Configuring AES for mail and document encryption
To use AES for mail and document encryption, users and their home servers must use at least release 8.0.1 and their IDs must use 1024-bit or higher RSA keys. How you configure mail and document encryption with AES depends on whether you use a mixed-release environment that includes users and servers that run pre-8.0.1 releases of Notes and Domino.

Configuring AES for mail and document encryption in an 8.0.1-only environment

If all of the Notes users and Domino servers are running release 8.0.1 or higher, perform the following steps to set up mail and document encryption with AES through a Security Settings document and a policy. Following this procedure results in AES always being used for mail and document encryption.

Do not use this procedure if there are Notes clients or home servers running 8.0 or earlier releases, as they will be unable to decrypt AES-encrypted messages and documents, and when they attempt to do so will get the error "You cannot access portions of this document because it was encrypted and you do not have any of the keys."

1. If the IDs of the 8.0.1 or higher users and servers do not use 1024-bit or higher RSA keys, roll over the keys to be 1024-bit or higher.

2. In the Domino Administrator client, create a new Security Settings document, or open an existing one.

3. Click Keys and Certificates.

4. In the Document/Mail Encryption Settings section, click "Use FIPS 140-2 algorithms for Notes encryption (requires 8.0.x or higher server and client)."

5. Assign the settings to a policy.

Configuring AES for mail and document encryption in a mixed-release environment

If 8.0.1 or higher clients and servers interact with clients and servers running releases prior to 8.0.1, you use the "Encryption Capabilities" tool in the Domino Administrator to configure AES document encryption capability on a per-user basis for those users who run at least 8.0.1.

Do not perform these steps if you have enabled mail and document encryption through a policy (described above), because the settings below will be ignored.

1. If the IDs of the 8.0.1 or higher users and servers do not use 1024-bit or higher RSA keys, roll over the keys to be 1024-bit or higher.

2. In the Domino Administrator client, click People & Groups.

3. Select the names of 8.0.1 or higher users for whom you want to enable AES document and mail encryption.

4. Click Tools - People - Encryption capabilities.

5. Click "Capable of decrypting FIPS 140-2."

The Person documents for the users you specify have the field "Can decrypt documents using FIPS 140-2 approved algorithms" set to "Yes." When these users encrypt documents or mail, the encryption algorithm that is used depends on the encryption capabilities of all the recipients who will decrypt the document or message:
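The rules described on this page (the 8.0.1 and 1024-bit RSA prerequisites, the policy setting taking precedence over the per-user "Encryption capabilities" flag, and pre-8.0.1 recipients failing to open AES-encrypted items) as a small decision model in Python. This is an added example, not Domino code or an IBM/HCL API: the fallback algorithm name "legacy", the boolean policy flag, and the rule that the per-user path uses AES only when the sender and every recipient carry the Person-document flag are assumptions, since the page does not name them.

```python
"""Decision model for the AES selection rules documented on this page.

Added example, not IBM/HCL Domino code. Assumptions not stated on the page:
when the per-user path cannot use AES for every recipient, the item is
encrypted with the pre-AES Notes algorithm (labelled "legacy" here), and the
policy setting is modelled as a single boolean.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_RELEASE = (8, 0, 1)
MIN_RSA_BITS = 1024
ACCESS_ERROR = ("You cannot access portions of this document because it was "
                "encrypted and you do not have any of the keys.")


def parse_release(text: str) -> Tuple[int, ...]:
    """'8.0.1' -> (8, 0, 1); '8.0' -> (8, 0, 0) so releases compare as tuples."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


@dataclass(frozen=True)
class Principal:
    """A Notes user or home server, reduced to the attributes these rules use."""
    name: str
    release: str                    # Notes/Domino release in use, e.g. "8.0.1"
    rsa_bits: int                   # RSA key size in the ID file
    can_decrypt_fips: bool = False  # Person document field set by the Encryption capabilities tool

    def aes_ready(self) -> bool:
        """Page prerequisite: release 8.0.1 or higher and a 1024-bit or larger RSA key."""
        return parse_release(self.release) >= MIN_RELEASE and self.rsa_bits >= MIN_RSA_BITS


def needs_key_rollover(principals: List[Principal]) -> List[str]:
    """Step 1 of both procedures: names whose ID still uses an RSA key below 1024 bits."""
    return [p.name for p in principals if p.rsa_bits < MIN_RSA_BITS]


def choose_algorithm(sender: Principal, recipients: List[Principal], policy_fips: bool) -> str:
    """Algorithm the sender would use for a mail or document.

    policy_fips models "Use FIPS 140-2 algorithms for Notes encryption" in a
    Security Settings document assigned by policy: when set, AES is always
    used and the per-user flags are ignored.
    """
    if policy_fips:
        return "AES"
    # Per-user path. ASSUMPTION: AES only when the sender and every recipient
    # carry the Person-document flag; otherwise the legacy algorithm is used.
    if sender.can_decrypt_fips and all(r.can_decrypt_fips for r in recipients):
        return "AES"
    return "legacy"


def simulate(sender: Principal, recipients: List[Principal],
             policy_fips: bool) -> Tuple[str, Dict[str, str]]:
    """Return (algorithm, {recipient name: error}) for recipients that cannot decrypt."""
    alg = choose_algorithm(sender, recipients, policy_fips)
    failures = {}
    for r in recipients:
        if alg == "AES" and not r.aes_ready():
            failures[r.name] = ACCESS_ERROR   # the error quoted on this page
    return alg, failures


if __name__ == "__main__":
    # Constructed sample population: two flagged 8.0.1 users, one 8.0.1 user
    # not yet flagged, and one client still on 8.0.
    alice = Principal("alice", "8.0.1", 2048, can_decrypt_fips=True)
    carol = Principal("carol", "8.0.1", 1024, can_decrypt_fips=True)
    dave = Principal("dave", "8.0.1", 1024)
    bob = Principal("bob", "8.0", 1024)
    print(simulate(alice, [carol, bob], policy_fips=True))    # AES; bob cannot open it
    print(simulate(alice, [carol, dave], policy_fips=False))  # legacy; everyone can open it
```

Running the module prints the two cases the page warns about: with the policy enabled the 8.0 client receives the quoted access error, and on the per-user path an unflagged recipient forces the legacy algorithm rather than producing an unreadable item.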
