Unlike backups and backend indexes, password encryption requires that the symmetric key be replicated: a value stored with a reversible password storage scheme can only be verified by a replica that holds the same key that encrypted it. This is why we store the key in cn=admin data today. From a portability point of view, however, it would be much better if symmetric keys were co-located with the backend data they protect. Where would we store them, though? We could store the key, in encrypted form, as operational attributes on the base DN entry, similar to how we manage ds-sync-state.
Note that reversible password storage schemes are not recommended and are only used for deprecated legacy SASL mechanisms (such as CRAM-MD5 and DIGEST-MD5) that require the server to recover the cleartext password. Therefore, this issue would not normally be a high priority. However, together with OPENDJ-6594 and OPENDJ-6741, it would allow us to completely remove cn=admin data in 7.0, so it is flagged as critical for now.
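As an added example, not OpenDJ code, the following Python shows the two constraints behind this issue: a legacy challenge-response mechanism such as CRAM-MD5 forces the server to recover the cleartext password, so the stored value must be reversible, and a replica can only verify such a value if it holds the same symmetric key that encrypted it. The cipher is an illustrative HMAC-based stream cipher standing in for a real scheme such as AES (it is not OpenDJ's implementation and has no integrity protection), and the username, password and challenge are constructed sample values modelled on the RFC 2195 example, not directory data.

```python
import hashlib
import hmac
import os

# Constructed sample values (modelled on the RFC 2195 example); not OpenDJ data.
USERNAME = "tim"
PASSWORD = b"tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
NONCE_LEN = 16


def cram_md5_response(username: str, password: bytes, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the cleartext password."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF-in-counter-mode keystream (HMAC-SHA256).

    Stands in for a real reversible scheme such as AES; it is not OpenDJ's
    implementation and provides no integrity protection."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_password(key: bytes, password: bytes) -> bytes:
    """Reversible storage: nonce || (password XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(password, _keystream(key, nonce, len(password))))
    return nonce + body


def decrypt_password(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_password; with the wrong key this yields garbage, not an error."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def verify_cram_md5(key: bytes, stored_blob: bytes, username: str,
                    challenge: bytes, response: str) -> bool:
    """Server side: recover the cleartext, recompute the HMAC, compare in constant time.

    This only succeeds when `key` is the key the value was encrypted with, which is
    why every replica must hold the same symmetric key."""
    cleartext = decrypt_password(key, stored_blob)
    expected = cram_md5_response(username, cleartext, challenge)
    return hmac.compare_digest(expected, response)


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Non-reversible storage (PBKDF2-HMAC-SHA256): fine for simple bind, useless for CRAM-MD5."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_simple_bind(stored_hash: bytes, salt: bytes, candidate: bytes) -> bool:
    """Simple bind needs only the one-way hash; no shared symmetric key is involved."""
    return hmac.compare_digest(stored_hash, one_way_hash(candidate, salt))


def demo() -> dict:
    shared_key = os.urandom(32)   # the key every replica must share
    other_key = os.urandom(32)    # a replica whose key was not replicated
    blob = encrypt_password(shared_key, PASSWORD)   # written on one replica, replicated verbatim
    response = cram_md5_response(USERNAME, PASSWORD, CHALLENGE)
    salt = os.urandom(16)
    digest = one_way_hash(PASSWORD, salt)
    return {
        "cram_same_key": verify_cram_md5(shared_key, blob, USERNAME, CHALLENGE, response),
        "cram_other_key": verify_cram_md5(other_key, blob, USERNAME, CHALLENGE, response),
        "bind_ok": verify_simple_bind(digest, salt, PASSWORD),
        "bind_wrong": verify_simple_bind(digest, salt, b"wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `cram_other_key` case is the failure mode this issue is about: the encrypted value replicates fine, but a replica without the matching key silently recovers garbage and rejects every legitimate CRAM-MD5 bind, while simple binds against a one-way hash keep working everywhere.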