Encrypting all databases on a server with Domino 12.0.2 using DBMT
Daniel Nashed – 9 August 2024 07:12:28
If your server needs to protect databases at rest, Domino database encryption would be the easiest way.
But you should keep in mind that database encryption was mainly intended for protecting local databases on a Notes client, and encryption always comes with an additional cost/overhead!
You should also keep in mind that encryption at rest without a server.id that is properly protected with a password would be quite useless.
An attacker could just copy the server.id along with the data and decrypt all databases.
Encrypting databases locally should stay the special case for when you have special requirements. It is NOT a general recommendation!
But if you have that requirement, there is a new DBMT option since Domino 12.0.2 to encrypt databases.
This is a one-way option, and there is no automated decrypt, for obvious reasons.
Checking database encryption
There is no command-line way to check if databases are encrypted.
But you could write a simple script that checks db.IsLocallyEncrypted.
There is no exposed way to get the encryption level.
But I think it should be sufficient to check for encryption, because DBMT takes care of the encryption.
Encrypting a database always requires a compact operation, because the encryption happens on the ODS level.
That's why it is part of DBMT, the recommended command-line tool for compacting databases.
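A server agent that implements the check described above, added here as an example and not code from the post: it walks every database on the current server and reports the ones that are not locally encrypted, so coverage can be verified after a DBMT -e run. It assumes the IsLocallyEncrypted property named in the post is exposed on NotesDatabase in your Domino release, and that the agent runs with an ID that may open all databases.

```lotusscript
' Added example (not from the post): list databases on this server that are
' not locally encrypted. Assumes NotesDatabase.IsLocallyEncrypted is available
' (the property name is taken from the post). Run as a server agent
' (e.g. "tell amgr run") with unrestricted rights so every database can be opened.
Option Public
Option Declare

Sub Initialize
    Dim dir As New NotesDbDirectory("")       ' "" = the server the agent runs on
    Dim db As NotesDatabase
    Dim total As Long, encrypted As Long, failed As Long

    ' DATABASE = .nsf files only; templates (.ntf) are skipped on purpose
    Set db = dir.GetFirstDatabase(DATABASE)
    Do Until db Is Nothing
        total = total + 1

        ' A database we cannot open must not abort the whole sweep
        On Error Resume Next
        If Not db.IsOpen Then Call db.Open("", "")
        On Error GoTo 0

        If db.IsOpen Then
            If db.IsLocallyEncrypted Then
                encrypted = encrypted + 1
            Else
                Print "NOT ENCRYPTED: " & db.FilePath
            End If
        Else
            failed = failed + 1
            Print "CANNOT OPEN:   " & db.FilePath
        End If

        Set db = dir.GetNextDatabase
    Loop

    Print "Checked " & total & " databases: " & encrypted & " encrypted, " & _
        (total - encrypted - failed) & " unencrypted, " & failed & " not openable"
End Sub
```

Databases that could not be opened are listed separately so a permission problem is not mistaken for an encrypted database.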
DBMT
-encrypt or -e [encryption] Enable the specified encryption on compacted databases, where [encryption] can be one of:
SIMPLE
MEDIUM
STRONG
AES128
AES256
Comments [3]
1. Don, 10.08.2024 10:23:17
We do have this requirement to encrypt in rest. Doesn't everybody with public facing Domino servers essentially?
The problem for us is the password for the server ID file. How do you automatically start/restart your Domino server after you've added this? And you're right, if you don't do this, why bother?
2. Daniel Nashed, 11.08.2024 8:28:50
@Don,
A public-facing server should not make a difference. It is more about where you host it and if you trust the guys running the OS...
Also some companies have general rules for encrypting all data on rest.
The tricky part is really the server.id. Domino on Windows meanwhile supports encrypting the server.ID password using the same technology also used on the client (Windows DP-API / NSL).
On Linux there is still no out of the box solution. I wrote a simple credential helper, which could be used to get the password from an external application.
I also wrote a key-vault as a separate Linux application (so far for myself) which would work hand in hand with it.
But the idea is to have a simple call-out to a credential helper application of your choice.
I would love to see a call-out like this in core Domino. For now it is an extension manager.
-- Daniel
3. Jonas, 13.08.2024 9:20:52
Hi,
Funny thing that I was just pondering about best practice for using Domino in high security environments just minutes before reading your post.
From my experience everything can be compromised by the bad guys if you have an internet connection to your company and a network card in your Domino server, regardless of whether Domino is exposed to the internet or not. I was thinking about how to best secure Domino when a breach happens that gives the bad guys access to the file system, and your post clarified that there is no easy-to-use solution in a Linux environment.
For this reason I would really like for HCL to take this seriously and come up with a solution for managing passwords on server.id in a secure and easy-to-use way, preferably unified across OSes like with the Certificate Store. Domino has great security at database level and beyond, and if we could get the same level on server.id I think this would be just great and bring Domino even further ahead of the competition.
Just my two cents.
/J