SECURITY


Encryption
Encryption protects data from unauthorized access. Using IBM® Lotus® Notes® and IBM® Lotus® Domino™, you can encrypt:
For information on SSL encryption, see the topic Setting up SSL on a Domino Server.

For information on field, document, and database encryption, see IBM® Lotus® Domino™ Designer 8 Help.

Public and private keys

Lotus Domino uses public and private keys so that data encrypted by one of the keys can be decrypted only by the other. The public and private keys are mathematically related and uniquely identify the user. Both are stored in the ID file. Within the ID file, the public key is stored in a certificate, but the private key is stored separately from the certificate. The certificate containing the public key is also stored in the Lotus Domino Directory, where it is available to other users.

Lotus Domino uses two types of public and private keys -- Lotus Notes and Internet. You use the Lotus Notes public key to encrypt fields, documents, databases, and messages sent to other Lotus Notes users, while the Lotus Notes private key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for S/MIME decryption. For both Lotus Notes and Internet key pairs, electronic signatures are created with private keys and verified with public keys.

You can use one set of Internet public and private keys or you can set up Lotus Notes to use a set of Internet keys for S/MIME signatures and SSL and another set for S/MIME encryption.

For information on dual Internet certificates, see the topic Dual Internet certificates for S/MIME encryption and signatures.

When you register a user, Lotus Domino can automatically create a Lotus Notes certificate, which contains the user's public keys, and add it to the ID file and the Lotus Domino Directory. The private key is created and stored in the ID file. You can also create Internet public and private keys after user registration. Lotus Domino stores Internet certificates, which contain public keys, in the ID file and also in the Lotus Domino Directory. The Internet private key is stored in the ID file, separately from the certificate.

To create Lotus Notes public and private keys, Lotus Domino uses the dual-key RSA Cryptosystem and the RC2 and RC4 algorithms for encryption. To create the Internet public key, Lotus Domino uses the X.509 certificate format, which is an industry-standard format that many applications, including Lotus Domino, understand.

Both the Lotus Notes client and Lotus Domino server support registration of up to:


The Lotus Notes proprietary protocols support the use of 630-bit, 1024-bit, and 2048-bit keys for key exchange, signing, and authenticating user identity, and use 64- and 128-bit keys for bulk data encryption. The Lotus Notes proprietary protocols also support 2048-bit user keys, and can still use old keys (512-bit, 380-bit) that were created with earlier versions of Lotus Domino.

Larger keys provide stronger security against hackers. For instance, it is more difficult to derive a private key from the corresponding public one, and more difficult for someone to forge cryptographic signatures on documents, agents, forms, and email.
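The key-pair behaviour described above (data encrypted with one key of the pair is recoverable only with the other, signatures made with the private key and checked with the public key, and larger moduli being harder to break) as an added Python example. This is not Lotus Notes or Domino code; the primes are constructed and far too small for real use, and the scheme omits the padding a real RSA implementation applies.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Build a (public, private) pair from two primes; both keys share the modulus n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent; pow(..., -1, m) needs Python 3.8+
    return (n, e), (n, d)


def rsa_apply(key, value):
    """One modular exponentiation; the two keys of a pair undo each other."""
    n, exponent = key
    return pow(value, exponent, n)


def encrypt(public_key, message_int):
    return rsa_apply(public_key, message_int)


def decrypt(private_key, ciphertext_int):
    return rsa_apply(private_key, ciphertext_int)


def _digest_mod_n(message, n):
    # Toy scheme: raw SHA-256 reduced mod n, with no PKCS#1 padding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Electronic signatures are created with the private key..."""
    return rsa_apply(private_key, _digest_mod_n(message, private_key[0]))


def verify(public_key, message, signature):
    """...and verified with the public key."""
    return rsa_apply(public_key, signature) == _digest_mod_n(message, public_key[0])


def key_bits(key):
    """Key size as the bit length of the modulus (the '1024-bit' in '1024-bit key')."""
    return key[0].bit_length()


def recover_private_from_public(public_key):
    """Trial-division factoring of n to rebuild d; feasible only because n is tiny."""
    n, e = public_key
    factor = 2
    while factor * factor <= n:
        if n % factor == 0:
            return (n, pow(e, -1, (factor - 1) * (n // factor - 1)))
        factor += 1
    return None


if __name__ == "__main__":
    pub, priv = make_keypair(999983, 1000003)  # constructed primes, 40-bit modulus
    print(key_bits(pub), decrypt(priv, encrypt(pub, 123456789)))
    print(verify(pub, b"memo", sign(priv, b"memo")), recover_private_from_public(pub) == priv)
```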

For more information about increasing key size for certifier, user, and server IDs using key rollover and the implications for compatibility with prior releases, see Creating a security policy settings document.

Encryption strength

The Lotus Domino server and the Lotus Domino Administrator, Lotus Domino Designer, and Lotus Notes client products use one strong encryption level -- Global. The Global release adopts the encryption characteristics previously known as North American. Strong encryption in Global products can be used worldwide, except in countries whose import laws prohibit it, or except in those countries to which the export of goods and services is prohibited by the U.S. government. Customers are not required to order Lotus Notes software according to cryptographic strength.
