Making DAOS object encryption keys consistent
Use the DAOS Encryption Manager task (daosencmgr) to make all DAOS objects on a server use the same encryption strength and encryption keys.
About this task
- List information about the encryption keys in use for all DAOS objects associated with a Domino server.
- Convert object encryption keys to match the DAOS object encryption settings in the DAOS tab of the Server document in the Domino directory, if they don't currently match.
For example, use daosencmgr to re-encrypt objects with a shared encryption key so that objects can be used on any server that is configured to use the same shared key. A shared encryption key makes it possible to copy objects from one server to another or to use a single backup for multiple Domino servers.
It's likely that you'll use daosencmgr for a limited time and won't need to run it regularly after keys are converted to match the Server DAOS object encryption settings.
Option | Description
---|---
list -O <outfile> all | Lists the following information at the server console: (1) the DAOS object encryption settings in the Server document; (2) a summary of the encryption methods and keys that were used to encrypt DAOS objects on this server, with the number of objects using each unique encryption method and key; (3) DAOS objects with keys that don't match the DAOS object encryption settings and that can be re-encrypted with convert, grouped by encryption key identifier; (4) DAOS objects with keys that don't match the DAOS object encryption settings but that cannot be re-encrypted with convert. Use the all option to list, in addition, the tier 2 objects in S3 storage that don't match the server's current DAOS encryption settings. If there are many tier 2 objects, the command may take a long time to complete. Use the -O <outfile> option to write the list of DAOS object files to a file rather than to the server console. Specify an explicit file path or a file path relative to the data directory.
convert -O <outfile> -t <hours> -k <nlokey> -V | Re-encrypts local objects on the server that don't match the server's current DAOS object encryption settings so that they use the configured encryption strength and encryption keys. Note: Re-encryption of tier 2 objects (objects in S3 storage) isn't supported. A message indicates if an object cannot be re-encrypted. This can occur if the encryption key is no longer available in the credential store, if the object is in tier 2 storage, or if the current encryption information is otherwise unavailable. Use -t <hours> to run convert for a specified number of hours. If there are many objects requiring re-encryption, use this option to stagger the re-encryption in batches. Without -t there is no time limit. Use the -k <nlokey> option to re-encrypt a single .nlo file to match the server's current DAOS object encryption settings. Do not specify the .nlo extension. Use the -O <outfile> option to write the list of converted .nlo files to a file rather than to the server console. Specify an explicit file path or a file path relative to the data directory. Use the -V option to enable verbose output that displays the status of each attempted conversion.
Example
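The list-then-convert workflow from the table, shown as a Domino server console session. This is an added example, not part of the HCL documentation: the output file names, the four-hour window, the EXAMPLE_NLO_KEY placeholder (a real value is the .nlo file name without its extension) and the use of the load command to start the task are assumptions.

```console
> load daosencmgr list -O daosenc_audit.txt all
> load daosencmgr convert -O daosenc_batch1.txt -t 4 -V
> load daosencmgr convert -k EXAMPLE_NLO_KEY -V
> load daosencmgr list -O daosenc_audit_after.txt all
```

The first list run produces the audit report (settings in the Server document, per-key object counts, and the convertible and non-convertible mismatches) in daosenc_audit.txt before anything is changed. The convert run with -t 4 re-encrypts mismatched local objects for at most four hours and records each converted .nlo file in daosenc_batch1.txt; repeat it with a new output file until the list report shows no convertible mismatches. The -k form handles one object whose status you want to confirm with verbose output. Objects that remain in the fourth category of the final report cannot be fixed by this task: they are tier 2 objects or their original key is missing from the credential store, so that key has to be restored before convert can use it.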