ADMINISTERING

Making DAOS object encryption keys consistent

Use the DAOS Encryption Manager task (daosencmgr) to make all DAOS objects on a server use the same encryption strength and encryption keys.

About this task

Domino 12 introduced shared encryption keys and AES-256 bit support for DAOS object encryption. Use daosencmgr, a Domino task introduced in Domino 12.0.2, to:


For example, use daosencmgr to re-encrypt objects with a shared encryption key so that objects can be used on any server that is configured to use the same shared key. A shared encryption key makes it possible to copy objects from one server to another or to use a single backup for multiple Domino servers.

It's likely that you'll use daosencmgr for a limited time and won't need to run it regularly after keys are converted to match the Server DAOS object encryption settings.

At the server console, run load daosencmgr with the list or convert options:
OptionDescription
list -O <outfile> allLists the following information at the server console:
  • The DAOS encryption settings configured in the Server document.
  • The types of object encryption keys used currently on the local server.
  • The object encryption keys on the local server that don't match the server's current DAOS encryption settings.

Use the all option to list, in addition, the tier 2 objects in S3 storage that don't match the server's current DAOS encryption settings. If there are many tier 2 objects, the command may take a long time to complete.

Use the -O <outfile> option to list the DAOS object files that are output in a file rather than at the server console. Specify an explicit file path or a file path relative to the data directory.

convert-O <outfile> -t <hours> -k <nlokey> -VRe-encrypts local objects on the server that don't match the server's current DAOS object encryption settings to use the configured encryption strength and encryption keys.

Note: Re-encryption of tier 2 objects (objects in S3 storage) isn't supported.

A message indicates if an object cannot be re-encrypted. This can occur if the encryption key is no longer available in the credential store, if the object is in tier 2 storage, or the current encryption information is otherwise unavailable.

Use -t <hours> to run convert for a specified number of hours. If there are many objects requiring re-encryption, use this option to stagger the re-encryption in batches. Without -t there is no time limit.

Use the -k <nlokey> option to re-encrypt a single .nlo file to match the server's current DAOS object encryption settings. Do not specify the .nlo extension.

Use the -O <outfile> option to list the converted .nlo files in a file rather than at the server console. Specify an explicit file path or a file path relative to the data directory.

Use the -V option to enable verbose output that displays the status of each attempted conversion.

Example

Example console output: load daosencmgr list
Example console output for the load daosencmgr list command with numbered keys that are explained after


Example console output: load daosencmgr list -O danaenc.txt, where DAOS objects are listed in the filedanaenc.txt in the data directory.
Example console output for the load daosencmgr list outfile command

Example console output for load daosencmgr convert -k <objectkey> -V
Example console output for the load daosencmgr convert -k <objectkey>