Encryption "at rest" is a business requirement
CA Directory
CA Directory and Oracle directory comparison
CA Directory, by design, does not natively encrypt its on-disk data files. This is not an oversight or limitation, but rather a deliberate architectural decision made to keep the product extremely fast and lightweight. CA Directory has a long history in the telecommunications and carrier space where performance and reliability at very large scale are critical, and where functions like encryption at rest are traditionally handled by the operating system or the underlying storage infrastructure (e.g. LUKS, BitLocker, ZFS, SAN/NAS-level encryption). This approach allows CA Directory to sustain extremely high throughput with sub-millisecond response times, even under heavy read/write workloads, while still giving customers the flexibility to apply the encryption standard or technology that best fits their environment.
By contrast, Oracle, for example, has historically embedded such features directly into its database and directory products. This comes from Oracle's philosophy of re-implementing OS-level functionality inside the database stack for portability across platforms and a "one-stop shop" security story. While this makes for a simpler checkbox answer, it introduces performance overhead and vendor lock-in, since the customer is required to use Oracle's encryption mechanisms rather than the enterprise's own preferred, standardized ones.
With CA Directory, a customer is not tied to a proprietary approach. Many of our customers - including governments, banks, and Tier-1 telcos - meet strict compliance requirements (PCI DSS, HIPAA, GDPR) by combining CA Directory with filesystem or volume-level encryption. Solutions such as fscrypt, LUKS, BitLocker, or storage-appliance encryption all integrate seamlessly without degrading CA Directory's core performance advantage.
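Because encryption at rest is delegated to the OS, an audit has to confirm that the directory's data path really sits on an encrypted volume. The following check for the LUKS/dm-crypt case on Linux is an added example, not CA Directory tooling; the function names and sample device names are constructed, and the data path must be supplied by the operator.

```shell
#!/bin/sh
# Added example: verify that a data directory is backed by a dm-crypt (LUKS) mapping.

# Reads `lsblk -s -n -r -o NAME,TYPE` output on stdin (one "name type" pair
# per line, the device first, then every layer beneath it). Succeeds only if
# some layer in the stack has TYPE "crypt".
has_crypt_layer() {
    awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# Resolves the block device behind a path and inspects its device stack.
# Returns 0 = encrypted, 1 = not encrypted, 2 = cannot tell (e.g. NFS, ZFS).
check_path() {
    path=$1
    src=$(findmnt -n -o SOURCE --target "$path") || return 2
    case $src in
        /dev/*) ;;
        *) echo "UNKNOWN: $path is on '$src', not a local block device"
           return 2 ;;
    esac
    if lsblk -s -n -r -o NAME,TYPE "$src" | has_crypt_layer; then
        echo "OK: $path ($src) sits on a dm-crypt mapping"
    else
        echo "FAIL: $path ($src) has no dm-crypt layer beneath it"
        return 1
    fi
}

# Constructed sample: filesystem on an LVM volume, on LUKS, on a partition.
SAMPLE_ENCRYPTED='vg0-dsadata lvm
luks-data crypt
sda3 part
sda disk'

# Constructed sample: filesystem directly on an unencrypted partition.
SAMPLE_PLAIN='sdb1 part
sdb disk'

# Usage: ./check.sh /path/to/directory/data  (path chosen by the operator)
if [ $# -gt 0 ]; then
    check_path "$1"
fi
```

A result of UNKNOWN or FAIL does not by itself mean the data is unencrypted: fscrypt, ZFS native encryption and SAN/NAS-level encryption are not visible as a `crypt` layer and need their own checks.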
All in all:
- "At rest": CA Directory relies on OS or infrastructure encryption, which a customer is free to align with their enterprise standards.
- "In transit": All directory communication can be fully secured with TLS/SASL.
- "Performance & scale": CA Directory remains one of the fastest, most scalable LDAP servers available, trusted for environments with millions of concurrent identities.