In yesterday's post about AES NSF local encryption, I quipped that you should be able to locally encrypt a replica with AES 128, but that you'd have to do it manually.  Well, you can't. I probably should have tested this theory like HCL should have tested this feature.

Here's what happens:


Go to an existing database on a server and enable AES 128 encryption (yes, the option is there):


Image:Changing NSF encryption on a server to AES? No, you’re not.

Compact said database:


Image:Changing NSF encryption on a server to AES? No, you’re not.

Take another peek at the encryption settings:


Image:Changing NSF encryption on a server to AES? No, you’re not.

"Strong"? WTF? No matter what I do I can't get an existing on server database to encrypt with the new AES setting.

At first I thought this was a Domino version issue. Nope. Servers are 11.0.1. Then I thought maybe an OS difference, after all one of my main servers is Windows, the other CentOS. Nope. Same behavior on both.

Hum. Next up some notes.ini settings can change these settings (see Ben's post here), but none of those are present on the server.

Lastly was an idea that maybe a local desktop policy was interfering but I could find no evidence of that after several tries (and as mentioned yesterday, the desktop policy settings document is not showing AES as an option and this should only be for local anyway, not server).

So my conclusion for now is that you can only encrypt NEW DATABASES with AES 128 on a Domino server (or it could be AES and reporting wrong, but new NSFs that are encrypted don't exhibit that behavior, so I very much doubt it is that).
Darren Duke | April 14 2020 06:28:32 AM | domino security