each entry is encrypted individually, this requires an initialization vector (i.e. some random bits), which amounts to a relatively high percentage of wasted space. A scheme where the encryption happens in larger chunks (e.g. B-Tree nodes or pages) will typically have better "randomness" in the first place and reduce the space wasted by the IV. I don't know how the storage engine works at the bottom end, but I'd guess that this would be a better place to do encryption.

Joerg Henne
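The space cost Joerg describes, as an added example that is not code from this thread or from ApacheDS: it assumes AES-CBC with a 16-byte IV and PKCS#5 padding (the thread names no cipher), uses constructed sample values in place of real serialized ServerValue data, and compares the on-disk size of encrypting each value on its own against packing the same values into one page under a single IV.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/** Measures IV plus padding overhead: one IV per entry versus one IV per page. */
public class IvOverhead {
    private static final SecureRandom RNG = new SecureRandom();

    /** AES-CBC with a fresh random IV; returns IV || ciphertext, the bytes that would hit disk. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        // Constructed sample: 64 short values, the size a single "cn" value would typically have.
        byte[][] entries = new byte[64][];
        int plainTotal = 0;
        for (int i = 0; i < entries.length; i++) {
            entries[i] = ("cn=user" + i).getBytes(StandardCharsets.UTF_8);
            plainTotal += entries[i].length;
        }
        // Scheme 1: every entry encrypted individually, paying 16 bytes of IV plus padding each time.
        int perEntryTotal = 0;
        for (byte[] e : entries) perEntryTotal += encrypt(key, e).length;
        // Scheme 2: the same entries packed into one page and encrypted under a single IV.
        // Length framing for the entries is left out; it is plaintext layout, not IV cost.
        byte[] page = new byte[plainTotal];
        int off = 0;
        for (byte[] e : entries) { System.arraycopy(e, 0, page, off, e.length); off += e.length; }
        int pageTotal = encrypt(key, page).length;
        System.out.printf("plaintext %d B, per-entry %d B (+%.0f%%), per-page %d B (+%.0f%%)%n",
            plainTotal, perEntryTotal, 100.0 * (perEntryTotal - plainTotal) / plainTotal,
            pageTotal, 100.0 * (pageTotal - plainTotal) / plainTotal);
    }
}
```

With these sample sizes each entry grows from roughly 9 bytes to 32 on disk, while the page pays the 16-byte IV and at most 15 bytes of padding once for all 64 values.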