IDM & Encrypted Attributes

  • 3593205
  • 10-Apr-2007
  • 30-Apr-2013

Environment

Novell Identity Manager
Identity Manager 3.0

Situation

We have a customer who needs to store SSN in eDir. We are thinking about making it an Encrypted Attribute in 8.8, but we need to be able to use it for matching and provisioning to other systems. Is it possible to do matching on an EA, and is it possible for a driver to retrieve the clear text value to provision to other systems?

Resolution

When IDM retrieves an EA, the value is in the clear, but it is suppressed in the trace. If the encryption policy requires "secure connections", which is a separate setting from storing the attributes encrypted, then you must use SSL with the remote loader or eDir driver.