A minimal level of support would be for a SecretKey to be provided to the realm as it is initialised.
We should consider the level of encryption required and different levels could have different policies.
- Encryption of credentials.
- Encryption of attributes.
- Complete obfuscation of the username.
As realms already exist the tool could have a utility added to take a clear text realm and convert.