Configuring AES for mail and document encryption

You can set up mail document encryption with AES through the use of a Security Settings document and a policy. You can also set AES encryption as the default method of encryption for S/MIME mail, with or without SHA-2 signing, using a NOTES.INI setting in a desktop policy.

Configuring AES for Notes® mail and document encryption in the current release

Before you begin

To use AES for mail and document encryption, user IDs must use 1024-bit or higher RSA keys.

Procedure

  1. In the Domino® Administrator client, create a new Security Settings document, or open an existing one.
  2. Click Keys and Certificates.
  3. In the Document/Mail Encryption Settings section, click Use FIPS 140-2 algorithms for Notes encryption (requires 8.0.x or higher server and client).
  4. Assign the settings to a policy.

Results

Following this procedure results in AES always being used for Notes mail and document encryption.

Configuring AES for S/MIME mail encryption with or without SHA-2 digested signing

Before you begin

To use AES for S/MIME encryption, user IDs must use 1024-bit or higher RSA keys.

Procedure

  1. In the Domino® Administrator client, create a new desktop settings document, or open an existing one.
  2. Click Add Settings, open the Desktop Settings dialog box and open the Custom Settings tab.
  3. Select Notes.ini.
  4. Select Edit List to open a panel that enables you to create a NOTES.INI setting and value pair.
  5. For AES default encryption, in the Item field, specify the following NOTES.INI setting: SMIME_FIRST_CHOICE_CONTENT_ENC_ALG
  6. In the Value field, specify the value for the setting. The value specifies the level of AES encryption or the level of SHA-2 and can be any one of the following:
    • AES_128
    • AES_192
    • AES_256
    If you do not set the SMIME_FIRST_CHOICE_CONTENT_ENC_ALG parameter, 3DES is used as the default.
    Tip: You can combine a value for AES with a value for SHA-2 (next step), separated by a colon.
  7. For SHA-2 digested S/MIME mail,, in the Item field, specify the following NOTES.INI setting: SMIME_CAPABILITIES_SEND
  8. In the Value field, specify the value for the setting. The value specifies the level of AES encryption or the level of SHA-2 and can be any one of the following:
    • SHA_256
    • SHA_512
    • SHA_384
    Note: If more than one SHA digest is in SMIME_CAPABILITES_SEND, the last in the list is the sender's default choice for signed S/MIME mail.
  9. Select Add/Modify Value.
  10. Click OK and Save & Exit.

Results

Following this procedure results in AES always being used for S/MIME mail encryption, with or without SHA-2 digested signatures, with a specified level for each setting.

Configuring AES for mail and document encryption in a mixed-release environment

About this task

If Domino® 8.0.1 or higher clients and servers interact with clients and servers running releases prior to 8.0.1, you use the "Encryption Capabilities" tool in the Domino® Administrator to configure AES document encryption capability on a per-user basis for those users who run at least 8.0.1.

Do not perform the following steps if you enabled mail and document encryption through a policy, because these settings will be ignored.

Procedure

  1. If the IDs of the 8.0.1 or higher users and servers do not use 1024-bit or higher RSA keys, roll over the keys to be 1024-bit or higher.
  2. In the Domino® Administrator client, click People & Groups.
  3. Select the names of 8.0.1 or higher users for whom you want to enable AES document and mail encryption.
  4. Click Tools > People > Encryption capabilities.
  5. Click Capable of decrypting FIPS 140-2.

Results

The Person documents for the users you specify have the field Can decrypt documents using FIPS 140-2 approved algorithms set to Yes. When these users encrypt documents or mail, the encryption algorithm that is used depends on the encryption capabilities of all the recipients who will decrypt the document or message:

  • If any recipient uses an ID with a 630-bit RSA key, or 64-bit RC2 document encryption keys are being used, then a 64-bit RC2 bulk data key is used to encrypt the document.
  • If all recipients use IDs with 1024-bit RSA keys or larger, but one or more have Person documents that are not configured withCan decrypt documents using FIPS 140-2 approved algorithms, or 128-bit RC2 document encryption keys are being used, then a 128-bit RC2 bulk data key is used to encrypt the document.
  • If all recipients use IDs with 1024-bit or higher RSA keys, and all have Person documents configured with Can decrypt documents using FIPS 140-2 approved algorithms, or 128 bit AES document encryption keys are being used, then 128-bit AES encryption is used to encrypt the document.
  • If all recipients use IDs with 4096-bit or higher RSA keys (not available for end-users in 8.0.1), then 256-bit AES encryption is used.