Public encryption keys

Is there a way in Lotus Script to set the values for Public Encryption Keys in the Document Properties of an e-mail being generated from a non-email Notes database?

For example, send the e-mail to groupmail@company.com and add the values John A. Smith, Bob E. Watson, Joan L. Jones to the Public Encryption Keys in the Document Properties for the e-mail, so that John, Bob, and Joan can go into the group e-mail database logged in with their own IDs and passwords and still read the encrypted e-mails?

John, Bob, and Joan of course would have access to the group e-mail database via the ACL.

Subject: Public encryption keys

Here are a few articles that describe this: http://www.dominopower.com/issues/issue199909/encryption001.html

In the Designer Help: Encrypting documents and fields

Add the field: PublicEncryptionKeys

I haven’t tried this in a while, but I would think EncryptOnSend will encrypt the e-mail being sent into the mail database. In the non-mail database, I had to fill the PublicEncryptionKeys field with the names that could access the document.

Try sending using EncryptOnSend, and see what encryption fields appear in the groupmail database. You may have to run an agent when new mail arrives to lift the names from the “SendTo”, etc., and put these into the PublicEncryptionKeys field.

If you do it right, then the document properties should have the PublicEncryptionKeys field and a field called $Sealed.
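The agent sketched in the reply above, written out as an added example (it is not code from the thread or from IBM): it runs on new mail in the group mail-in database, writes the intended readers into PublicEncryptionKeys, marks the Body field for encryption and calls Encrypt. The reader names are constructed placeholders, and it assumes the agent signer's ID can look up those users' public keys in the Domino Directory.

```lotusscript
' Added example: encrypt newly arrived mail for a fixed set of readers
' using their public keys (PublicEncryptionKeys), not a secret key.
' Assumed trigger: "After new mail has arrived" in the mail-in database.
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim coll As NotesDocumentCollection
	Dim doc As NotesDocument
	Dim body As NotesItem
	' Constructed placeholder names; replace with the real group members.
	Dim readers(2) As String
	readers(0) = "CN=John A Smith/O=Company"
	readers(1) = "CN=Bob E Watson/O=Company"
	readers(2) = "CN=Joan L Jones/O=Company"

	Set db = session.CurrentDatabase
	Set coll = db.UnprocessedDocuments
	Set doc = coll.GetFirstDocument
	While Not doc Is Nothing
		' Skip documents that arrived already encrypted: their items cannot
		' be re-sealed unless the signer also holds the original key.
		If Not doc.IsEncrypted Then
			Select Case UCase(doc.Form(0))
			Case "MEMO", "REPLY"   ' forms to protect; extend as needed
				Set body = doc.GetFirstItem("Body")
				If Not body Is Nothing Then
					' Encrypt seals only items flagged IsEncrypted.
					body.IsEncrypted = True
					' Names whose public keys are used to seal the document.
					Call doc.ReplaceItemValue("PublicEncryptionKeys", readers)
					' Make sure no secret-key encryption is requested as well.
					If doc.HasItem("SecretEncryptionKeys") Then
						Call doc.RemoveItem("SecretEncryptionKeys")
					End If
					Call doc.Encrypt
					Call doc.Save(True, False, True)
				End If
			End Select
		End If
		Set doc = coll.GetNextDocument(doc)
	Wend
	Call coll.UpdateAll   ' mark these documents as processed by this agent
End Sub
```

After the agent has run, a document's properties should show PublicEncryptionKeys alongside the $Seal items, and only the named users (and the signer) can open the Body.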

Subject: RE: Public encryption keys

Thanks for the help. Do you know what the LotusScript might look like to update the PublicEncryptionKeys field? I am not a Notes developer myself, but am responsible for resolving this encryption problem. It would be helpful to have some sample code that I could pass on to the developer.

Thanks.

Subject: RE: Public encryption keys

David:

Here is a complete article with samples of how to approach both private and public encryption keys.

and here is a very useful thread about how to resolve this using script:

http://www-10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/cab867c9ea2dd5d785256f2c005c092b?OpenDocument

However, I just spent a little time testing… and perhaps the best option is to use a SecretEncryptionKey.

(See Designer Help on how to create a Secret Encryption Key)

Then follow the directions on how to automatically encrypt all documents - by adding the SECRET KEY name to the form's Encryption field.

If you’re using a mail template for your group mail database, then you would need to spawn a separate template in order to modify the forms that you want to encrypt with your Secret Key.

Here are the problems:

1- a document could already be encrypted before it arrives in the database - so you have to remove that encryption.

2- You will need to run an agent to encrypt documents as they arrive, and specify which forms need to be encrypted.

3- Because the agent that runs on new mail takes up to 5 minutes to run, documents being sent to GROUP MAIL will be accessible to anyone who has rights to the database.

For instance: MaryA sends a document to Group Mail. She has reader rights to the database, but doesn’t have the Secret Encryption Key in her Notes ID. Until the agent runs to set the Secret Encryption Key, the document is visible to her.

So, you would need to consider when the agent needs to run.

Then you need to configure the mail-in database with the certified public key, and make sure the agent signer is in the server document and allowed to run restricted tasks.

Here is something I noodled out for the agent… not fully tested!

Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim doc As NotesDocument
	Dim item As NotesItem
	Dim temp As NotesItem
	Dim coll As NotesDocumentCollection

	Const item_BODY = "Body"
	Const str_SECRETKEY = "ThrowAway"   ' name of the secret encryption key in the signer's ID

	Set db = session.CurrentDatabase
	Set coll = db.UnprocessedDocuments
	If coll.Count < 1 Then Exit Sub

	Set doc = coll.GetFirstDocument
	While Not doc Is Nothing
		With doc
			Select Case UCase(.Form(0))
			'Add names of forms you want to encrypt here.....
			Case "MEMO", "REPLY"
				'Clear any encryption the document arrived with
				Forall i In doc.Items
					If i.IsEncrypted Then
						i.IsEncrypted = False
					End If
				End Forall
				'IBM Tech Note 1089495
				'Must have at least 1 field encrypted in order to call Encrypt method
				Set temp = New NotesItem(doc, "tempjunk", "temp")
				temp.IsEncrypted = True
				.EncryptionKeys = str_SECRETKEY
				Call .Encrypt
				Call .Save(True, False)
				'This portion can now remove the fields relative to encrypting the
				'single token encrypted field.
				Call .RemoveItem("$Seal")
				Call .RemoveItem("$SealData")
				Call .RemoveItem("SecretEncryptionKeys")
				Call .RemoveItem("PublicEncryptionKeys")
				Call .RemoveItem("Encrypt")
				Call .RemoveItem("tempjunk")
				Call .Save(True, False)
				'Now encrypt the real content (Body) with the secret key
				.EncryptionKeys = str_SECRETKEY
				Set item = .GetFirstItem(item_BODY)
				If Not item Is Nothing Then
					item.IsEncrypted = True
				End If
				Call .Encrypt
				Call .Save(True, False, True)
			Case Else
				'Do nothing
			End Select
		End With
		Set doc = coll.GetNextDocument(doc)
	Wend

	Call coll.UpdateAll   'mark the documents as processed
	Set coll = Nothing
End Sub

Of course, you could always limit who can get into the mail-in database?!

Hope this helps…

Marilyn