Making DAOS object encryption keys consistent

Use the DAOS Encryption Manager task (daosencmgr) to make all DAOS objects on a server use the same encryption strength and encryption keys.

About this task

Domino 12 introduced shared encryption keys and AES-256 bit support for DAOS object encryption. Use daosencmgr, a Domino task introduced in Domino 12.0.2, to:
  • List information about the encryption keys in use for all DAOS objects associated with a Domino server.
  • Convert object encryption keys to match the DAOS object encryption settings in the DAOS tab of the Server document in the Domino directory, if they don't currently match.

For example, use daosencmgr to re-encrypt objects with a shared encryption key so that objects can be used on any server that is configured to use the same shared key. A shared encryption key makes it possible to copy objects from one server to another or to use a single backup for multiple Domino servers.

It's likely that you'll use daosencmgr for a limited time and won't need to run it regularly after keys are converted to match the Server DAOS object encryption settings.

At the server console, run load daosencmgr with the list or convert options:
Option Description
list -O <outfile> all
Lists the following information at the server console:
  • The DAOS encryption settings configured in the Server document.
  • The types of object encryption keys used currently on the local server.
  • The object encryption keys on the local server that don't match the server's current DAOS encryption settings.

Use the all option to list, in addition, the tier 2 objects in S3 storage that don't match the server's current DAOS encryption settings. If there are many tier 2 objects, the command may take a long time to complete.

Use the -O <outfile> option to list the DAOS object files that are output in a file rather than at the server console. Specify an explicit file path or a file path relative to the data directory.

convert-O <outfile> -t <hours> -k <nlokey> -V
Re-encrypts local objects on the server that don't match the server's current DAOS object encryption settings to use the configured encryption strength and encryption keys.
Note: Re-encryption of tier 2 objects (objects in S3 storage) isn't supported.

A message indicates if an object cannot be re-encrypted. This can occur if the encryption key is no longer available in the credential store, if the object is in tier 2 storage, or the current encryption information is otherwise unavailable.

Use -t <hours> to run convert for a specified number of hours. If there are many objects requiring re-encryption, use this option to stagger the re-encryption in batches. Without -t there is no time limit.

Use the -k <nlokey> option to re-encrypt a single .nlo file to match the server's current DAOS object encryption settings. Do not specify the .nlo extension.

Use the -O <outfile> option to list the converted .nlo files in a file rather than at the server console. Specify an explicit file path or a file path relative to the data directory.

Use the -V option to enable verbose output that displays the status of each attempted conversion.

Example

Example console output: load daosencmgr list Example console output for the load daosencmgr list command with numbered keys that are explained after
  • 1 DAOS object encryption settings in the Server document.
  • 2 A summary of the encryption methods and keys that were used to encrypt DAOS objects on this server and the number of objects using each unique encryption method and key.
  • 3 DAOS objects with keys that don't match DAOS object encryption settings and can be re-encrypted with convert. Grouped by encryption key identifier.
  • 4 DAOS objects with keys that don't match the DAOS object encryption settings but that cannot be re-encrypted with convert.
Example console output: load daosencmgr list -O danaenc.txt, where DAOS objects are listed in the file danaenc.txt in the data directory. Example console output for the load daosencmgr list outfile command
Example console output for load daosencmgr convert -k <objectkey> -VExample console output for the load daosencmgr convert -k <objectkey>