We currently use version 7 of Lotus Notes (mandated use by our parent company) however we will be upgrading to version 8.0.1 or later at some point in the future.
We have a requirement to be able to send high-strength encrypted emails between our four offices, which are connected by a VPN through Cisco firewalls, we have a single central Domino server in our head office.
I understand Lotus Notes versions 8.0.1 and later support high-strength encryption (AES 256-bit).
Can anyone advise me whether the encryption takes place on users’ desktops (e.g. encrypted by the client) or whether the encryption takes place at the Domino server? This is of interest since, if messages are encrypted at the server, they would not be high-strength encrypted while being transmitted via the internet through our VPN.
The topic “Mail Encryption” found within the Lotus Administrator Help database may provide the information that you seek. The point at which a message actually gets encrypted depends upon whether you’re referring to inbound/outbound email on a Lotus Notes client, a Lotus DWA (iNotes) web user, or a Lotus Domino server.
When the Notes client sends encrypted mail, those messages are encrypted by the Notes client. When iNotes sends encrypted mail, the channel from the web browser to the iNotes server may be encrypted via SSL, and the message itself is encrypted by the iNotes server.
Starting in 8.0.1, you can determine the encryption algorithms used for a given message by clicking on the “Signature or Encryption” icon near the right side of the bottom bar of the Notes client.
Before enabling AES for Notes document encryption, you’ll need to roll over your end users’ keys to at least 1024 bit RSA and upgrade your clients to at least 8.0.1.
Starting in 8.0.1, you can set a user’s encryption capabilities via a tool in the admin client, and once a user is on 8.0.1 and using at least 1024 bit RSA keys, you can set “Can decrypt documents using FIPS 140-2 approved algorithms”. If all of the recipients for a message have that setting (or are AES document encryption keys), then the message will be encrypted with AES.
Also starting in 8.0.1, you can set the “big red button” via a security policy setting, which will force users with that policy setting to use FIPS 140-2 approved algorithms for all document encryption. This setting is not recommended unless your entire organization is on 8.0.1 or better and everybody has 1024 bit RSA keys or better.