I need to write a Java agent that will be signed with the server.id and will run on the server. This code should be able to encrypt and decrypt a NotesItem with the private and public keys stored in the server id file.

This is about the same as what the DAOS task does with attachments.

Is this possible?

Thanks!

Andy Brunner

2 Answers

The Designer Help article for NotesDocument.Encrypt suggests the answer is yes.
See: https://www.ibm.com/support/knowledgecenter/en/SSVRGU_9.0.1/basic/H_ENCRYPT_METHOD.html

I've never tried it, but going by the above article: If you don't set the EncryptionKeys property on the document, and call Encrypt in code running on the server, it should encrypt items using the server id's public key.

Edit:
I've just noticed you specifically asked about Java. The documentation for the Java method Document.encrypt() is similar enough to the LotusScript documentation that the above should still apply.

Scott Leis
  • Note that this method just flags the document for encryption. Once it is flagged, encryption is automatic when you save with the current id file, and decryption is automatic when you open with it. Also note - the fact that you signed the agent with a given id is insufficient. It's the actual current id that counts, so if you sign it with ServerA, but run it on ServerB, it will be ServerB's public/private key pair that is used for encryption/decryption. (The reason being that a signature does not give the agent access to the id file containing the key pair.) – Richard Schwartz Jan 10 '19 at 13:54
  • Ah, it's starting to come back to me... The documentation for this method is talking about using secret encryption keys, not public/private key pairs - but you can do it. I wrote an article about this many years ago. I can't find a link to its original location on notes.net, but fortunately, it has been copied elsewhere. Here's a link. https://gcc.upb.de/WWW/WI/WI2/wi2_lit.nsf/KPoolThemes/1CF8154EADD355F6C1256B22004BD2C3?OpenDocument My sample app in the article actually lets you toggle between both secret key and public/private key encryption techniques. – Richard Schwartz Jan 10 '19 at 14:04
  • Also, this thread on the old Notes 6/7 forum provides important information that was uncovered by the late, great Bill Ernest. http://www-10.lotus.com/ldd/nd6forum.nsf/DateAllFlatweb/29c9f3df1a27f27e85256f50002282dc?OpenDocument – Richard Schwartz Jan 10 '19 at 14:10
  • Thank you very much for these answers. I will try to implement these recommendations. – Andy Brunner Jan 11 '19 at 05:32
  • @RichardSchwartz: That seems like a life saver. Unfortunately, notes forum is offline, too. Waybackmachine holds at least the solution which will be: PublicEncryptionKeys will not be recognized by NotesDocument.encrypt unless you first specify NotesDocument.encryptionKeys = – Tschenser Aug 05 '20 at 15:00
  • Thanks for adding that. I know that there are people out there with replicas of it and the wayback machine is a great resource, too, but it's still a shame that the old forums are offline. On the other hand, one of the big problems with finding info on Notes/Domino these days is that there's so much old info out there that it can be very hard to figure out if it's out-of-date or not. – Richard Schwartz Aug 06 '20 at 18:22

Again, thanks to all who helped. The solution is really simple (after you know how it works) ...

Add a Notes item to the form:

  • Name "PublicEncryptionKeys"
  • Type "Names"
  • Value ServerName, e.g. "Server/ACME"

For every item that needs to be encrypted:

  • Type "Password"
  • Set Security Options "Enable encryption for this field"

Then every time the document is saved in the Notes client, the field(s) are encrypted with the public key of the server.

In the Server add-on, there is nothing to do. Just use getItemValue() which will transparently decrypt the contents of the items.

Andy Brunner
  • Is the key to success here "saved in the Notes Client"? So in other words, saved by a user in front of the screen or would this also work when the document is encrypted through an agent as your initial post was stating. Also, is Type "Password" really mandatory for this to work or is this just "visual sugar" to indicate a password style input field? – Tschenser Aug 05 '20 at 15:09
  • Sorry, but I have not done any further investigations on this topic. I am not even sure that saving the document with an agent would work. But I think that the Domino back-end simply takes the Names-field for a Directory lookup to get the public key and encrypts the field with it. – Andy Brunner Aug 08 '20 at 06:34
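The following is an added example, not code from either answer or from the original poster. It puts the pieces of the thread into one server-run Java agent: the `PublicEncryptionKeys` Names item and the encryption-flagged item from the accepted answer, `Document.encrypt()` from Scott Leis's answer, and the running-ID versus signing-ID distinction from Richard Schwartz's comment. It then reopens the document and checks `isEncrypted()` before reading the item, which is the test Andy Brunner says he never ran for the agent-save case. The form name `SecretForm`, the item name `Secret`, and the assumption that the agent runs on the server under the server's own ID are placeholders and assumptions of this example, not facts from the page.

```java
import lotus.domino.AgentBase;
import lotus.domino.AgentContext;
import lotus.domino.Database;
import lotus.domino.Document;
import lotus.domino.Item;
import lotus.domino.NotesException;
import lotus.domino.Session;

// Added example (not from the original post): a server-run Java agent that
// writes a document whose "Secret" item is flagged for encryption and addressed
// to the public key of the ID the agent runs under, then reopens it and reads
// the item back. Form and item names are placeholders.
public class JavaAgent extends AgentBase {

    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext ctx = session.getAgentContext();
            Database db = ctx.getCurrentDatabase();

            // Richard Schwartz's point: the key pair used is that of the ID the
            // agent RUNS under (getUserName), not the ID that SIGNED it
            // (getEffectiveUserName). On a server these differ unless the
            // server itself signed the agent.
            String runningId = session.getUserName();        // e.g. "CN=Server/O=ACME"
            String signerId  = session.getEffectiveUserName();
            System.out.println("running as: " + runningId + ", signed by: " + signerId);

            String unid = writeEncrypted(db, runningId, "the value to protect");
            String back = readDecrypted(db, unid);
            System.out.println("read back: " + back);
        } catch (NotesException e) {
            e.printStackTrace();
        }
    }

    /** Creates a document whose "Secret" item is encrypted for the public key
     *  of recipientName and returns the document's UNID. */
    static String writeEncrypted(Database db, String recipientName, String secret)
            throws NotesException {
        Document doc = db.createDocument();
        doc.replaceItemValue("Form", "SecretForm");

        // Names item listing who may decrypt: the layout from the accepted answer.
        Item keys = doc.replaceItemValue("PublicEncryptionKeys", recipientName);
        keys.setNames(true);

        // The item to protect, flagged for encryption like the form field's
        // "Enable encryption for this field" option.
        Item secretItem = doc.replaceItemValue("Secret", secret);
        secretItem.setEncrypted(true);

        // No EncryptionKeys (secret key names) are set: per the Designer Help
        // cited in Scott Leis's answer, encrypt() then uses the current ID's
        // public key. Tschenser's comment says PublicEncryptionKeys may be
        // ignored unless EncryptionKeys is also set, so the caller verifies
        // with isEncrypted() after reopening rather than trusting this flag.
        doc.encrypt();
        if (!doc.save(true, false)) {
            throw new IllegalStateException("save failed");
        }
        String unid = doc.getUniversalID();
        doc.recycle();
        return unid;
    }

    /** Reopens the document under the current ID; decryption is transparent,
     *  so a plain getItemValueString() returns the cleartext. */
    static String readDecrypted(Database db, String unid) throws NotesException {
        Document doc = db.getDocumentByUNID(unid);
        try {
            if (!doc.isEncrypted()) {
                // The flag was not honoured on save: the item sits on disk in the clear.
                throw new IllegalStateException("document " + unid + " is not encrypted");
            }
            return doc.getItemValueString("Secret");
        } finally {
            doc.recycle();
        }
    }
}
```

Run it as a scheduled or triggered agent on the server and compare the two names it logs: if `running as` is not the server name, the server ID's key pair is not what encrypted the item. If `readDecrypted()` throws, the agent-save path did not encrypt the item, which is the open question in the comments above, and the `EncryptionKeys` detail from the archived forum thread is the next thing to check.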