A method and system for transparently encrypting (and decrypting)
sensitive data stored in a directory (or other database) is provided.
Sensitive data, a password for example, may be required by a client in a
distributed data processing environment. When the database entry is
created, the sensitive data received from a user (or, more generally, a
client) is encrypted and saved in the directory entry only in encrypted
form. Encryption of sensitive data is performed in accordance with a
predetermined set of policies. When the sensitive information is later
requested, it is selectively delivered in encrypted or decrypted form,
or withheld, according to the applicable policy in the set. Policies may
include criteria external to the database (for example, the identity of
the requesting client or the channel over which the request arrives),
which are evaluated and interfaced to the database via a policy engine.
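The following Go program is an added illustration of the scheme described above; it is not code from the patent or from any product implementing it. It assumes an in-memory map standing in for the directory, AES-GCM as the encryption algorithm, a policy engine whose criteria are the requesting client's identity and whether the request arrived over TLS, and the sample entry names and values shown (all constructed). One detail the abstract does not mention but a practitioner would want: the entry's DN and attribute name are bound into the ciphertext as additional authenticated data, so a ciphertext copied from one entry or attribute to another fails to decrypt instead of silently revealing another entry's secret.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Delivery is the policy engine's verdict for a read of a sensitive attribute.
type Delivery int

const (
	Deny      Delivery = iota // withhold the attribute entirely
	Encrypted                 // hand out the stored ciphertext as-is
	Plaintext                 // decrypt server-side before returning
)

var ErrDenied = errors.New("policy denies access to attribute")

// RequestContext carries the criteria the policies evaluate: facts about the
// caller and the channel, external to the directory data itself (assumed set).
type RequestContext struct {
	ClientID string
	OverTLS  bool
}

// Policy inspects a request; ok=false means "this policy has no opinion".
type Policy func(dn, attr string, rc RequestContext) (d Delivery, ok bool)

// PolicyEngine sits between the directory and its policies; the first policy
// that claims the request wins, and an unclaimed request is denied.
type PolicyEngine struct{ Policies []Policy }

func (pe PolicyEngine) Decide(dn, attr string, rc RequestContext) Delivery {
	for _, p := range pe.Policies {
		if d, ok := p(dn, attr, rc); ok {
			return d
		}
	}
	return Deny
}

// Directory is an in-memory stand-in for an LDAP-style store. Sensitive
// attribute values exist in it only as nonce||AES-GCM ciphertext||tag.
type Directory struct {
	aead    cipher.AEAD
	entries map[string]map[string][]byte // dn -> attr -> stored blob
	engine  PolicyEngine
}

func NewDirectory(key []byte, engine PolicyEngine) (*Directory, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Directory{aead: aead, entries: map[string]map[string][]byte{}, engine: engine}, nil
}

// aad binds a ciphertext to its entry and attribute name, so a blob moved to
// another entry or attribute fails authentication on decrypt.
func aad(dn, attr string) []byte { return []byte(dn + "\x00" + attr) }

// SetSensitive encrypts at write time; plaintext never reaches the store.
func (d *Directory) SetSensitive(dn, attr string, value []byte) error {
	nonce := make([]byte, d.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := d.aead.Seal(nonce, nonce, value, aad(dn, attr)) // nonce prefixed to output
	if d.entries[dn] == nil {
		d.entries[dn] = map[string][]byte{}
	}
	d.entries[dn][attr] = blob
	return nil
}

// Get returns the attribute in whichever form the policy engine permits:
// decrypted, still encrypted (base64 of the stored blob), or not at all.
func (d *Directory) Get(dn, attr string, rc RequestContext) (string, error) {
	stored, ok := d.entries[dn][attr]
	if !ok {
		return "", errors.New("no such attribute")
	}
	switch d.engine.Decide(dn, attr, rc) {
	case Plaintext:
		ns := d.aead.NonceSize()
		if len(stored) < ns {
			return "", errors.New("stored value too short")
		}
		pt, err := d.aead.Open(nil, stored[:ns], stored[ns:], aad(dn, attr))
		if err != nil {
			return "", fmt.Errorf("decrypt %s/%s: %w", dn, attr, err)
		}
		return string(pt), nil
	case Encrypted:
		return base64.StdEncoding.EncodeToString(stored), nil
	default:
		return "", ErrDenied
	}
}

// ExamplePolicies is an assumed policy set: trusted clients get plaintext, but
// only over TLS (a trusted client on a cleartext channel falls through and gets
// ciphertext); any other named client, e.g. a replica, gets ciphertext; an
// anonymous request is denied.
func ExamplePolicies(trusted map[string]bool) PolicyEngine {
	return PolicyEngine{Policies: []Policy{
		func(_, _ string, rc RequestContext) (Delivery, bool) {
			return Plaintext, trusted[rc.ClientID] && rc.OverTLS
		},
		func(_, _ string, rc RequestContext) (Delivery, bool) {
			return Encrypted, rc.ClientID != ""
		},
	}}
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	dir, err := NewDirectory(key, ExamplePolicies(map[string]bool{"auth-service": true}))
	if err != nil {
		panic(err)
	}
	dn := "cn=alice,ou=people,dc=example,dc=com" // constructed sample entry
	if err := dir.SetSensitive(dn, "userPassword", []byte("correct horse battery staple")); err != nil {
		panic(err)
	}
	for _, rc := range []RequestContext{
		{ClientID: "auth-service", OverTLS: true},
		{ClientID: "auth-service", OverTLS: false},
		{ClientID: "replica-2", OverTLS: true},
		{},
	} {
		v, err := dir.Get(dn, "userPassword", rc)
		fmt.Printf("client=%-14q tls=%-5v -> value=%q err=%v\n", rc.ClientID, rc.OverTLS, v, err)
	}
}
```

The policy engine is deliberately the only component that knows about clients and channels; the directory code itself just encrypts on write and asks the engine what form to return on read, which is what keeps the encryption transparent to the rest of the system. In a real deployment the key would come from a KMS or HSM rather than a process-local byte slice, and the ciphertext form returned to replicas would be the raw stored blob rather than a base64 string.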