Lotus Domino Administrator 8.5 Help - Configuring encryption for ID files

SECURITY

Configuring encryption for ID files
The ID of any Notes client running Notes 8.0 or later can be encrypted using AES. Any ID used with Notes 8.0 or higher benefits from the strong security provided by AES encryption. You must use a Domino 8.0.1 or later server to implement AES for ID file encryption.

The following options are available for ID file encryption:

Compatible with all releases (64 bit RC2)
Compatible with release 6 and later (128 bit RC2)
Compatible with release 8 and later (128 bit AES)
Compatible with release 8 and later (256 bit AES)

Perform the following steps to configure ID file encryption:

1. In the Domino Administrator client, create a new Security Settings document, or open an existing one.

2. Click Password Management and in the ID File Encryption Settings section, select one of the following options:

To use one encryption standard to silently and automatically encrypt the ID files of the users to whom this policy applies, next to "Mandated encryption standard," select one encryption standard from the list. The setting you select will be the only one available in the Encryption Strength field of the Notes client Change Password dialog box.
To provide users a choice of encryption standard to use the next time they change their passwords, click "Allowed encryption standards" and select two or more standards from the list. Users select the standard during the process of changing their passwords. Use this option if users run multiple versions of Notes and you want to allow them to choose the highest encryption level possible for their versions.

3. Specify the number of iterations for key derivation strength. Key derivation strengthening is a technique used to make it more costly for malicious attackers to guess likely passwords through a brute force dictionary attack. They work by increasing the time it takes to generate a key from a password. The value for this field is the number of times an HMAC algorithm is applied as part of the operation that generates a key from the password. Specifying a larger number for this value increases the duration of each attempt during a dictionary attack. The default setting for this field is 5000, which is acceptable in most environments. Organizations with higher security requirements may wish to specify a higher value.

4. Save the Security Settings document and assign it to a policy, if you have not already done so.

Examples:

All of the Notes users associated with the policy are running Notes 8 so you select one of the AES encryption options in the"Mandated encryption standard" field so that standard is used by all Notes users.
Users associated with this policy run Notes releases 6, 7, or 8. Therefore you select "Compatible with release 6 and later (128 bit RC2)" and one of the AES encryption standards, for example, "Compatible with release 8 and later (128 big AES)" in the "Allowed encryption standards" field. Then users can select the encryption standard suitable for their versions of Notes.

Related topics

AES encryption

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary