Document Encryption

Encryption is the process of scrambling data so that only authorized users can unscramble it. Domino supports both secret key encryption (in which one key is shared among trusted users) and public key encryption (in which a public key is used to encrypt data and the matching private key decrypts it). From early in its history, Notes has supported encryption through its capability to encrypt fields in documents, ensuring that data is secure from prying eyes.

Any field(s) in a Notes document can be encrypted, and after a field has been encrypted, only users who possess the proper key(s) can decrypt the field contents. Users without the proper key(s) see what appears to be a blank field in the document, and any attempts to use the Document Properties box to view the fields are stymied as well.

Please note that if multiple keys have been applied to encrypt a form or document, users need only one of the keys to read encrypted information.


Encrypted fields cannot be viewed through a Web browser because the keys needed to decrypt the document are stored in the Notes ID. Remember this information when preparing for the exam.


Public key encryption is used for email, whereas you can use either public or private key encryption to encrypt documents.

A document with one or more encrypted fields is considered encrypted.


Public Key Encryption

Each Notes user has a unique public key stored in his Notes ID. When public key encryption is used to encrypt a document, user names of those allowed to decrypt the document are stored in a special field called PublicEncryptionKeys. When the document is saved, the users named in the PublicEncryptionKeys field are looked up in the Domino Directory and the public keys in their Person documents are used to encrypt all the fields that are marked for encryption.

Private Key Encryption

Domino Designer supports private key encryption, also known as secret key encryption. This method of encryption requires that users create private keys and then distribute the keys to the appropriate users so that they can decrypt encrypted data. The name of each private key associated with a field is stored in a special field called SecretEncryptionKeys. When the document is saved, the keys named in this field are retrieved from the user's Notes ID and used to encrypt all the fields marked for encryption.

Encrypting Documents

Domino provides numerous ways to encrypt a document; it's up to you as a developer to select the most appropriate one from the following list:

  • Form property— You can use the Default Encryption Keys form property (on the Security tab of the properties box) to associate one or more encryption keys with a form; those keys are then used to encrypt every document created with the form.

  • Public keys— You can associate one or more names in the Public Encryption keys field on the Security tab in the Document Properties box to encrypt documents by using the public keys of the named users.

  • Document Properties box— If a form contains fields that can be encrypted, users can use the Document Properties box to encrypt documents using the keys stored in their ID files.

  • Secret encryption keys— If a user has one or more secret encryption keys stored in her Notes ID, she can use them in conjunction with a SecretEncryptionKeys field to encrypt a document.

Public and private encryption keys are stored in your Notes ID, so you should always remember to back up your ID each time a key is added to avoid the risk of being permanently locked out of encrypted documents.
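The secret key route described under Private Key Encryption and in the list above, as an added LotusScript agent (example code, not from the book): it flags one field for encryption, names the key in the document's SecretEncryptionKeys item via the EncryptionKeys property, encrypts, and then reports which items were actually encrypted. It assumes a secret key named "ProjectAlpha" is already in the current user's Notes ID and that the database has a form named "Memo"; both names are placeholders.

```lotusscript
' Added example (not from the book): encrypt one field of a new document
' with a secret key, then show which items are encrypted and which are not.
' Assumes "ProjectAlpha" is a secret key present in the current user's ID
' and "Memo" is a form in the current database (both hypothetical names).
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim doc As NotesDocument
    Dim bodyItem As NotesItem
    Dim keys(0) As String

    Set db = session.CurrentDatabase
    Set doc = New NotesDocument(db)
    doc.Form = "Memo"
    doc.Subject = "Quarterly numbers"      ' not flagged, stays in clear text
    doc.Body = "Revenue figures ..."        ' flagged below, will be encrypted

    ' Only items marked for encryption are scrambled by Encrypt; this is the
    ' programmatic equivalent of the field's "Enable encryption" design option.
    Set bodyItem = doc.GetFirstItem("Body")
    bodyItem.IsEncrypted = True

    ' Setting EncryptionKeys writes the SecretEncryptionKeys item the text
    ' describes. Every key named here must exist in the current user's ID;
    ' a reader needs only one of the listed keys to decrypt.
    keys(0) = "ProjectAlpha"
    doc.EncryptionKeys = keys

    ' Encrypt in memory, then save. Users without ProjectAlpha in their ID
    ' see an empty Body field and cannot read it from Document Properties.
    Call doc.Encrypt()
    Call doc.Save(True, False)

    ForAll i In doc.Items
        If i.IsEncrypted Then
            Print "Encrypted: " & i.Name
        Else
            Print "Clear:     " & i.Name
        End If
    End ForAll
End Sub
```

For the public key route described under Public Key Encryption, the document instead carries a PublicEncryptionKeys text item naming the intended readers, and the lookup of their public keys in the Domino Directory happens at save time.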


Encrypting Mail

Domino enables users to encrypt mail messages to ensure their confidentiality. When a user encrypts a mail message, only the body is encrypted; header fields such as the recipients and the subject are not encrypted. Domino can encrypt Notes mail and Internet mail for users who can support S/MIME.

Notes Mail

When a Notes user attempts to encrypt a mail message, Notes uses the recipient's public key, found in either the Domino Directory or the user's Personal Address Book.

Users have three basic options for encrypting Notes mail:

  • Encrypt sent mail— Users can encrypt outgoing mail.

  • Encrypt received mail— Users can encrypt received mail.

  • Encrypt all documents in the mail database— Users can encrypt all the mail in their mailbox to ensure its confidentiality.

S/MIME

Domino supports S/MIME so that Internet email can be encrypted. To use S/MIME, the sender of the email must possess the recipient's public key, which is stored as an Internet certificate in the Domino Directory, an LDAP directory, or in the sender's Personal Address Book. Additionally, the sender needs a cross-certificate so that Notes knows the public key can be trusted.
