IM - attributeLevelEncrypt Is there a command to decrypt the pvq attribute data?


Article ID: 136527


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


We are using the attributeLevelEncrypt feature enforced in the directory.xml file for the password hint attribute, which stores questions and answers. It looks like the algorithm used is RC2, likely combined with a secret entered during the IDM install. IDM has the ability to decrypt the values of the encrypted attribute via modifications to the directory.xml file, and that is documented.

Rather than going through the IME updated via directory.xml, is there a command-line approach to decrypt the pvq attribute data?

We did this a while ago using either dxsearch or dxdump; however, I am not sure if anything like this is possible with the IDM 14.x versions. The reason for my question is that in the dev environment I would like to see if the actual question is being stored in the attribute or just the pointer to the resource bundle specifying the question.


Release : 14.2

Component : IdentityMinder(Identity Manager)


By default, CA Directory encrypts only the 'userPassword' value. The values stored in any other attribute need to be encrypted at the application layer and then presented to the CA Directory DSA for storage.

In this case, that means the security question/answer: whatever value the user enters has to be encrypted by the IDM layer before it is stored in CA Directory.

directory.xml is not used by CA Directory. In any case, it has no relation to the CA Directory side of the setup beyond IDM telling itself where the DSA is and which user to bind with.

There is no command to decrypt the values. You will need to update directory.xml.