Deploying FIPS 140-2 certified ID and document encryption 

Federal Information Processing Standard (FIPS) regulates cryptography and the use of cryptographic libraries. Lotus Domino and Notes 8.0.1 (32-bit Microsoft Windows platform only) now ships with a FIPS 140-2 certified cryptographic library. Described below are two scenarios for deploying FIPS 140-2 certified ID encryption and mail/document encryption.

Scenario 1: Deploying FIPS 140-2 certified Notes ID and document encryption for all users in a domain
In this scenario, an agency of the US Federal Government has a mandate to use FIPS-certified cryptographic libraries for encryption of all user IDs and confidential e-mail and documents throughout a domain. The agency has Domino 7.0.3 servers and Notes 6.5.4 clients, all deployed on the 32-bit Windows platform. The agency will perform the following steps.

1. Upgrade all the Domino servers and Notes clients in the domain to release 8.0.1. For more information, see the infocenter topic IBM Lotus Notes and Domino 8 Deployment Guide.
2. Use a Security Settings document and policy to use AES to encrypt the ID files of all users. Select "Mandated encryption standards" using 128-bit AES encryption, so that the IDs are automatically and silently encrypted with AES, and users are required to use AES when changing passwords. Accept the default key derivation strength, 5000. Although 256-bit AES encryption is available, 128-bit encryption is sufficiently strong for the foreseeable future, and 256-bit encryption can cause delays on lower-end clients, currently. Assign the policy to all users in the domain. For more information, see infocenter topic Configuring encryption for ID files.
3. Rollover the IDs of all servers to the use of 1024-bit or 2048-bit keys. 1024-bit or greater keys are required to use a FIPS 140-2 approved algorithm for document and mail encryption. For more information, see the infocenter topic User and server key rollover.
4. Rollover the IDs of all users to the use of 1024-bit or 2048-bit keys. The new keys are protected by the AES encryption mandated for the IDs in Step 2 above.
5. Use a Security Settings document and policy to configure all users to use AES for mail and document encryption by choosing the option "Use FIPS 140-2 algorithms for Notes encryption (requires 8.0.x or higher server and client)" in the Security Settings document. Note that the use of this option would prevent clients running release 8.0 or an earlier release from decrypting mail and documents, but this is not a concern because the agency has upgraded all servers and users to release 8.0.1. For more information, see the infocenter topic Configuring AES for mail and document encryption.

Scenario 2: Deploying FIPS 140-2 certified Notes ID and document encryption for a subset of users in a domain
In this scenario, an agency of the US Federal Government has a mandate to implement FIPS-certified cryptographic libraries for encryption of user ID files and confidential e-mail and documents over a period of time. As a first step, the agency will implement this capability for a subset of users in its domain. The agency currently has Domino 7.0.3 servers and Notes 6.5.4 clients, all deployed on the 32-bit Windows platform. The agency will perform the following steps.
1. Upgrade the Domino home servers and Notes clients of the subset of users in the domain to release 8.0.1. For more information, see the IBM Lotus Notes and Domino 8 Deployment Guide.
2. Use a Security Settings document and policy to use AES to encrypt the ID files of the subset of users. Select "Mandated encryption standards" using 128-bit AES encryption, and accept the default key derivation strength, 5000. Although 256-bit AES encryption is available, 128-bit encryption is sufficiently strong for the foreseeable future, and 256-bit encryption can cause delays on lower-end clients, currently. Assign the policy only to the subset of users in the domain. For more information, see the infocenter topic Configuring encryption for ID files.
3. Rollover the IDs of the home servers of the subset of users to the use of 1024-bit or 2048-bit keys. 1024-bit or greater keys are required to use a FIPS 140-2 approved algorithm for document and mail encryption. For more information, see the infocenter topic User and server key rollover.
4. Rollover the IDs of the subset of users to the use of 1024-bit or 2048-bit keys. The new keys are protected by the AES encryption mandated for the IDs in Step 2 above.
5. Use the "Encryption Capabilities" tool in the Domino Administrator to select "Capable of decrypting FIPS 140-2" for the subset of users. When these users encrypt mail or documents, AES is used only if the Person documents of all of the recipients specify "Capable of decrypting FIPS 140-2." For more information, see the infocenter topic Configuring AES for mail and document encryption.