Encrypting new attachment files with a private key

If you do not specify a key that multiple servers share to encrypt attachment objects, objects are encrypted on each server with a private key, by default.

About this task

Private key encryption is enabled by default, so you only need to complete this procedure to switch to using a private key after not using encryption or using a shared key.


  1. Open the Server document for the server on which to enable attachment object encryption.
  2. Click the DAOS tab.
  3. In the DAOS object encryption field, select Private to this server.
    Note: This option is the equivalent of the notes.ini setting DAOS_ENCRYPT_NLO=1 that was used prior to Domino 12.
  4. Select one of the following options:
    • Domino classic Use only if you may need to downgrade the server to a version prior to Domino 11.0.1.
    • AES-128 (Default and recommended). Starting in HCL Domino 12, this encryption is the default for newly created DAOS objects rather than Domino classic, the default in previous versions.
    • AES-256 Provides maximum security for DAOS objects but may result in a small decrease in performance. AES-128 provides strong security so AES-256 might not be worth the small performance decrease.
  5. Save the document.
  6. Restart Domino:
    restart server