Deploying FIPS 140-2 certified ID and document encryption
Added by Kendra Bowker | Edited by IBM contributor Kendra Bowker on August 29, 2008 | Version 6
Tags: encryption, FIPS

Federal Information Processing Standard (FIPS) 140-2 is the US government standard that specifies security requirements for cryptographic modules; agencies subject to it must perform their cryptography with libraries validated against it. Lotus Domino and Notes 8.0.1 (32-bit Microsoft Windows platform only) ship with a FIPS 140-2 certified cryptographic library. Two scenarios for deploying FIPS 140-2 certified ID encryption and mail/document encryption are described below.

Scenario 1: Deploying FIPS 140-2 certified Notes ID and document encryption for all users in a domain

In this scenario, an agency of the US Federal Government has a mandate to use FIPS-certified cryptographic libraries for encryption of all user IDs and confidential e-mail and documents throughout a domain. The agency has Domino 7.0.3 servers and Notes 6.5.4 clients, all deployed on the 32-bit Windows platform. The agency will perform the following steps.
1. Upgrade all the Domino servers and Notes clients in the domain to release 8.0.1. For more information, see the infocenter topic IBM Lotus Notes and Domino 8 Deployment Guide.
2. Use a Security Settings document and policy to encrypt the ID files of all users with AES. Select "Mandated encryption standards" with 128-bit AES encryption, so that the IDs are automatically and silently re-encrypted with AES and users are required to use AES when changing passwords. Accept the default key derivation strength, 5000 (the work factor of the password-to-key derivation: a higher value slows offline password guessing against a stolen ID file, at the cost of slower ID unlocking). Although 256-bit AES encryption is available, 128-bit encryption is sufficiently strong for the foreseeable future, and 256-bit encryption can currently cause delays on lower-end clients. Assign the policy to all users in the domain. For more information, see the infocenter topic Configuring encryption for ID files.
3. Roll over the IDs of all servers to 1024-bit or 2048-bit keys. Keys of 1024 bits or more are required to use a FIPS 140-2 approved algorithm for document and mail encryption. Prefer 2048-bit keys where the clients can handle them: 1024-bit RSA meets the 8.0.1 minimum, but NIST has since deprecated it (SP 800-131A). For more information, see the infocenter topic User and server key rollover.
4. Roll over the IDs of all users to 1024-bit or 2048-bit keys. The new keys are protected by the AES encryption mandated for the IDs in Step 2 above.
5. Use a Security Settings document and policy to configure all users to use AES for mail and document encryption by choosing the option "Use FIPS 140-2 algorithms for Notes encryption (requires 8.0.x or higher server and client)" in the Security Settings document. With this option set, clients running release 8.0 or earlier cannot decrypt the resulting mail and documents. This is not a concern here because the agency has upgraded all servers and clients to release 8.0.1, but it is the reason Step 1 must be complete before this step. For more information, see the infocenter topic Configuring AES for mail and document encryption.

Scenario 2: Deploying FIPS 140-2 certified Notes ID and document encryption for a subset of users in a domain

In this scenario, an agency of the US Federal Government has a mandate to implement FIPS-certified cryptographic libraries for encryption of user ID files and confidential e-mail and documents over a period of time. As a first step, the agency will implement this capability for a subset of users in its domain. The agency currently has Domino 7.0.3 servers and Notes 6.5.4 clients, all deployed on the 32-bit Windows platform.  The agency will perform the following steps.
1. Upgrade the Domino home servers and Notes clients of the subset of users in the domain to release 8.0.1. For more information, see the IBM Lotus Notes and Domino 8 Deployment Guide.
2. Use a Security Settings document and policy to encrypt the ID files of the subset of users with AES. Select "Mandated encryption standards" with 128-bit AES encryption, and accept the default key derivation strength, 5000. Although 256-bit AES encryption is available, 128-bit encryption is sufficiently strong for the foreseeable future, and 256-bit encryption can currently cause delays on lower-end clients. Assign the policy only to the subset of users in the domain. For more information, see the infocenter topic Configuring encryption for ID files.
3. Roll over the IDs of the home servers of the subset of users to 1024-bit or 2048-bit keys. Keys of 1024 bits or more are required to use a FIPS 140-2 approved algorithm for document and mail encryption. For more information, see the infocenter topic User and server key rollover.
4. Roll over the IDs of the subset of users to 1024-bit or 2048-bit keys. The new keys are protected by the AES encryption mandated for the IDs in Step 2 above.
5. Use the "Encryption Capabilities" tool in the Domino Administrator to select "Capable of decrypting FIPS 140-2" for the subset of users. When these users encrypt mail or documents, AES is used only if the Person documents of all of the recipients specify "Capable of decrypting FIPS 140-2"; if any recipient lacks the flag, the pre-8.0.1 encryption is used so that recipient can still read the item. Set the flag only for users whose clients and keys have completed Steps 1 to 4, because a user marked capable but still running release 8.0 or earlier would receive AES-encrypted mail that the client cannot decrypt. For more information, see the infocenter topic Configuring AES for mail and document encryption.
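As an added example (not part of the original article and not IBM Lotus Notes/Domino code), the following Python script performs the pre-flight check an administrator would want before Step 5 of either scenario: it reads an export of Person-document attributes and flags every user whose client version, key length, ID-file encryption or "Capable of decrypting FIPS 140-2" flag is not yet in the state the steps above require. The CSV column names and the sample rows are assumptions constructed for this example, not a built-in Domino export format; the administrator would produce such an export from the Domino Directory before running it.

```python
"""Pre-flight check before turning on FIPS 140-2 (AES) Notes encryption.

Added example; not IBM Lotus Notes/Domino code. Assumes the administrator
has exported the relevant Person-document attributes to CSV with the column
names used below (the names are assumptions for this example, not the
actual Domino Directory item names).
"""
import csv
import io

# Constructed sample export (not real directory data).
SAMPLE_EXPORT = """\
user,client_version,key_bits,id_encryption,fips_capable
Alice Adams/ACME,8.0.1,2048,AES-128,yes
Bob Brown/ACME,8.0.1,1024,AES-128,yes
Carol Chen/ACME,8.0,2048,AES-128,yes
Dan Diaz/ACME,8.0.1,630,RC2,no
Eve Evans/ACME,6.5.4,630,RC2,no
"""

MIN_KEY_BITS = 1024     # required for the FIPS 140-2 approved mail/document algorithm
MIN_CLIENT = (8, 0, 1)  # first release shipping the FIPS 140-2 certified library


def parse_version(text):
    """'8.0' -> (8, 0, 0), '8.0.1' -> (8, 0, 1); padded so tuples compare correctly."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def check_person(row):
    """Return the reasons this user is not ready for AES mail; empty list means ready."""
    problems = []
    if parse_version(row["client_version"]) < MIN_CLIENT:
        problems.append("client %s is older than 8.0.1 and cannot decrypt AES mail"
                        % row["client_version"])
    if int(row["key_bits"]) < MIN_KEY_BITS:
        problems.append("%s-bit key; roll over to 1024 or 2048 bits" % row["key_bits"])
    if not row["id_encryption"].strip().upper().startswith("AES"):
        problems.append("ID file not AES-encrypted; apply the mandated encryption standards policy")
    if row["fips_capable"].strip().lower() != "yes":
        problems.append("'Capable of decrypting FIPS 140-2' not set in Person document")
    return problems


def load_export(csv_text):
    """Map user name -> exported row."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def readiness_report(rows):
    """Map user name -> list of problems found by check_person."""
    return {user: check_person(row) for user, row in rows.items()}


def ready_users(report):
    return sorted(user for user, probs in report.items() if not probs)


def can_mandate_fips(report):
    """Scenario 1, Step 5: the domain-wide "Use FIPS 140-2 algorithms" option is
    safe only when no user in the report would be locked out of encrypted mail."""
    return all(not probs for probs in report.values())


def aes_used_for(rows, recipients):
    """Scenario 2, Step 5: the sender's client uses AES only if every recipient's
    Person document carries the 'Capable of decrypting FIPS 140-2' flag."""
    return all(rows[r]["fips_capable"].strip().lower() == "yes" for r in recipients)


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    report = readiness_report(rows)
    for user, probs in report.items():
        print(user, "READY" if not probs else "; ".join(probs))
    print("domain-wide FIPS mandate safe:", can_mandate_fips(report))
```

In the constructed data, Carol is marked capable but still runs release 8.0, which is exactly the misconfiguration the report is meant to catch: `aes_used_for` would pick AES for her, and her client could not decrypt the result.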