NRPC port encryption supports forward secrecy using X25519

Support for forward secrecy ( using X25519 ( has been added to NRPC port encryption on the Domino 12 server.

When NRPC port encryption is enabled on a Domino 12 server, forward secrecy using X25519 is now enabled by default. The following table describes the NRPC encryption algorithms used based on the version of the NRPC client connecting to a Domino 12 server using the default algorithms. A client can be a Notes client or a Domino server replicating with the Domino 12 server.
Table 1. NRPC encryption algorithms used by client version
NRPC client version Algorithms used when connecting to Domino 12
Clients prior to V 9.0.1 FP7 RC4
  • V 9.0.1 FP7 and later FPs
  • V 10
  • V 11
128 bit AES-GCM for network encryption and integrity protection and 128 bit AES tickets
V 12 256 bit AES-GCM for network encryption and integrity protection, X25519 for forward secrecy, and 128 bit AES tickets.

Note that use of the PORT_ENC_ADV notes.ini setting to configure NRPC port encryption overrides the default behavior. If you currently use the PORT_ENC_ADV setting and want to enable X25519 for forward secrecy, add 32 to your current value for that setting. The client side of the network connection advertises which algorithms it supports, and the server selects the most secure combination that both client and server support based on the server-side notes.ini setting. For more information, see the topic PORT_ENC_ADV. (Note that PORT_ENC_ADV=0 is a valid setting that results in the disablement of all modern algorithms.)

We recommend enabling LOG_AUTHENTICATION=1 so you can see which algorithms are being used to authenticate and encrypt your NRPC traffic.