Encryption protects data from unauthorized access.

Using Notes® and Domino®, you can encrypt:

• Messages sent to other users. Then an unauthorized user cannot read the message while it is in transit. You can also encrypt saved and incoming messages.
• Network ports. Encrypting information sent between a Notes workstation and a Domino server, or between two Domino servers, prevents unauthorized users from reading the data while it is in transit.
• Transactions over the Internet. You can use SSL to encrypt information sent between an Internet client, such as a Notes client, and an Internet server, to prevent unauthorized users from reading the data while it is in transit.
• Fields, documents, and databases. Application developers can encrypt fields within a document, an entire document, and local databases. Then only the specified users can read the information.

Public and private keys

Domino uses public and private keys so that data encrypted by one of the keys can be decrypted only by the other. The public and private keys are mathematically related and uniquely identify the user. Both are stored in the ID file. Within the ID file, the public key is stored in a certificate, but the private key is stored separately from the certificate. The certificate containing the public key is also stored in the Domino Directory, where it is available to other users.

Domino uses two types of public and private keys -- Notes and Internet. You use the Notes public key to encrypt fields, documents, databases, and messages sent to other Notes users, while the Notes private key is used for decryption. Similarly, you use the Internet public key for S/MIME encryption and the Internet private key for S/MIME decryption. For both Notes and Internet key pairs, electronic signatures are created with private keys and verified with public keys.

You can use one set of Internet public and private keys or you can set up Notes to use a set of Internet keys for S/MIME signatures and SSL and another set for S/MIME encryption.

When you register a user, Domino can automatically create a Notes certificate, which contains the user's public keys, and add it to the ID file and the Domino Directory. The private key is created and stored in the ID file. You can also create Internet public and private keys after user registration. Domino stores Internet certificates, which contain public keys, in the ID file and also in the Domino Directory. The Internet private key is stored in the ID file, separately from the certificate.

To create Notes public and private keys, Domino uses the dual-key RSA Cryptosystem and the RC2, RC4, and AES algorithms for encryption. To create the Internet public key, Domino uses the X.509 certificate format, which is an industry-standard format that many applications, including Domino, understand.

Both the Notes client and Domino server support registration of as many as:

• 4096-bit RSA keys for both Notes and Internet certifiers. You can also roll over existing Notes certifiers with smaller keys to 4096-bit keys;
• 2048-bit RSA keys for user and server certificates;
• 128-bit symmetric key for S/MIME and SSL.

Larger keys provide stronger security from hackers. For instance, it would be more difficult for a private key to be deciphered based on a public one. It would also be more difficult for someone to forge cryptographic signatures on documents, agents, forms, and email.

Encryption strength

The Domino server and the Domino Administrator, Domino Designer, and Notes client products use one strong encryption level -- Global. The Global release adopts the encryption characteristics previously known as North American. Strong encryption in Global products can be used worldwide, except in countries whose import laws prohibit it, or except in those countries to which the export of goods and services is prohibited by the U.S. government. Customers are not required to order Notes software according to cryptographic strength.

Encryption standards
HCL Domino observes a number of encryption standards, in particular, standards that are required or regulated by the Federal Information Processing Standard (FIPS).

Configuring encryption for ID files
Any ID used with the current HCL Notes client benefits from the strong security provided by AES encryption.

Mail encryption
Mail encryption protects messages from unauthorized access. Only the body of a mail message is encrypted; the header information such as text in the To, From, and Subject fields is not.

Configuring the level of port encryption and authentication
You can control the level of port encryption and authentication that is used on an HCL Domino server.

Electronic signatures
Electronic signatures are closely associated with encryption. An electronic signature verifies that the person who originated the data is the author and that no one has tampered with the data. Users can add an electronic signature to mail messages and to fields and sections of documents. A database designer controls whether or not users can sign fields and sections of a database can be signed; individual users can choose to sign mail messages.

Related concepts
Mail encryption
Dual Internet certificates for S/MIME encryption and signatures

Related tasks
Encrypting NRPC communication on a server port
Setting up SSL on a Domino server
User and server key rollover
Certificate authority key rollover
Creating a security policy settings document

Help on Help

All Help Contents

Help on Help