V&M Home Page

AVAILABLE for Consultations or Contracting - I hold passports from Canada and The Netherlands. I would be happy to help you - either in person or working remotely.
Email John

Notes Mail Encryption - Explained

As I work on email migrations, it seems to me that some consultants are not comfortable with the mechanism that Notes Mail uses to encrypt emails. They were crossing their fingers and hoping there is no encrypted data. I will try to explain how it works.

Lotus Notes certificates use the RSA algorithm. Certificates are used for Authentication and Encryption. When servers and users are initially registered, an ID file is created. The ID file contains the name and two RSA key pairs. The first pair are unique to the person/server being registered and the second pair are common to the organization. We refer to these as certificates. Optionally there may RSA key pairs for all of the OUs that the server/user belongs to. The ID file is encrypted using the password. The public parts of the key pairs are stored in the Domino Directory.

Now when a user wants to access a server, he must have the ID file and he must know the password. Name and password are not enough. He decrypts the ID file by supplying the password. When he requests access to the server, He sends the server the names of the certificates that he holds. His personal certificate and the organization's certificate. The server compares the certificates and notes that we have the organization certificate in common. The server generates a random number which the server encrypts using the organization's public key and sends it to the user. The user the private key to decrypt the random number and send it back in the clear to the server. The process is then reversed, so that trust occurs in two directions.

Mail Encryption
Now when a user sends an email may choose to encrypt an email in a couple of ways. First under User Security the end user can set a number of preferences:

I worked on an email migration for a Police Department where that had everything encrypted. Fixing it was a little extra work, but entirely doable.

Secondly, while sending an email and displaying Additional Mail Options

Our user can easily encrypt.

When we send the email, we take the recipient's public key from the Domino Directory and encrypt the body of the email. The servers along the route can read the "send to" information but not the body of the message. When it is delivered to the recipient, he has already opened his ID file and when he opens the message, he decrypts it using his private key.

The sender's copy of the mail message is encrypted using his public key and it is stored in the mail file on the server. When the sender opens his message the body is decrypted using his private key. If you watch the status bar, it will state "decrypting document".

The problem is that even though the specially created Notes ID that can access the entire mail and is used to migrate the mail, calendar and contacts. This ID file does not have the private key in order to decrypt the body field.

Your pre-migration report will identify which mail files contain encrypted emails. Your approach will vary according your findings.

If you find out that some emails were not migrated, one choice is to have the user return to their Notes mail and forward the encrypted emails to their Exchange mail files. Since they will be using their Notes ID files which contain the private key, they can decrypt the body field. The problem with this approach is that the date is set to the current date and the from field is incorrect.

The method I have used successfully, uses a specialy created view that only displays the encrypted emails. We provide a button that removes the encryption. The user needs to navigate to that custom view. If there are encrypted emails, then they will click the button. Since they are using their own ID file they can read the body and then save the email without encryption. This preserves the date and the from fields.

Notes Application Developers have the option to encrypt some fields in their applications. These encrypted fields will not affect a email migration. They will affect a migration of Notes data to a product like SharePoint. I will NOT attempt to explain field encryption in this article.

Author's Background
I am a Notes/Consultant with twenty-seven years of experience (almost exclusively with Lotus Notes / Domino). My experience with Notes began when I worked as a Senior Computer Consultant for Price Waterhouse. In 1993, I went to work for Lotus Development Corporation as a Senior Notes / Domino Instructor. I started teaching Application Development and System Administration with Version 3. Helped to develop the course materials for Version 4.x and Release 5.x When LotusScript, Javascript and Java were added to Notes/Domino I started teaching these programming languages.

In 1995, IBM acquired Lotus. For several years we were left alone and the culture did not change. It was a lot of fun to work for Lotus. In 1999 the handwriting was on the wall and I decided it was time for me to leave. So I established V&M to do Lotus Notes/Domino Application Development, System Administration and Training. I've been at it ever since. The life of the consultant is constantly changing. It has given me the chance to travel across Canada and the United States, Scotland, England, Bermuda, Jamaica, Barbados and Hawaii. No travel to the Far East yet. Anyone?

For the last seven years I have been helping companies move their data from Lotus Notes to the Microsoft platform.

Some thoughts on Notes to Exchange Migrations
Migrating from Lotus Notes to Microsoft - Very easy and very hard
Pre- Migration Report that I use
Encrypted Mail Choices
Export a Notes View to CSV
Mail Migrations Using the Cloud
Mail Migrations - Some Lessons Learned
Speeding Some Migrations
Redirecting Mail Migration Traffic
One post migration story
One Approach to Mail Rules
Remove Encryption Button
Microsoft's "Secret" Mail Migration Tool
NME Migrations from a secondary Domino Directory
How to remove encryption from a Notes database
NME and Secondary Address Book
Multi File Selector for Binary Tree CMTe
Problem Mail Files for NME (Notes Migrator for Exchange)
Using a Staging Server for Notes to Exchange migrations
SmartCloud to Office 365
Notes2SharePoint Part 1
Migrating Private Folders
Different roles in an email migrations
What to do with Profile Docs during a Migration

If you would like to see my resume
Click Here

Email John

Copyright 1999-2017, John Vanderhoff. All rights reserved. This document is NOT in the public domain and remains the property of John Vanderhoff. Distribution or modification of this document without the knowledge, review and express permission of John Vanderhoff is strictly prohibited.