Federal Information Processing Standard (FIPS) regulates cryptography and
the use of cryptographic libraries. Lotus Domino and Notes 8.0.1 (32-bit
Microsoft Windows platform only) now ships with a FIPS 140-2 certified
cryptographic library. Described below are two scenarios for deploying
FIPS 140-2 certified ID encryption and mail/document encryption.

Scenario 1: Deploying FIPS 140-2 certified Notes ID and document encryption for all users in a domain

In this scenario, an agency of the US Federal Government has a mandate
to use FIPS-certified cryptographic libraries for encryption of all user
IDs and confidential e-mail and documents throughout a domain. The agency
has Domino 7.0.3 servers and Notes 6.5.4 clients, all deployed on the 32-bit
Windows platform. The agency will perform the following steps.
1. Upgrade all the Domino servers and Notes clients in the domain to
release 8.0.1. For more information, see the infocenter topic
IBM Lotus Notes and Domino 8 Deployment Guide.
2. Use a Security Settings document and policy to use AES to encrypt the
ID files of all users. Select "Mandated encryption standards" using 128-bit
AES encryption, so that the IDs are automatically and silently encrypted
with AES, and users are required to use AES when changing passwords. Accept
the default key derivation strength, 5000. Although 256-bit AES encryption
is available, 128-bit encryption is sufficiently strong for the foreseeable
future, and 256-bit encryption can currently cause delays on lower-end
clients. Assign the policy to all users in the domain. For more information,
see the infocenter topic Configuring encryption for ID files.
3. Roll over the IDs of all servers to use 1024-bit or 2048-bit keys.
Keys of 1024 bits or greater are required to use a FIPS 140-2 approved
algorithm for document and mail encryption. For more information, see the
infocenter topic User and server key rollover.
4. Roll over the IDs of all users to use 1024-bit or 2048-bit keys. The
new keys are protected by the AES encryption mandated for the IDs in
Step 2 above.
5. Use a Security Settings document and policy to configure all users to
use AES for mail and document encryption by choosing the option "Use FIPS
140-2 algorithms for Notes encryption (requires 8.0.x or higher server and
client)" in the Security Settings document. Note that the use of this option
would prevent clients running release 8.0 or an earlier release from
decrypting mail and documents, but this is not a concern because the agency
has upgraded all servers and users to release 8.0.1. For more information,
see the infocenter topic Configuring AES for mail and document encryption.

Scenario 2: Deploying FIPS 140-2 certified Notes ID and document encryption for a subset of users in a domain

In this scenario, an agency of the US Federal Government has a mandate
to implement FIPS-certified cryptographic libraries for encryption of user
ID files and confidential e-mail and documents over a period of time. As
a first step, the agency will implement this capability for a subset of
users in its domain. The agency currently has Domino 7.0.3 servers and
Notes 6.5.4 clients, all deployed on the 32-bit Windows platform. The
agency will perform the following steps.
1. Upgrade the Domino home servers and Notes clients of the subset of users
in the domain to release 8.0.1. For more information, see the
IBM Lotus Notes and Domino 8 Deployment Guide.
2. Use a Security Settings document and policy to use AES to encrypt the
ID files of the subset of users. Select "Mandated encryption standards"
using 128-bit AES encryption, and accept the default key derivation
strength, 5000. Although 256-bit AES encryption is available, 128-bit
encryption is sufficiently strong for the foreseeable future, and 256-bit
encryption can currently cause delays on lower-end clients. Assign the
policy only to the subset of users in the domain. For more information,
see the infocenter topic Configuring encryption for ID files.
3. Roll over the IDs of the home servers of the subset of users to use
1024-bit or 2048-bit keys. Keys of 1024 bits or greater are required to use
a FIPS 140-2 approved algorithm for document and mail encryption. For more
information, see the infocenter topic User and server key rollover.
4. Roll over the IDs of the subset of users to use 1024-bit or 2048-bit
keys. The new keys are protected by the AES encryption mandated for the IDs
in Step 2 above.
5. Use the "Encryption Capabilities" tool in the Domino Administrator to
select "Capable of decrypting FIPS 140-2" for the subset of users. When
these users encrypt mail or documents, AES is used only if the Person
documents of all of the recipients specify "Capable of decrypting FIPS
140-2." For more information, see the infocenter topic Configuring AES for
mail and document encryption.
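
The rule in Step 5, together with the release and key-size prerequisites from Steps 1, 3 and 4, can be expressed as a small readiness check. This is an added example, not IBM code or a Domino API; the Person fields and the sample directory entries are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

MIN_RELEASE = (8, 0, 1)  # from the page: the FIPS library ships with 8.0.1
MIN_KEY_BITS = 1024      # from the page: 1024-bit or greater keys required


@dataclass
class Person:
    # Hypothetical field names; this is not the Domino Directory schema.
    name: str
    client_release: str
    key_bits: int
    fips_capable: bool  # "Capable of decrypting FIPS 140-2" is selected


def parse_release(text):
    """Turn '8.0.1' into (8, 0, 1), padding short forms such as '8.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def blockers(person):
    """Return the reasons this person is not ready for AES-encrypted mail."""
    reasons = []
    if parse_release(person.client_release) < MIN_RELEASE:
        reasons.append("client older than 8.0.1")
    if person.key_bits < MIN_KEY_BITS:
        reasons.append("key shorter than 1024 bits")
    if not person.fips_capable:
        reasons.append("capability not set in Person document")
    return reasons


def aes_used(recipients):
    """Step 5: AES is used only if every recipient is marked capable."""
    return all(r.fips_capable for r in recipients)


def audit(recipients):
    """Map each recipient that has a problem to its list of reasons."""
    return {r.name: b for r in recipients if (b := blockers(r))}


# Constructed sample entries, not real directory data.
DIRECTORY = [
    Person("Alice", "8.0.1", 2048, True),
    Person("Bob", "8.0.1", 1024, True),
    Person("Carol", "6.5.4", 512, False),
    Person("Dave", "8.0", 1024, True),  # capability flag set before upgrade
]
```

The Dave entry is the case worth auditing for during a phased rollout: the capability flag alone would let senders choose AES, although a client on release 8.0 or earlier cannot decrypt the result.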