Configuring encryption for ID files
Any ID used with the current HCL Notes® client benefits from the strong security provided by AES encryption.
About this task
The following options are available for ID file encryption:
- Compatible with all releases (64 bit RC2)
- Compatible with release 6 and later (128 bit RC2)
- Compatible with release 8 and later (128 bit AES)
- Compatible with release 8 and later (256 bit AES)
- Compatible with release 9 and later (128 bit AES and SHA-256)
- Compatible with release 9 and later (256 bit AES and SHA-512)
Perform the following steps to configure ID file encryption:
Procedure
- In the HCL Domino® Administrator client, create a new Security Settings document, or open an existing one.
- Click Password Management and in
the ID File Encryption Settings section, select
one of the following options:
- To use one encryption standard to silently and automatically encrypt the ID files of the users to whom this policy applies, next to Mandated encryption standard, select one encryption standard from the list. The setting you select will be the only one available in the Encryption Strength field of the Notes® client Change Password dialog box.
- To provide users a choice of encryption standard to use the next time they change their passwords, click Allowed encryption standards and select two or more standards from the list. Users select the standard during the process of changing their passwords. Use this option if users run multiple versions of Notes® and you want to allow them to choose the highest encryption level possible for their versions.
- Specify the number of iterations for key derivation strength. Key derivation strengthening is a technique used to make it more costly for malicious attackers to guess likely passwords through a brute force dictionary attack. They work by increasing the time it takes to generate a key from a password. The value for this field is the number of times an HMAC algorithm is applied as part of the operation that generates a key from the password. Specifying a larger number for this value increases the duration of each attempt during a dictionary attack. The default setting for this field is 30,000, which is acceptable in most environments. Organizations with higher security requirements may wish to specify a higher value.
- Save the Security Settings document and assign it to a policy, if you have not already done so.
Example
- All of the Notes® users associated with the policy are running Notes® 8 or later, so you select one of the AES encryption options in the Mandated encryption standard field so that standard is used by all Notes® users.
- Users associated with this policy run Notes® releases earlier than 8. Select Compatible with release 6 and later (128 bit RC2) and one of the AES encryption standards, for example, Compatible with release 8 and later (128 bit AES) in the Allowed encryption standards field. Then users can select the encryption standard suitable for their versions of Notes®.