Mail encryption protects messages from unauthorized access. Only the body of a mail message is encrypted; the header information such as text in the To, From, and Subject fields is not.
Notes® users can encrypt mail sent to other Notes users or to users of mail applications that support S/MIME -- for example, Microsoft™ Outlook Express®.
Users can use Notes mail encryption to encrypt mail sent to other Notes users, encrypt mail received from other Notes users, or encrypt all documents saved in a mail database. Notes uses the recipient's public key, which is stored in the sender's Contacts or in the Domino® Directory, to encrypt outgoing and saved mail.
In general, mail sent to users in a foreign domain cannot be encrypted. However, if the recipient of the mail uses Notes and the sender has access to the recipient's public key, the sender can encrypt the mail message. The recipient's public key can be stored in the Domino Directory, in an LDAP directory to which the sender has access, or in the sender's Contacts.
Notes users can also use S/MIME to encrypt mail sent to recipients who use mail applications that support S/MIME. Senders must have the recipient's public key in order to encrypt the message for S/MIME. The recipient's public key is stored in an Internet certificate in either a Domino Directory or LDAP directory to which the sender has access or in the sender's Contacts. The sender must also have a cross-certificate that indicates to Notes that the recipient's public key can be trusted.
Encrypting a message -- with either Notes mail encryption or S/MIME encryption -- does not affect the speed at which the message is routed from sender to recipient. However, encryption does increase the time required to send and to open a message. The extra time is required because the message must be encrypted at the beginning of the transmission and decrypted each time the recipient opens it. The time required to send and open a message is based on the size of the message and the number of bitmaps and other graphics, objects, and attachments in the message. In most cases, the delay is not noticeable.
How outgoing Notes mail encryption works
1. The sender sends an outgoing message and selects the Encrypt option.
2. Notes generates a random encryption key and encrypts the message with it.
3. Notes encrypts the random encryption key with the recipient's public key and appends the encrypted key to the message. The recipient's public key must be stored in a Domino Directory or LDAP directory that the sender can access, or in the sender's Contacts.
4. If the encrypted message is addressed to multiple recipients, the message is encrypted only once with one random key, and the random key is encrypted using the public key of each recipient.
5. When the recipient attempts to open the encrypted message, the user's mail application attempts to decrypt the random key, using the recipient's private key. If this is successful, the random key decrypts the message.
6. If decryption is successful, the recipient can read the message. If decryption is unsuccessful, the user receives a message indicating that the decryption failed and the mail application does not allow the user to access the message.
How outgoing S/MIME mail encryption works
1. The sender sends an outgoing message and selects to encrypt it. (The exact option to do this depends on the mail application used.)
2. The sender's mail application (Notes or another S/MIME-compliant mail program) generates a random encryption key and encrypts the message with it.
3. The sender's mail application looks for the recipient's public key. For S/MIME mail sent from Notes, the recipient's Internet certificate must be stored in the sender's Contacts or in a Domino Directory or LDAP directory to which the sender has access.
4. If no certificate for the recipient is found, or if no cross-certificate has been created for the certificate, the sender receives a warning that encryption is not possible for this recipient. The sender can then choose not to send the message or to send it unencrypted.
5. When the recipient attempts to open the encrypted message, the user's mail application attempts to decrypt the random key, using the recipient's private key. If this is successful, the random key decrypts the message.
6. If decryption is successful, the recipient gains access to the message. If decryption is unsuccessful, the user receives a message indicating that the decryption failed, and the mail application does not allow the user to access the message.
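The Notes and S/MIME procedures above share one shape: a random message key encrypts the body once, that key is wrapped separately under each recipient's public key, and a recipient unwraps it with the private key or gets a decryption failure. The following is an added example that walks through those steps; it is not Notes, Domino or S/MIME code. It assumes the third-party Python `cryptography` package (RSA-OAEP for key wrapping, AES-256-GCM for the body); the function names, the recipients and the sample message are all constructed for this example. It also shows the point made at the top of the page, that header fields such as Subject travel in the clear.

```python
"""Envelope encryption modelled on the Notes / S/MIME steps above.

Added example, not Notes, Domino or S/MIME code. It mirrors the structure
(random message key; body encrypted once; key wrapped once per recipient;
recipient unwraps with its private key) using the third-party `cryptography`
package. All names and the sample message below are constructed.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256: the key-wrapping transform applied per recipient.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_keypair():
    """Stand-in for a user's key pair (Notes ID or Internet certificate)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_message(headers, body, recipient_public_keys):
    """Steps 2-4: one random key, body encrypted once, key wrapped per recipient.

    The headers are carried in the clear, as the page notes for To/From/Subject.
    """
    message_key = AESGCM.generate_key(bit_length=256)          # random key (step 2)
    nonce = os.urandom(12)
    ciphertext = AESGCM(message_key).encrypt(nonce, body, None)  # encrypted once (step 4)
    wrapped_keys = {   # the same key wrapped under each recipient's public key (step 3)
        name: public_key.encrypt(message_key, OAEP)
        for name, public_key in recipient_public_keys.items()
    }
    return {"headers": dict(headers), "nonce": nonce,
            "ciphertext": ciphertext, "wrapped_keys": wrapped_keys}


def decrypt_message(envelope, recipient_name, private_key):
    """Steps 5-6: unwrap the random key with the private key, then decrypt the body.

    Returns the plaintext, or None when decryption fails (not an addressed
    recipient, wrong private key, or a modified ciphertext).
    """
    wrapped = envelope["wrapped_keys"].get(recipient_name)
    if wrapped is None:
        return None
    try:
        message_key = private_key.decrypt(wrapped, OAEP)      # raises ValueError on wrong key
        return AESGCM(message_key).decrypt(
            envelope["nonce"], envelope["ciphertext"], None)  # raises InvalidTag if tampered
    except (ValueError, InvalidTag):
        return None


def demo():
    """Constructed walk-through: two recipients, one outsider, one tampered copy."""
    keys = {name: generate_keypair() for name in ("alice", "bob", "mallory")}
    publics = {name: keys[name][1] for name in ("alice", "bob")}
    headers = {"From": "sender@example.com",                     # constructed headers
               "To": "alice@example.com, bob@example.com",
               "Subject": "Q3 figures"}
    body = b"The attached figures are confidential."             # constructed body

    env = encrypt_message(headers, body, publics)
    tampered = dict(env)   # flip one bit of the body ciphertext
    tampered["ciphertext"] = bytes([env["ciphertext"][0] ^ 0x01]) + env["ciphertext"][1:]

    return {
        "recipients": sorted(env["wrapped_keys"]),
        "subject_in_clear": env["headers"]["Subject"],
        "alice": decrypt_message(env, "alice", keys["alice"][0]),
        "bob": decrypt_message(env, "bob", keys["bob"][0]),
        "mallory_not_addressed": decrypt_message(env, "mallory", keys["mallory"][0]),
        "mallory_with_alices_slot": decrypt_message(env, "alice", keys["mallory"][0]),
        "tampered_body": decrypt_message(tampered, "alice", keys["alice"][0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Both addressed recipients recover the same body from a single ciphertext, a user who is not in the recipient list has nothing to unwrap, a wrong private key fails at the key-unwrap step, and a modified body fails the authentication check; in each failure case the caller gets None rather than garbage, which is the behaviour step 6 describes.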
Configuring AES for mail and document encryption
You can set up mail document encryption with AES through the use of a Security Settings document and a policy. You can also set AES encryption as the default method of encryption for S/MIME mail, with or without SHA-2 signing, using a NOTES.INI setting in a desktop policy.
Viewing the signing and encryption status of Notes mail
There is an icon on the status bar that indicates the signing and/or encryption status of an open Notes mail message.
Using X.509 certificates for mail and document encryption
You can set up the use of X.509 certificates for mail and document encryption for users who run Notes 8.0.1 or later. Messages retain the Notes format and full message fidelity. This configuration is particularly useful when smart cards are used.
Using S/MIME format when sending encrypted mail to mobile device users
You can specify that encrypted mail sent to designated mobile device users, such as Blackberry® users, be converted to MIME and encrypted using S/MIME. This feature provides end-to-end encryption.
Related concepts
Encryption
Related tasks
Encrypting mail
Adding an Internet certificate and cross-certificate for encrypted S/MIME messages