
DAOS_NLO_ENCRYPTION_METHOD

Profile

Parameter
DAOS_NLO_ENCRYPTION_METHOD
Component
Domino server (DAOS subsystem)
Available since
Domino 12.0
Values
0 = force legacy ("Domino classic") encryption; not set = Domino 12 default (AES-128; optionally AES-256 or a shared key, depending on the Server document)
GUI equivalent
None; notes.ini only. The Server document field "DAOS object encryption" additionally decides the strategy (Private to this server vs. Shared key), and the parameter only applies to the former.

Description

DAOS externalizes attachments (Notes Large Objects) as .nlo files outside the NSF. These NLOs are encrypted by default (see DAOS_ENCRYPT_NLO). What changed with Domino 12: from version 12 onward, DAOS encrypts NLOs with AES-128 by default (optionally AES-256, or a shared key from the Credential Store so that other servers in the cluster can decrypt them). Servers before 11.0.1 only know the classic Domino encryption based on the server ID.
The problem in mixed operation or after a rollback: an NLO written by a Domino 12 server with AES-128 cannot be decrypted by a pre-11.0.1 server. That rules out a clean rollback after an upgrade.
The solution: anyone who wants to keep the option of rolling back to a pre-11.0.1 release when upgrading to Domino 12 should set the following in notes.ini before the upgrade:
DAOS_NLO_ENCRYPTION_METHOD=0
This forces Domino 12 (and later) to keep using the old ("Domino classic") encryption for DAOS NLOs, provided the Server document field DAOS object encryption is set to Private to this server. Without this parameter, Domino 12 switches to AES-128 automatically.

Example configuration

Before upgrading to Domino 12 (keep rollback plan open):
DAOS_NLO_ENCRYPTION_METHOD=0
After a successful upgrade, once rollback is no longer required (switch to modern encryption): remove the parameter again or comment it out, restart the server, and convert existing NLOs to the desired method via daosencmgr convert if needed.
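The two notes.ini steps above (force classic encryption before the upgrade, drop the parameter once the rollback window has closed) as a small POSIX shell helper. This is an added example, not HCL tooling and not part of the original page: it only edits the notes.ini line, writes a backup first, treats the key case-insensitively as Domino does, and is idempotent (running "force" twice leaves exactly one line). The notes.ini path is an assumption passed as an argument; the script does not check the Server document field (DAOS object encryption must still be Private to this server) and does not restart the server, which is still required for the change to take effect.

```shell
#!/bin/sh
# Added example (not HCL's tooling): manage DAOS_NLO_ENCRYPTION_METHOD in a
# Domino notes.ini around an upgrade. The notes.ini path is an assumption and
# is passed in by the caller, e.g. /local/notesdata/notes.ini on Linux.

KEY="DAOS_NLO_ENCRYPTION_METHOD"

# Print the current value of the key, or "unset" if no such line exists.
# notes.ini keys are case-insensitive, so the match ignores case; a trailing
# CR (Windows-edited file) is stripped from the value.
nlo_encryption_method() {
    ini="$1"
    val=$(grep -i "^${KEY}=" "$ini" | tail -n 1 | cut -d= -f2- | tr -d '\r')
    if [ -z "$val" ]; then
        echo "unset"
    else
        echo "$val"
    fi
}

# Pre-upgrade step: force Domino classic NLO encryption so a rollback to a
# pre-11.0.1 server stays possible. Existing lines for the key (any case) are
# dropped first, so the result always contains exactly one KEY=0 line.
force_classic_nlo_encryption() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such notes.ini: $ini" >&2; return 1; }
    cp "$ini" "$ini.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$ini.tmp.$$"
    grep -vi "^${KEY}=" "$ini" > "$tmp" || :   # grep -v exits 1 if nothing remains
    printf '%s=0\n' "$KEY" >> "$tmp"
    mv "$tmp" "$ini"
}

# Post-upgrade step (rollback no longer needed): remove the parameter so the
# server falls back to the Domino 12 default (AES-128) after the next restart.
# NLOs already written with classic encryption are converted separately with
# daosencmgr convert, as described on the page.
release_classic_nlo_encryption() {
    ini="$1"
    [ -f "$ini" ] || { echo "no such notes.ini: $ini" >&2; return 1; }
    cp "$ini" "$ini.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$ini.tmp.$$"
    grep -vi "^${KEY}=" "$ini" > "$tmp" || :
    mv "$tmp" "$ini"
}

# Usage: sh daos_nlo_enc.sh {show|force|release} /local/notesdata/notes.ini
case "${1:-}" in
    show)    nlo_encryption_method "$2" ;;
    force)   force_classic_nlo_encryption "$2" ;;
    release) release_classic_nlo_encryption "$2" ;;
esac
```

Run "force" while the server is still on the pre-upgrade release and before the Domino 12 binaries are installed, since any NLO written by Domino 12 before the parameter is in place is already AES-128 on disk; "show" is a quick pre-flight check that the line is really there before you start the upgrade.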

Notes & pitfalls

  • Set it before the upgrade: anyone who adds the parameter only after the upgrade may already have AES-128 NLOs on disk. These must be converted back with daosencmgr convert; otherwise they remain unreadable for pre-11.0.1 servers.
  • Mind the Server document field: the parameter only takes effect together with the Server document field DAOS object encryption. If that field is set to Private to this server, DAOS_NLO_ENCRYPTION_METHOD=0 explicitly switches the DAOS encryption strength to Domino classic. With Shared key, the setting does not apply; the shared key's algorithm is used instead.
  • Tooling: load daosencmgr list shows the encryption algorithms currently in use for the NLOs on the server. load daosencmgr convert (from 12.0.2) converts existing NLOs to the configured method.
  • A server restart is required for the parameter to take effect.
  • Related parameters: DAOS_ENCRYPT_NLO (master switch for NLO encryption on/off), DAOS_RESYNC_VALIDATE_NLO_FILES (validation on resync).
  • Compliance note: anyone without a rollback obligation should not set the parameter; AES-128/AES-256 is the stronger choice over the classic procedure.
