I met a customer a month ago. I told him that the OpenDJ Data Confidentiality feature can be enabled on a per-database-backend basis to encrypt LDAP entries before they are stored to disk in OpenDJ 3.x. There's a blog post by Ludo that explains the feature in detail.
However, the customer is still on OpenAM 11.0.3. There might be a compatibility issue.
Lucky me. I just saw an article on ForgeRock Backstage.
In short, the customer cannot proceed to integrate OpenAM 11.0.3 with OpenDJ 3.5.
By the way, saw that last line? "It is strongly recommended that you always upgrade to the latest maintenance releases for whichever versions of OpenAM and OpenDJ you have deployed."
Yes, easier said than done. There is always a tech-refresh cycle and a cost attached to each refresh. It's really not as simple as upgrading to the latest release as and when it's available.