We all know what a dangerous place the internet is. All kinds of wretched scum and villainy just waiting to steal your personal details, trade secrets and various high value pieces of data. Not to mention Country, State and local regulations like HIPAA, SOX, J-SOX, etc. You (and more importantly your users) need to be real careful when hitting send to an internet bound address. What you need is email encryption, right?

Darren, S-MIME sucks. Really, you want me to install a certificate in my personal address book for every recipient I wish to send email to? You *think* the recipient even has an S-MIME certificate to send me?

All valid points. And here is where the email encryption woes set in. Using "classic" email encryption is haphazard at best. Yes, you can enable TLS for SMTP, but you rely on both ends of the connection being set up right......but S-MIME, well, it is just plain difficult to use, manage and maintain.

So what other options are there? Well, back in April IBM Lotus released Lotus Protector for Mail Encryption (or LPME from now on). Basically this software appliance takes the frustration, management and general PITA stuff out of the email encryption process.

How? Well, any email that needs to be encrypted and/or digitally signed is handled in a way that is transparent to both end users involved in the transaction. Yes, I kid you not. It does this in one of two ways:

1. Ad-hoc encryption - the sender decides that this email needs to be encrypted and/or signed
2. Policy based encryption - the server administrator dictates via policies what, and how to encrypt and/or sign based on customizable rules

Ad-hoc uses a (separately available) client installed on a Lotus Notes workstation. This "client" allows the Notes user to simply use the "Sign" and "Encrypt" checkboxes inside the Lotus Notes email client:

[Screenshot: the "Sign" and "Encrypt" checkboxes in the Lotus Notes email client]

Simply check either of these boxes and the internet bound message is magically secured and will eventually find its way to the recipient in a secure fashion....more on that in a moment. This is exactly how Notes encryption works, so there is no training of your users. (Note: this feature requires an extra license and is not included with the LPME authorized user license.)

Policy based rules can force a message to be encrypted based on a wide variety of rules. From subjects, to text, to text patterns, to recipients, to domains. You name it, there is probably a configurable rule for it:

[Screenshot: LPME policy rule configuration]

So how does this magic appliance work? Well, it is kind of genius. Basically LPME is an enhanced version of a PGP Universal Email Gateway server. What this means is that IBM Lotus didn't have to create the infrastructure to allow for public key encryption. They simply bought (or OEM'd) the PGP infrastructure.

To put this into layman's terms, one of the issues with internet email encryption is the creation and distribution of public keys. With Domino, we are spoiled. NRPC does this all for us. Once you hit SMTP, that is a whole different matter. In essence, LPME will look up a recipient's public key on the internet (using the nomenclature keys.recipient-domain-name), or a "store and forward" mechanism can be used, or the LPME server can create a key for the recipient, or the message can be sent as an encrypted PDF (wow, see, that's what they mean by LPME intelligent encryption). This circumvents the majority of issues surrounding email encryption when sending to internet addresses.

Another really impressive thing about LPME is the way it is licensed. Any internet recipient is license free. Gratis. So you only need to license your internal users. And it gets better. The recipient has the option of receiving secured email in the manner that best fits them. The options include:
  • Store and forward (aka Web Messenger) - here the email is stored on the LPME server and an HTTPS link is sent to the recipient. The recipient then logs into the LPME server to view the message. A bit like a bank would do.
  • As a secure PDF attachment, encrypted with the recipient pass phrase.
  • Via a PGP encrypted email that can be decrypted with any other PGP compatible server or the PGP Universal Satellite client (more on that in a moment).
  • Via S-MIME encrypted email.
  • Regular email - although certain messages could still be sent via any of the above if deemed necessary.

Here are the options from an actual LPME server:
[Screenshot: recipient delivery options on an LPME server]

OK, but what if I don't have a PGP compatible gateway to decrypt the message? Simple. The PGP Universal Satellite client is a small executable the recipient can download from the LPME server and install on their PC or Mac. This client integrates with the following common email clients:
  • Lotus Notes 6.5.6, 7.0.3, 8.02, 8.5
  • Microsoft Outlook 2007 SP1 (Outlook 12)
  • Microsoft Outlook 2003 SP3
  • Microsoft Outlook XP SP3
  • Microsoft Windows Mail 6.0.600.16386
  • Microsoft Outlook Express 6 SP1
  • Windows Live Mail version 2009
  • Mozilla Thunderbird 2.0
  • Novell GroupWise 6.5.1
And get this, this is free for the recipient to download. There is no license fee at all for external, internet based recipients. Once they, the recipient, download the PGP Satellite client the LPME server creates a PGP key for the user. Upon installation of the client on the recipient PC or Mac the private key is securely downloaded to the PC or Mac, thus providing seamless end to end encryption of internet based email. Additionally, when the recipient sends email back to you, the LPME policies dictate that the message be encrypted or otherwise......just like outbound. Read that last sentence again.....Satellite downloads the policies from the LPME server and will enforce encryption and/or signing of inbound email to your domain. How fricken cool is that! And that piece is free to you and free to them!

OK, so this is great, but what does it look like? Well, when I send an external recipient a secure email, this is what they see if they are using the free PGP Satellite client (example is an Outlook Express user running against an internet IMAP or POP3 server, in this case a bluebottle.com account):

[Screenshot: the secure message as displayed in Outlook Express with the PGP Satellite client]

As you can see above, the message clearly signifies it was both signed and encrypted during transit, therefore delivering the message body securely to the intended recipient.

Similarly, a Lotus Notes user sitting behind an LPME server or using the PGP Satellite client would see pretty much the same thing (here you can see the bottom blue section that was cut off in the OE screen shot as well):

[Screenshot: the same signed and encrypted message displayed in Lotus Notes]

Again, the message has been signed and encrypted, sent via the internet (via an IMAP server no less), and received and decrypted by the receiving LPME server. Impressive stuff indeed.

Another notable feature of LPME (aside from making SMTP email encryption easy) is that it can be installed either as a physical appliance running on Intel servers, or as a VMware ESX/ESXi installation.

Like the other member of the Lotus Protector family, Lotus Protector for Mail Security (LPMS), it is licensed per authorized user, so you are free to cluster as many LPME (and LPMS) servers as you wish. You can have the same 100% up-time you have with Domino servers with your edge encryption servers and/or (when using LPMS) your edge spam and AV gateway.

Oh, and LPME also has an archive feature where you can route copies of emails to an "archive" server based on policy rules. Encryption doesn't mean lack of compliance. You can ~~spy~~ audit emails just as effectively as if they were never encrypted.

Disclaimer - I am a design partner in the Lotus Protector products, so I like them. There's a reason I like them.....they're impressive.

Contact info@simplified-tech.com if you need further information, a demonstration or to purchase. What are you waiting for? This is the simplest way to secure your internet bound email and comply with regulations, internal and/or external. Don't wait for that lawsuit.....
Darren Duke | June 9 2010 06:48:00 AM | lotus protector

Discussion for this entry is now closed.

Comments (5)

1 - Sharon Albright       06/10/2010 8:12:55 AM

Thank you for the wonderful explanation. I've sent this info to my bosses

2 - Steven Vaughan    http://www.dominopeople.ie    02/09/2011 9:26:26 AM

Hi Darren,

Many thanks for the article. Lots of good info there. Does this solution work with iNotes perchance?

3 - Darren Duke    http://blog.darrenduke.net    02/26/2011 7:43:20 PM

Yes and no....why are these answers never easy ;)

Anyway, if you run the LPME server in gateway mode (i.e., everything routes through LPME and the policy dictates the encryption) then YES!

If you want ad-hoc there is no magic button in iNotes, but you could do subject appending or prepending (i.e. "[secure] Hello world!") and have LPME pick up the word [secure] from the subject line.


4 - Blonde       02/28/2011 7:01:38 AM

Hi Darren, we spoke together after your session at LS 11 (at lunch). My husband has a broken leg...

May I ask one thing?

How can I create Locations and Connections via policies? I mean on the LN client.

Can I do it on the server for all users?

Thanks for your help!

5 - Brenda    http://www.pascosheriff.com/webapps/index.pgm    05/26/2011 6:36:01 AM

Can't seem to figure out how to import certs from GoDaddy after getting them. Here is the info from John who is trying it:

The certificate file that I downloaded from my provider does not load into LPME.

Here is the error:

! Invalid PKCS12 Certificate File

The file you uploaded, 'secure.pascosheriff.org.crt', is not a PKCS12 certificate file. The file must end in '.p12' or '.pfx'.

This is not an option from my certificate provider.

It appears I could try to convert the file with an openssl command...

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

... but I am not sure what to use for the privateKey.key and CACert.crt. Where do I find these in LPME?

Thoughts .. suggestions .. help (anyone?)
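
The PEM to PKCS12 conversion discussed in comment 5, as an added example that is not part of the original post or comments: `-inkey` takes the private key that was generated together with the CSR submitted to the CA, and `-certfile` takes the CA's own certificate(s). The script builds a throwaway lab CA (all file names and subjects are constructed) and checks that the key matches the certificate before bundling.

```shell
#!/usr/bin/env bash
# Added example. File names and the throwaway lab CA are constructed; nothing
# here is taken from LPME or from the certificate provider.

# PEM public key extracted from a private key ($1) or from a certificate ($1).
pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# True only when private key $1 belongs to certificate $2.
key_matches_cert() {
  k=$(pub_from_key "$1") || return 1
  c=$(pub_from_cert "$2") || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_p12 KEY CERT CHAIN OUT PASSPHRASE: refuse to bundle a mismatched key.
# "pass:" exposes the passphrase in the process list; fine for a lab, use
# "file:" or "env:" for a real key.
make_p12() {
  key_matches_cert "$1" "$2" || { echo "private key does not match $2" >&2; return 1; }
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Number of certificates stored in bundle $1 (passphrase $2).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed stand-ins for the provider's CA file, the server key generated
# with the CSR, the issued certificate, and an unrelated key.
make_lab_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Lab CA" \
    -keyout "$1/ca.key" -out "$1/CACert.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$1/privateKey.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/CACert.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/certificate.crt" 2>/dev/null &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

lab=$(mktemp -d)
make_lab_pki "$lab"
make_p12 "$lab/privateKey.key" "$lab/certificate.crt" "$lab/CACert.crt" \
  "$lab/certificate.pfx" "lab-pass" &&
  echo "bundle written, $(p12_cert_count "$lab/certificate.pfx" lab-pass) certificates"
make_p12 "$lab/other.key" "$lab/certificate.crt" "$lab/CACert.crt" \
  "$lab/bad.pfx" "lab-pass" || echo "refused: wrong private key"
rm -rf "$lab"
```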