This issue can be started once OPENDJ-2615 has been completed and can be closed once the pluggable backend has full support for encrypting id2entry, substring index ID lists, and hashing equality and approx index keys.
Enabling this feature should not have a dramatic impact on performance, although some impact is expected (10% or so?).
Use the CryptoManager for generating confidential content. It will also manage key generation and distribution, which is important for functionality like binary copy (backup on one server and restore on another).
Take a look at AESPasswordStorageScheme for inspiration. Note how the crypto manager embeds the key identifier in encrypted content.
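The idea of embedding the key identifier in encrypted content, shown as an added example (not OpenDJ code and not the CryptoManager's actual record format). The class name `KeyIdEnvelope`, the in-memory key map standing in for the distributed key store, the record layout and the choice of AES-GCM are all assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical class and record layout; the real CryptoManager format may differ.
public class KeyIdEnvelope {
  private static final int ID_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
  private final Map<UUID, SecretKey> keys = new HashMap<>(); // stand-in for the shared key store
  private final SecureRandom random = new SecureRandom();
  private UUID currentKeyId;
  // Generate a fresh AES key and use it for all records written from now on.
  public void rotateKey() throws Exception {
    KeyGenerator kg = KeyGenerator.getInstance("AES");
    kg.init(128);
    currentKeyId = UUID.randomUUID();
    keys.put(currentKeyId, kg.generateKey());
  }
  // Record layout: key ID (16 bytes) | IV (12 bytes) | AES-GCM ciphertext + tag.
  public byte[] encrypt(byte[] plain) throws Exception {
    byte[] iv = new byte[IV_LEN];
    random.nextBytes(iv);
    byte[] header = ByteBuffer.allocate(ID_LEN + IV_LEN).putLong(currentKeyId.getMostSignificantBits())
        .putLong(currentKeyId.getLeastSignificantBits()).put(iv).array();
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, keys.get(currentKeyId), new GCMParameterSpec(TAG_BITS, iv));
    c.updateAAD(header, 0, ID_LEN); // authenticate the key ID along with the data
    byte[] ct = c.doFinal(plain);
    return ByteBuffer.allocate(header.length + ct.length).put(header).put(ct).array();
  }
  // The key is selected by the ID stored in the record, not by the current key.
  public byte[] decrypt(byte[] rec) throws Exception {
    if (rec.length < ID_LEN + IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("record too short");
    ByteBuffer in = ByteBuffer.wrap(rec);
    SecretKey key = keys.get(new UUID(in.getLong(), in.getLong()));
    if (key == null) throw new IllegalStateException("key ID not in key store");
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, rec, ID_LEN, IV_LEN));
    c.updateAAD(rec, 0, ID_LEN);
    return c.doFinal(rec, ID_LEN + IV_LEN, rec.length - ID_LEN - IV_LEN);
  }
  public static void main(String[] args) throws Exception {
    KeyIdEnvelope env = new KeyIdEnvelope();
    env.rotateKey();
    byte[] rec = env.encrypt("uid=user.0,dc=example,dc=com".getBytes("UTF-8")); // constructed sample
    env.rotateKey(); // new records use a new key; the old record must still decrypt
    System.out.println(new String(env.decrypt(rec), "UTF-8"));
  }
}
```

Because each record names its own key, a backend file copied to another server stays readable as long as that server's key store holds the referenced key, which is the binary copy case mentioned above.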