Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Encrypting all databases on a server with Domino 12.0.2 using DBMT

Daniel Nashed – 9 August 2024 07:12:28

If your server needs to protect databases at rest, using Domino database encryption would be the easiest way.

But you should keep in mind that database encryption was mainly intended for protecting local databases on a Notes client and encryption always comes with an additional cost/overhead!


You should also keep in mind that encryption at rest without a server.id that is properly protected with a password would be quite useless.

An attacker could just copy the server.id along with the data and could decrypt all databases.


Encrypting databases locally should remain the exception, for cases where you have special requirements. It is NOT a general recommendation!

But if you have the requirement, there is a new DBMT option since Domino 12.0.2 to encrypt databases.

This is a one-way option and there is no automated decrypt for obvious reasons.


Checking database encryption


There is no command-line way to check if databases are encrypted.

But you could write a simple script that checks db.IsLocallyEncrypted.

There is no exposed way to get the encryption level.
But I think it should be sufficient to check for encryption, because DBMT takes care of the encryption.
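
A sketch of such a check, added here as an example and not taken from the original post: a LotusScript agent that walks the server's database directory and reports every database where the db.IsLocallyEncrypted property mentioned above is false. It assumes the agent runs on the server and is signed by an ID that is allowed to open every database; the helper name OpenQuietly is hypothetical.

```lotusscript
Option Declare

' Added example: report databases in the data directory that are NOT locally encrypted.
' Assumption: runs as an agent on the server, signed by an ID that may open every database.
Sub Initialize
	Dim dbdir As New NotesDbDirectory("")	' "" = the server the agent runs on
	Dim db As NotesDatabase
	Dim total As Long, plain As Long, skipped As Long

	Set db = dbdir.GetFirstDatabase(DATABASE)
	Do Until db Is Nothing
		total = total + 1
		If OpenQuietly(db) Then
			If Not db.IsLocallyEncrypted Then
				plain = plain + 1
				Print "NOT encrypted: " & db.FilePath
			End If
		Else
			' Report instead of silently skipping, so gaps in the check stay visible
			skipped = skipped + 1
			Print "Could not open (not checked): " & db.FilePath
		End If
		Set db = dbdir.GetNextDatabase()
	Loop

	Print "Total: " & total & ", not encrypted: " & plain & ", not checked: " & skipped
End Sub

' Databases returned by NotesDbDirectory are closed; most properties need an open database.
' Hypothetical helper: returns False instead of raising an error when the open fails.
Function OpenQuietly(db As NotesDatabase) As Boolean
	On Error Goto failed
	If Not db.IsOpen Then Call db.Open("", "")
	OpenQuietly = db.IsOpen
done:
	Exit Function
failed:
	OpenQuietly = False
	Resume done
End Function
```

Databases listed as "not checked" still need a manual look, because the agent could not read their encryption state.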


Encrypting a database always requires a compact operation, because it encrypts the database at the ODS level.

That's why it is part of DBMT, the recommended command-line tool to compact databases.



DBMT

-encrypt or -e [encryption]   Enable the specified encryption on compacted databases, where [encryption] can be one of:

    • SIMPLE
    • MEDIUM
    • STRONG
    • AES128
    • AES256
