Using a shared key to encrypt DAOS objects across servers

Beginning with HCL Domino 12®, you can create a shared key that multiple servers that are enabled for DAOS can use to encrypt objects.

If you use DAOS tier 2 storage, using a shared key to encrypt objects across servers is useful for conserving tier 2 storage space. With use of a shared key, each unique DAOS attachment object resolves to a single object in tier 2 storage that all servers that encrypt the object with the shared key reference.

Even if you don't use tier 2 storage, using a shared key for object encryption may simplify your tier 1 backup strategy. In this case each unique attachment object has the same name and key on every server that uses the shared key, so only a single backup of an object is required, and the object can be restored to any of those servers.

In the following figure, DAOS tier 2 is used without object sharing through a shared key. Each server uses a separate key to encrypt objects. Both copies of object 1, inactive on Server A and Server B in DAOS tier 1, are moved to tier 2.


When object sharing through a shared key is used, one copy of Object 1 from DAOS tier 1 is moved to tier 2, as shown in the following figure.


To enable encryption of DAOS objects with a shared key, you create a shared key in a credential store used by the servers. Either the AES-128 or the AES-256 encryption algorithm can be used. Then you modify the Server documents of the participating servers to enable encryption with the shared key.

If not all servers enabled for DAOS use the same credential store, you can export a shared key from one credential store and import it into another.

After you enable encryption of attachment objects with a shared key, a DAOS object that is created in tier 1 (on the local Domino server) is encrypted with the shared key. Tier 1 objects created before object sharing was enabled are encrypted with the shared key if they are pushed to tier 2 storage.

Because DAOS objects "age" independently across servers according to when they are last accessed on each server, one attachment object can be in tier 1 on some servers and tier 2 on others.

If all references to a tier 2 object that is encrypted with a shared key are deleted from a specific server, DAOS removes the tier 2 reference to the object for that server according to the DAOS setting Defer object deletion for n days. If this is the last server that referenced the object, the tier 2 object itself is deleted from tier 2 storage, and the object's life cycle is complete.

DAOS tracks which servers reference each tier 2 object and coordinates creation (pushing) and deletion (pruning) of the objects across the servers to avoid any race conditions.
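The life cycle described above, as an added illustrative model that is not HCL's code: with separate keys the same attachment becomes two tier 2 objects, with a shared key it resolves to one object referenced by both servers, each server's reference is pruned only after the deferral period, and the object is removed when the last reference goes. The object naming scheme and the data structures are assumptions made for the illustration, not DAOS internals.

```python
"""Illustrative model of shared-key DAOS objects in tier 2 (not HCL's implementation)."""
import hashlib
from dataclasses import dataclass, field


def object_id(key_id: str, content: bytes) -> str:
    # Assumption for the model: an object's identity depends on the content and on the
    # key used to encrypt it, so servers with different keys produce different objects.
    return hashlib.sha256(key_id.encode() + b"\0" + content).hexdigest()[:16]


@dataclass
class Tier2:
    defer_days: int = 30                               # "Defer object deletion for n days"
    objects: dict = field(default_factory=dict)        # object id -> set of referencing servers
    pending: dict = field(default_factory=dict)        # (object id, server) -> day prune is due

    def push(self, server: str, key_id: str, content: bytes) -> str:
        oid = object_id(key_id, content)
        self.objects.setdefault(oid, set()).add(server)
        self.pending.pop((oid, server), None)          # a new reference cancels a pending prune
        return oid

    def drop_references(self, server: str, oid: str, today: int) -> None:
        # The server deleted its last reference to the object; prune it after the deferral.
        self.pending[(oid, server)] = today + self.defer_days

    def prune(self, today: int) -> None:
        for (oid, server), due in list(self.pending.items()):
            if due > today:
                continue
            del self.pending[(oid, server)]
            refs = self.objects.get(oid)
            if refs is None:
                continue
            refs.discard(server)
            if not refs:                               # last server gone: life cycle complete
                del self.objects[oid]


def demo() -> tuple:
    attachment = b"constructed sample attachment bytes"      # constructed sample content
    separate = Tier2()                                       # each server has its own key
    separate.push("ServerA", "keyA", attachment)
    separate.push("ServerB", "keyB", attachment)
    shared = Tier2()                                         # both servers use the shared key
    oid = shared.push("ServerA", "shared", attachment)
    shared.push("ServerB", "shared", attachment)
    shared.drop_references("ServerA", oid, today=0)
    shared.prune(today=30)                                   # Server A pruned, object kept for B
    remaining_after_a = len(shared.objects)
    shared.drop_references("ServerB", oid, today=30)
    shared.prune(today=60)                                   # last reference gone, object deleted
    return len(separate.objects), remaining_after_a, len(shared.objects)
```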

Note: All servers that use a shared encryption key must run Domino 12 or later. Do not enable object encryption with shared keys on a Domino server that you may need to downgrade to a Domino pre-12 version.