Extending messaging security using IBM Lotus Notes encryption

By default, if your organization's environment includes BlackBerry® Enterprise Server version 4.1 or later for IBM® Lotus® Domino® and IBM® Lotus Notes® API version 7.0 or later, a BlackBerry device can decrypt messages that are encrypted using Lotus Notes encryption.

In BlackBerry Enterprise Server version 5.0 or later and BlackBerry® Device Software version 5.0 or later, a BlackBerry device user can also send messages that are protected with Lotus Notes encryption. When the user creates, forwards, or replies to a message, the user can indicate that the BlackBerry Enterprise Server must apply Lotus Notes encryption before it sends the message to the recipients. The Lotus Notes encryption itself is performed by the BlackBerry Messaging Agent on the BlackBerry Enterprise Server, not on the device; the device only carries the user's decision and the password for the Lotus Notes .id file to the server under BlackBerry transport layer encryption.

To use Lotus Notes encryption on the BlackBerry device, the BlackBerry device user must import a copy of the Lotus Notes .id file into the user's message database using the BlackBerry Desktop Software or Lotus® iNotes®. If your organization's environment includes Lotus Domino version 8.5.1 or later and BlackBerry Enterprise Server version 4.1 or later, the BlackBerry Enterprise Server can automatically synchronize the copy of the Lotus Notes .id file on the BlackBerry device with the latest copy that is in the Lotus Notes ID vault. If your organization's environment includes Lotus Domino version 8.5.1 or later and BlackBerry Enterprise Server version 5.0 SP1 or later, you can configure the BlackBerry Enterprise Server to import the Lotus Notes .id file automatically into the BlackBerry device from the Lotus Notes ID vault.

To require the BlackBerry device user to use Lotus Notes encryption when forwarding or replying to messages, you can configure the Require Notes Native Encryption For Outgoing Messages IT policy rule. To prevent a BlackBerry device user from forwarding or replying to Lotus Notes protected messages, you can configure the Disable Notes Native Encryption Forward And Reply IT policy rule.

Protecting the password for an IBM Lotus Notes .id file

How a BlackBerry device protects the password for an IBM Lotus Notes .id file

After a user imports an IBM® Lotus Notes® .id file and password for the Lotus Notes .id file to a BlackBerry® device, the BlackBerry device encrypts the password in BlackBerry device memory using AES encryption and the device transport key. The BlackBerry device decrypts the password before it calls the required security functions in the Lotus Notes API.

The BlackBerry device deletes the Lotus Notes .id file and plain-text password from the BlackBerry device memory when it receives a notification from the BlackBerry® Enterprise Server that the BlackBerry Enterprise Server cannot decrypt a message, when the BlackBerry device resets, or when the Lotus Notes password expires. (The default expiration period is 24 hours.) You can use the Native Encryption Password Timeout IT policy rule to specify the maximum duration (in minutes) that the BlackBerry device stores the plain-text password for the Lotus Notes .id file.

You can change the timeout value to 0 to require the user to type the password to decrypt each Lotus Notes encrypted email message that the user receives on the BlackBerry device.

If Lotus Notes encryption becomes unavailable on the BlackBerry device (for example, after the device has deleted the Lotus Notes .id file and password), the user can turn it on again by importing the Lotus Notes .id file or by changing the password using the BlackBerry® Desktop Software or the IBM® Lotus® Domino® Web Access client.

How the BlackBerry Messaging Agent protects the password for an IBM Lotus Notes .id file

After a user imports an IBM® Lotus Notes® .id file and the password for the Lotus Notes .id file to a BlackBerry® device, the BlackBerry Messaging Agent encrypts the Lotus Notes .id file and password in the BlackBerry Messaging Agent memory cache using AES encryption and the device transport key.

The BlackBerry Messaging Agent deletes the Lotus Notes .id file and the plain-text password when the BlackBerry® Enterprise Server cannot decrypt a message, when the BlackBerry Enterprise Server restarts, or when the password expires. (The default timeout value is 24 hours.)

The BlackBerry Messaging Agent does not delete the encrypted copy of the password from its memory cache; only the plain-text copy is discarded. You can change the duration for which the BlackBerry Messaging Agent caches the password. For details, visit www.blackberry.com/support and read article KB12420.

If the user types the password incorrectly more than 10 times consecutively within 1 hour, the BlackBerry Messaging Agent makes secure messaging unavailable for 1 hour. Each time the user again exceeds the maximum number of unsuccessful password attempts, the lockout period is 10 minutes longer than the previous one, up to a maximum of 24 hours. When the user types the password correctly, the BlackBerry Messaging Agent restores the default lockout period of 1 hour.
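The password timeout described under "How the BlackBerry Messaging Agent protects the password" and the escalating lockout described above, written out as a runnable model. This is an added example and not BlackBerry's implementation: the constants (10 attempts, 1 hour, 10-minute increments, 24-hour cap, 24-hour default timeout) come from the text, but the sliding one-hour window used to count failures, the seconds-based clock, and the PasswordCache class with its method names are assumptions of this example, and the AES encryption of the cached copy under the device transport key is deliberately left out so that only the expiry and lockout logic is shown.

```python
"""Model of the Messaging Agent's .id password cache: timeout expiry and the
escalating lockout described in the text. Added example, not BlackBerry code."""
import hmac
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional

# Values taken from the text. The sliding-window reading of "within 1 hour"
# and the seconds-based clock are assumptions of this model.
MAX_FAILURES = 10                 # more than 10 consecutive failures ...
FAILURE_WINDOW = 60 * 60          # ... within 1 hour triggers a lockout
BASE_LOCKOUT = 60 * 60            # first lockout lasts 1 hour
LOCKOUT_STEP = 10 * 60            # each further lockout is 10 minutes longer
MAX_LOCKOUT = 24 * 60 * 60        # lockouts never exceed 24 hours
DEFAULT_TIMEOUT = 24 * 60 * 60    # Native Encryption Password Timeout default


@dataclass
class PasswordCache:
    """One user's cached Lotus Notes .id password on the Messaging Agent.

    The real agent keeps the cached copy AES-encrypted under the device
    transport key; this model holds it in the clear because the point shown
    is the expiry and lockout logic, not the encryption at rest.
    Times are seconds on a caller-supplied clock so the model runs offline.
    """
    timeout: int = DEFAULT_TIMEOUT          # 0 = prompt for every message
    _password: Optional[str] = None
    _cached_at: float = 0.0
    _failures: Deque[float] = field(default_factory=deque)
    _next_lockout: int = BASE_LOCKOUT       # length of the next lockout
    _locked_until: float = 0.0

    def store(self, password: str, now: float) -> None:
        """Cache the password after the user imports the .id file or types it."""
        self._password = password
        self._cached_at = now

    def clear(self) -> None:
        """Forget the password: server restart, undecryptable message, or timeout."""
        self._password = None

    def cached_password(self, now: float) -> Optional[str]:
        """Return the cached password, expiring it first if the timeout has passed."""
        if self._password is not None and now - self._cached_at >= self.timeout:
            self.clear()
        return self._password

    def is_locked(self, now: float) -> bool:
        return now < self._locked_until

    def lockout_remaining(self, now: float) -> float:
        return max(0.0, self._locked_until - now)

    def verify(self, candidate: str, now: float) -> str:
        """Validate a password sent by the device.

        Returns one of: "locked", "expired", "ok", "failed", "lockout".
        """
        if self.is_locked(now):
            return "locked"
        stored = self.cached_password(now)
        if stored is None:
            return "expired"            # user must re-import the .id file or retype the password
        if hmac.compare_digest(candidate.encode(), stored.encode()):
            self._failures.clear()      # a correct password ends the streak ...
            self._next_lockout = BASE_LOCKOUT   # ... and resets the escalation
            return "ok"
        self._failures.append(now)
        # Only failures inside the last hour count towards the limit.
        while self._failures and now - self._failures[0] > FAILURE_WINDOW:
            self._failures.popleft()
        if len(self._failures) > MAX_FAILURES:
            self._locked_until = now + self._next_lockout
            self._next_lockout = min(self._next_lockout + LOCKOUT_STEP, MAX_LOCKOUT)
            self._failures.clear()
            return "lockout"
        return "failed"


if __name__ == "__main__":
    cache = PasswordCache()
    cache.store("correct horse", now=0)          # constructed sample password
    outcomes = [cache.verify("wrong", now=i) for i in range(11)]
    print(outcomes[-1], "for", cache.lockout_remaining(10) / 60, "minutes")
```

Two properties of the text fall out of the model directly: with timeout set to 0, cached_password never returns a value, so every message requires the password again; and because a correct password resets the escalation, the lockout only grows across repeated bursts of failures with no success in between.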

Process flow: Sending an email message using IBM Lotus Notes encryption

This diagram shows the elements that are described in the following process flow.
  1. A user indicates, using the menu in the messages application, that the BlackBerry® device must encrypt the email message.
  2. The BlackBerry device performs the following actions:
    1. prompts the user for the password for the IBM® Lotus Notes® .id file
    2. configures the email message for Lotus Notes encryption
    3. encrypts the email message using BlackBerry transport layer encryption
    4. sends the email message and password to the BlackBerry® Enterprise Server
  3. The BlackBerry Enterprise Server decrypts the email message using BlackBerry transport layer encryption.
  4. The BlackBerry Messaging Agent on the BlackBerry Enterprise Server decrypts the cached password for the Lotus Notes .id file and validates the password that the BlackBerry device sent. If the BlackBerry Messaging Agent can verify the password, the BlackBerry Messaging Agent uses the password to encrypt the message using Lotus Notes encryption.
  5. The BlackBerry Enterprise Server sends the encrypted email message to the messaging server so that the messaging server can deliver it to the recipient.

Process flow: Receiving an IBM Lotus Notes encrypted message

This diagram shows the elements that are described in the following process flow.
  1. A user uses the IBM® Lotus Notes® application on the user’s computer to encrypt a message using the password for the Lotus Notes .id file.
  2. The BlackBerry® Enterprise Server performs the following actions:
    1. retrieves the Lotus Notes encrypted message from the messaging server
    2. encrypts the Lotus Notes encrypted message using BlackBerry transport layer encryption
    3. sends the encrypted message to the BlackBerry device
  3. The BlackBerry device decrypts the message using BlackBerry transport layer encryption and stores the message without decrypting the Lotus Notes encryption.
  4. The user tries to open the Lotus Notes encrypted message on the BlackBerry device.
  5. The BlackBerry Messaging Agent on the BlackBerry Enterprise Server decrypts the cached password for the Lotus Notes .id file and uses the password to decrypt the message. If the BlackBerry Messaging Agent does not have the password cached, the user must select More, More All, or Open Attachment from the menu in the messages application to request that the decrypted message be sent to the BlackBerry device.
  6. The BlackBerry Enterprise Server deletes the decrypted password from the BlackBerry Messaging Agent memory cache and sends the decrypted message to the BlackBerry device.
