Create_AES_Databases – enable AES encryption for new NSFs

🛠️

Parameter: Create_AES_Databases

Short description: Controls that newly created NSFs are automatically created with AES encryption (AES-128 or AES-256) instead of RC4.

Profile

Parameter	`Create_AES_Databases`
Category	Security / TLS
Component	Server, Client
Available since	10.0
Supported versions	10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1
GUI equivalent	notes.ini only (no GUI)
Possible values	0 = off (default), 1 = AES-128, 2 = AES-256

Description

With Create_AES_Databases=2, Domino creates new NSFs with AES-256 encryption instead of the old RC4 (value 1 = AES-128). This applies to both local encryption and locally/server-side generated mail files. Mandatory setting for compliance environments.

Existing NSFs are not migrated automatically; a compact -e with the new standards is required for that.

Example configuration


Create_AES_Databases=2

Notes & pitfalls

AES-256 requires Notes/Domino ≥ 10 – clients < 10 cannot open the NSF.

Encrypted NSFs can no longer be read or copied with operating system tools (which is the point!).

Complements an ID Vault for emergency recovery of ID files.

For mass migration: set up tooling via load compact -e -t -B.

The change takes effect after a server restart and only affects newly created NSFs.