0
votes

We have a central password repository that we use for all non-person accounts. They are kept in account documents that have encrypted password fields that correspond with the service type, i.e. Development, Sandbox, Acceptance or Production. We are experiencing some issues with different versions of the Notes Client. For example, if your admins run an agent that encrypts a document, they have to be running the same client version as the Server. This is a problem from time to time as they upgrade servers. Is there a better way of doing this, or is there a way to work around this?

Added 5/2/2012: Our servers are all on 8.5.3 (not Upgrade Pack 1 yet) and our admins were running 8.5.2 clients. So our problem came in when they tried to run an agent locally that attempted to encrypt one of the documents. It took quite a while to isolate the exact error, as we had to comment out all error handling to finally get Notes to give us the correct error, which was something to the effect of an encryption version error. Anyway, I think we can solve our issues by upgrading the client version our admins are running.
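The scenario above (an agent that encrypts the password field of an account document with a shared secret key, and an error handler that swallowed the real cause) is the kind of thing where the handler should surface the Notes error number, message and line, plus the client version it ran under, rather than hiding them. The agent below is an added example written for this page, not the asker's agent; the field name `ProdPassword`, the secret key name `AcctRepoProd` and the log prefix are assumptions. It runs against the documents selected when the agent is invoked (for a manually run agent, the documents selected in the view).

```lotusscript
Option Public
Option Declare

' Added example (not the original poster's code).
' Encrypts the ProdPassword field of each selected account document with a
' secret key and, on failure, logs enough detail to diagnose a client/server
' mismatch instead of silently continuing.
Sub Initialize
    On Error Goto ErrHandler

    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim col As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim item As NotesItem
    Dim keys(0) As String

    ' Assumed secret key name; the key must be in the running user's ID file.
    keys(0) = "AcctRepoProd"

    Set db = session.CurrentDatabase
    Set col = db.UnprocessedDocuments
    Set doc = col.GetFirstDocument

    While Not doc Is Nothing
        ' Assumed field name holding the Production credential.
        Set item = doc.GetFirstItem("ProdPassword")
        If Not item Is Nothing Then
            ' Only fields flagged IsEncrypted are encrypted by doc.Encrypt.
            item.IsEncrypted = True
            doc.EncryptionKeys = keys
            Call doc.Encrypt()
            Call doc.Save(True, False)
            Print "Encrypted " & doc.UniversalID & " with key " & keys(0)
        End If
        Set doc = col.GetNextDocument(doc)
    Wend
    Exit Sub

ErrHandler:
    ' Report the real Notes error rather than a generic message, together with
    ' the client version and whether we ran locally or on the server, so a
    ' version mismatch between client and server is visible in the log.
    Dim where As String
    If session.IsOnServer Then
        where = "server"
    Else
        where = "client"
    End If
    Print "AcctRepo: encrypt failed on " & doc.UniversalID & _
        " - Error " & Err & " (" & Error$ & ") at line " & Erl & _
        "; running on " & where & ", Notes version: " & session.NotesVersion
    ' Stop rather than resume: a half-encrypted repository is worse than none.
    Exit Sub
End Sub
```

The important design choice is that the handler never resumes past a failed `Encrypt` and never replaces `Err`/`Error$` with its own text: the original error text is what identifies a key-length or version incompatibility, and logging `session.NotesVersion` next to it lets the admin compare the client they ran on with the server release without guessing.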

1
You should probably mention what versions of Notes/Domino you are using.
Simon O'Doherty

1 Answer

1
votes

Without seeing the details from the ID files and knowing the versions it's hard to say for sure... But most likely your secret keys were generated with a newer version of Domino and the key length is longer than older versions of Notes/Domino can handle.

Bear in mind that encryption in Notes/Domino has been around for 20 years, when shorter keys were common, considered safe given the cracking capabilities of the day, necessary for reasonable encrypt/decrypt response time on the hardware of the time, and subject to government controls that placed artificial limits on what Lotus could support -- which actually meant that the older versions could not legally ship code that processes the larger keys that Lotus supports today. In general, Lotus phases in new longer key lengths by first shipping code in one release to be able to handle those key lengths, and then shipping code in the next release to be able to generate those key lengths. So when creating new keys, you may need to be aware of whether any code that is more than two major releases old will need to use them.