User guide
Extending messaging security using IBM Notes encryption
By default, if your organization's environment includes IBM Notes API version 7.0 or later and either BlackBerry Enterprise Server version 4.1 or later for IBM Domino or the BlackBerry Enterprise Server Express for IBM Domino 5.0 SP2 or later, a BlackBerry device can decrypt messages that are encrypted using Notes encryption.
If your organization's environment includes BlackBerry Enterprise Server version 5.0 or later or BlackBerry Enterprise Server Express version 5.0 SP2 or later, a user with BlackBerry Device Software version 5.0 or later can encrypt messages using Notes encryption. When the user creates, forwards, or replies to a message, the user can indicate whether the BlackBerry Enterprise Server or BlackBerry Enterprise Server Express must encrypt the message before it sends the message to the recipients.
To use Notes encryption on the device, the device user must import a copy of the Notes .id file into the user's message database using the BlackBerry Desktop Software or iNotes. If your organization's environment includes Domino version 8.5.1 or later and either BlackBerry Enterprise Server version 5.0 SP1 or later or BlackBerry Enterprise Server Express 5.0 SP2 or later, you can configure the BlackBerry Enterprise Server or BlackBerry Enterprise Server Express to import the Notes .id file automatically into the user's message database from the Notes ID vault.
To require the user to use Notes encryption when forwarding or replying to messages, you can configure the Require Notes
Native Encryption For Outgoing Messages IT policy rule. To prevent a user from forwarding or replying to Notes protected
messages, you can configure the Disable Notes Native Encryption Forward And Reply IT policy rule.
Protecting the password for an IBM Notes .id file
How a device protects the password for an IBM Notes .id file
After a user imports an IBM Notes .id file and the password for the Notes .id file into the user's message database, the device encrypts the password in device memory using AES encryption and the device transport key. The device decrypts the password before it calls the required security functions in the Notes API.
The device deletes the plain-text password from the device memory when it receives a notification from the BlackBerry
Enterprise Server that the BlackBerry Enterprise Server cannot decrypt a message, when the device resets, or when the
Notes password expires. (The default expiration period is 24 hours.) You can use the Native Encryption Password Timeout
IT policy rule to specify the maximum duration (in minutes) that the device stores the plain-text password for the Notes .id
file.
You can change the timeout value to 0 to require the user to type the password to decrypt each Notes encrypted email
message that the user receives on the device.
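The lifecycle described above, as an added illustrative model written for this page in Go; it is not BlackBerry's device code. It assumes AES-GCM as the AES mode, a caller-supplied 16-, 24- or 32-byte transport key, and a just-in-time unwrap before each Notes API call; the type and function names (IDPasswordStore, Enter, Password, Clear) are invented for the example. The timeout argument mirrors the Native Encryption Password Timeout IT policy rule in minutes, with 0 forcing a fresh password entry for every message, and Clear stands in for the three discard events: a "cannot decrypt" notification from the BlackBerry Enterprise Server, a device reset, and expiry.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// ErrPasswordRequired means the user must type the Notes .id password again
// before the next Notes API call can proceed.
var ErrPasswordRequired = errors.New("notes .id password required")

// IDPasswordStore is a hypothetical model (not the device's implementation):
// the .id password is held in memory only AES-GCM-wrapped under the device
// transport key, unwrapped just before a Notes API call, and discarded when
// the Native Encryption Password Timeout passes or Clear is called.
type IDPasswordStore struct {
	aead    cipher.AEAD   // AES-GCM keyed with the device transport key
	nonce   []byte        // nonce for the wrapped copy
	wrapped []byte        // ciphertext of the password; nil once cleared
	timeout time.Duration // policy value; 0 means prompt for every message
	expires time.Time     // end of the window in which the copy may be used
	now     func() time.Time
}

// NewIDPasswordStore takes the transport key and the policy timeout in minutes.
// now is injectable so the expiry behaviour can be exercised deterministically.
func NewIDPasswordStore(transportKey []byte, timeoutMinutes int, now func() time.Time) (*IDPasswordStore, error) {
	block, err := aes.NewCipher(transportKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if now == nil {
		now = time.Now
	}
	return &IDPasswordStore{aead: aead, timeout: time.Duration(timeoutMinutes) * time.Minute, now: now}, nil
}

// Enter is called whenever the user types the .id password (at import or when
// prompted). The plaintext is wrapped immediately; the caller should zero its copy.
func (s *IDPasswordStore) Enter(password []byte) error {
	s.Clear()
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.nonce = nonce
	s.wrapped = s.aead.Seal(nil, nonce, password, nil)
	if s.timeout > 0 {
		s.expires = s.now().Add(s.timeout)
	}
	return nil
}

// Password unwraps the password for one Notes API call. After the timeout the
// wrapped copy is discarded and ErrPasswordRequired is returned; with a timeout
// of 0 the copy is discarded after every single use, so each message prompts.
func (s *IDPasswordStore) Password() ([]byte, error) {
	if s.wrapped == nil {
		return nil, ErrPasswordRequired
	}
	if s.timeout > 0 && !s.now().Before(s.expires) {
		s.Clear()
		return nil, ErrPasswordRequired
	}
	pw, err := s.aead.Open(nil, s.nonce, s.wrapped, nil)
	if err != nil { // wrong key or tampered ciphertext: treat as unavailable
		s.Clear()
		return nil, fmt.Errorf("unwrap failed: %w", err)
	}
	if s.timeout == 0 {
		s.Clear()
	}
	return pw, nil
}

// Clear zeroes and drops the wrapped copy. Device reset, the server's "cannot
// decrypt" notification and expiry all lead here.
func (s *IDPasswordStore) Clear() {
	for i := range s.wrapped {
		s.wrapped[i] = 0
	}
	for i := range s.nonce {
		s.nonce[i] = 0
	}
	s.wrapped, s.nonce, s.expires = nil, nil, time.Time{}
}

func main() {
	key := make([]byte, 32) // constructed transport key for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	clock := time.Date(2013, 1, 1, 9, 0, 0, 0, time.UTC)
	s, _ := NewIDPasswordStore(key, 60, func() time.Time { return clock })
	_ = s.Enter([]byte("correct horse battery staple"))
	_, err := s.Password()
	fmt.Println("within window:", err)
	clock = clock.Add(61 * time.Minute)
	_, err = s.Password()
	fmt.Println("after timeout:", err)
}
```

The model keeps only the wrapped form resident and zeroes it on every discard path; callers that receive the unwrapped bytes are responsible for zeroing their own copy once the Notes API call returns.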
If Notes encryption is not available on the device, the user can turn it on manually by importing the Notes .id file, or by changing the password, using the BlackBerry Desktop Software or IBM Domino Web Access client.
Security Technical Overview Extending messaging security to a device
124