
Encrypted Mail Choices while migrating from Lotus Notes

In a previous post I went into a long explanation of how mail encryption works, which is of course different from database encryption. Since then I've received questions asking what the options are for dealing with encrypted email during a migration. Ideally an encrypted email would migrate to Office 365/Exchange and still be encrypted. Out of the box, each Notes user has an ID file that holds an RSA key pair (public and private key) together with the certificates that vouch for it; the public key is published in the user's Person document in the Domino Directory, so anyone on the system can encrypt mail to that user. If you Google "encrypt email outlook" you will see that the first step is to select a certificate to use: Outlook encrypts with S/MIME certificates that have nothing to do with the Notes keys, so migration software has no way to carry the Notes ciphertext across. As far as I know there is no software that will keep the email encrypted. I will outline four ways that you could handle encrypted emails and point out the pros and cons of each approach.

Your pre-migration report will identify which mail files contain encrypted emails. Your approach will vary according to your findings.

Technical Information
When an email is flagged for encryption, the sending client (or the server, for users whose incoming mail the router encrypts on delivery) looks up the recipient's public key in the Domino Directory and encrypts the Body of the email to it. Strictly, Notes encrypts the field with a random document key and then encrypts that key to each recipient's public key, which is how one message can be readable by several recipients. Decrypting the message requires the matching private key, which exists only in the user's ID file, and the ID file is itself encrypted with the user's password. To those of you waving your hands and saying "what about the ID Vault?": if you understand the ID Vault you really don't need this simple explanation.

Most mail migration software works in the following manner. We create a Migration Workstation (MW) to handle the migration, install a Notes client on it, and use a Notes ID file that has (at least Reader) access to all of the mail files; I usually ask my clients to create an ID for this purpose. So the MW can read all of the mail files on the Domino mail server. Notes and Exchange store email, contacts and calendar entries differently, and this is where the mail migration software sits: it reads each Notes document and massages it into a format that Exchange/Office 365 can understand. The MW also needs Outlook installed in order to write the information to Exchange/Office 365.

When we start the migration of a mail file, the Notes ID used by the migration software reads the email/contacts/calendar entries, massages them and writes them to Exchange/Office 365, until it hits an encrypted mail message. Decrypting that message requires the private key in the mail owner's ID file, and the Notes ID used by the migration software doesn't hold it. The migration ID can tell that the document is encrypted (that is a flag on the document, visible to anyone with Reader access), but it cannot read the body. If we do nothing, the message is still migrated, but most migration software replaces the body with a note saying that the body was encrypted, which is what the user sees when they open the message in Outlook.
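As an added illustration (this is my own example here, not code from the post's pre-migration report or from any migration product), the LotusScript agent below is the kind of scan the Migration Workstation can run under the migration ID before anything is moved. It walks every database under the mail directory of an assumed server and counts the documents whose IsEncrypted flag is set. The point to notice is that the migration ID can read the flag, because it is document metadata that Reader access exposes, while the Body of those documents stays unreadable to it. The server name "Mail01/Acme", the "mail\" directory prefix (a Windows Domino server) and the use of Print for output are assumptions.

```lotusscript
' Added example, not from the original post: pre-migration scan for encrypted
' documents, run under the migration ID. Assumes a Windows Domino server whose
' mail files live under "mail\" and a hypothetical server name "Mail01/Acme".
Sub Initialize
	Dim session As New NotesSession
	Dim dbdir As NotesDbDirectory
	Dim db As NotesDatabase
	Dim coll As NotesDocumentCollection
	Dim doc As NotesDocument
	Dim encryptedCount As Long
	Dim filesWithEncrypted As Long
	Dim filesScanned As Long
	Const SERVER_NAME = "Mail01/Acme"   ' assumption: hypothetical Domino server
	Const MAIL_DIR = "mail\"            ' assumption: Windows path separator

	Set dbdir = session.GetDbDirectory(SERVER_NAME)
	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		If LCase$(Left$(db.FilePath, Len(MAIL_DIR))) = MAIL_DIR Then
			' Open with the credentials of the current (migration) ID. Reader
			' access is enough to walk the documents and read the flag.
			If db.Open("", "") Then
				filesScanned = filesScanned + 1
				encryptedCount = 0
				Set coll = db.AllDocuments
				Set doc = coll.GetFirstDocument
				Do Until doc Is Nothing
					' IsEncrypted is True when any item in the note is encrypted.
					' Reading the flag needs no key; reading the Body of such a
					' document with this ID would not yield the plaintext.
					If doc.IsEncrypted Then encryptedCount = encryptedCount + 1
					Set doc = coll.GetNextDocument(doc)
				Loop
				If encryptedCount > 0 Then
					filesWithEncrypted = filesWithEncrypted + 1
					Print db.FilePath & ": " & CStr(encryptedCount) & " encrypted document(s)"
				End If
			Else
				' The migration ID is missing from this file's ACL; fix that
				' before the migration run, or the whole file will be skipped.
				Print db.FilePath & ": migration ID cannot open this mail file"
			End If
		End If
		Set db = dbdir.GetNextDatabase
	Loop
	Print CStr(filesScanned) & " mail files scanned, " & CStr(filesWithEncrypted) & " contain encrypted mail"
End Sub
```

Run it as an agent from the Migration Workstation while signed in with the migration ID, so the "cannot open" lines double as a check of the ACL work. The per-file counts feed the decision below: a handful of encrypted messages per file points to the forward or button approaches, while files that cannot be opened at all are an ACL problem, not an encryption one.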

1.) Forward the email
If the pre-migration report (or the user) finds that some emails did not migrate, one choice is to have the user go back to their Notes mail and forward the encrypted emails to their Exchange mailbox. Because they are using their own Notes ID file, which contains the private key, they can decrypt the Body field. Since they are forwarding to an Internet address and the Notes client has no public key for the target recipient, the message goes out in plain text.
- Simple to implement.
- The date is set to the current date and the From field is the forwarding user rather than the original sender, so the message falls out of its original sequence.
- No encryption is applied when the message is forwarded, so it crosses the mail path in the clear and arrives in Exchange unencrypted.
- Users will have difficulty locating the encrypted emails, since encryption is not readily apparent when looking at a view.
- They will need a Notes client with a current ID file. The certificates in a Notes ID file expire periodically, and if they get a new computer they will need to install Notes and copy the ID file from the old one.
- The target environment has to be configured and ready to accept email; if we are pre-staging, the target environment might not be available yet.

2.) User receives an email with a button which decrypts the entire mail file
When we run the pre-migration application we know which users have encrypted emails. We prepare an email that includes a button which removes the encryption, and send it from a Notes client to the user's Notes mail file (Outlook doesn't know what to do with the "active element" in the body of the message). Because the user opens it with their own ID file, the button's code can read each encrypted body and then save the document without encryption.
- This preserves the date and From fields, so the email stays in its original sequence.
- With some migration software we can report back to the control database that the user has clicked the Decrypt Mail button.
- The email is no longer encrypted in the mail file. This means the migration ID can read it, and so can every other ID that has Reader access to the mail file, administrators included.
- The button needs to be sent from a Notes client and executed in a Notes client. If the user's mail is being forwarded to Exchange/Office 365, Outlook strips the button and its decryption code. An experienced Notes administrator can instead copy the button code straight into the mail file.
- An unexpected message asking the user to click a button that runs code against their whole mail file is exactly the shape of a phishing lure, so announce the campaign through another channel first and send the message signed with an ID the users' Execution Control List (ECL) trusts; otherwise the ECL will warn the user that code from an unknown signer is trying to access the current database, and the cautious users you want will decline.
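As an added example of what such a button can contain (my own illustration here, not the code from the Remove Encryption Button post or from any vendor), the Click event below opens the mail file of the user who clicked, clears the encryption flag on every encrypted item of every encrypted document, and saves the document back in the clear. Because the code runs in the owner's Notes client with the owner's ID, Notes decrypts the items transparently when they are read; the save then writes plaintext while Form, dates and From stay untouched. Documents that cannot be decrypted or saved are counted instead of aborting the run, and a short status memo is sent to a control mailbox so the migration team knows the button was clicked. The control address "MigrationControl@acme.example" is an assumption.

```lotusscript
' Added example, not from the original post: Click event of a "Decrypt Mail"
' button. Runs in the mail owner's Notes client with the owner's ID, so the
' private key is available. The control address is an assumption.
Sub Click(Source As Button)
	Dim session As New NotesSession
	Dim db As New NotesDatabase("", "")
	Dim coll As NotesDocumentCollection
	Dim doc As NotesDocument
	Dim status As NotesDocument
	Dim decrypted As Long
	Dim failed As Long
	Dim touched As Boolean
	Const CONTROL_ADDRESS = "MigrationControl@acme.example"   ' assumption

	' Open the current user's own mail file. Decryption only works because
	' the ID in use is the mail owner's, the one the messages were encrypted to.
	Call db.OpenMail

	Set coll = db.AllDocuments
	Set doc = coll.GetFirstDocument
	Do Until doc Is Nothing
		If doc.IsEncrypted Then
			On Error GoTo SkipDocument
			touched = False
			' Each encrypted item was decrypted on read with this ID.
			' Clearing IsEncrypted makes the next save write it in the clear.
			ForAll anItem In doc.Items
				If anItem.IsEncrypted Then
					anItem.IsEncrypted = False
					touched = True
				End If
			End ForAll
			' Save(force, createResponse): overwrite even if the note changed
			' meanwhile, and never create a response document. Form, PostedDate
			' and From are not modified, so the message keeps its place in the
			' mail file and migrates with the correct metadata.
			If touched Then
				If doc.Save(True, False) Then
					decrypted = decrypted + 1
				Else
					failed = failed + 1
				End If
			End If
			On Error GoTo 0
		End If
NextDocument:
		Set doc = coll.GetNextDocument(doc)
	Loop

	' Report back so the migration team can schedule this mail file. Sent as an
	' ordinary Notes memo through the router; the recipient is hypothetical.
	Set status = db.CreateDocument
	status.Form = "Memo"
	status.Subject = "Decrypt Mail button run by " & session.CommonUserName
	status.Body = CStr(decrypted) & " document(s) decrypted, " & CStr(failed) & " failed"
	Call status.Send(False, CONTROL_ADDRESS)

	Messagebox CStr(decrypted) & " message(s) decrypted, " & CStr(failed) & " could not be decrypted.", 0, "Decrypt Mail"
	Exit Sub

SkipDocument:
	' A document this ID cannot decrypt or save (for example one encrypted with
	' a secret key the user does not hold). Count it and carry on.
	failed = failed + 1
	Resume NextDocument
End Sub
```

Two things to keep in mind when sending it. The button is signed by the ID that creates the memo, so send it from an ID the users' ECL already trusts, or the first thing they see is an ECL alert about code accessing the current database. And once it has run, the mail file holds those messages in plaintext for everyone with Reader access, which is the trade-off the rest of this option describes.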

3.) Self-serve option
Some migration software offers a self-serve option: the end user actually executes the migration themselves, logging in with their own Notes ID file and password, so the private key is available to the migration software while it runs.
- The mail message in the Notes mail file remains encrypted; it is not encrypted in the target mail system.
- The user needs to take the action to migrate the mail.
- The user's computer could be tied up for a long time while their mail file migrates.
- The migration manager is no longer controlling the schedule of the migrations, and the mail servers could become overloaded.

4.) Copy encrypted email to an NSF
Some software will copy the encrypted messages into a new NSF and attach that NSF to the migrated mail message.
- The message remains encrypted, both in the original mail file and in the target mail file: the body is still the Notes ciphertext, and only the user's ID file can open it.
- The user needs to keep a Notes client on their computer indefinitely; if they get a new computer, Notes needs to be installed on it.
- When the certificates in the ID file expire, the ID file will have to be recertified with the certifier ID using the Domino Administrator software.

After completing fifteen mail migrations for a wide variety of companies and a university, I have never run into a great many encrypted documents. My pre-migration report typically shows that 10-15% of the mail files contain a few encrypted emails.

None of my clients was concerned enough to copy the encrypted emails to an NSF, and none chose the self-service approach. Since the emails would eventually end up in Exchange/Office 365 unencrypted, they were not concerned that the emails were decrypted in Notes as well as in Exchange/Office 365.

If you have any questions, email me using the link below.

Author's Background
I am a Notes consultant with twenty-seven years of experience (almost exclusively with Lotus Notes/Domino). My experience with Notes began when I worked as a Senior Computer Consultant for Price Waterhouse. In 1993 I went to work for Lotus Development Corporation as a Senior Notes/Domino Instructor. I started teaching Application Development and System Administration with Version 3 and helped to develop the course materials for Version 4.x and Release 5.x. When LotusScript, JavaScript and Java were added to Notes/Domino I started teaching those programming languages.

In 1995, IBM acquired Lotus. For several years we were left alone and the culture did not change. It was a lot of fun to work for Lotus. In 1999 the handwriting was on the wall and I decided it was time for me to leave. So I established V&M to do Lotus Notes/Domino Application Development, System Administration and Training. I've been at it ever since. The life of the consultant is constantly changing. It has given me the chance to travel across Canada and the United States, Scotland, England, Bermuda, Jamaica, Barbados and Hawaii. No travel to the Far East yet. Anyone?

For the last seven years I have been helping companies move their data from Lotus Notes to the Microsoft platform.


Email John

Copyright 1999-2019, John Vanderhoff. All rights reserved. This document is NOT in the public domain and remains the property of John Vanderhoff. Distribution or modification of this document without the knowledge, review and express permission of John Vanderhoff is strictly prohibited.