My name is Perry Hiltz. I am a Solutions Architect with Binary Tree. My primary background is in Domino Administration and Development, and with over 16 years in this field, let me explain what I know.
In my role as a Solutions Architect, I typically speak with customers and Partners, and get asked questions about Migrations to Exchange where Lotus Notes may or may not have encrypted email.
While most production environments do not hold a hoard of these objects, the Lotus Notes client allows end users to encrypt messages very simply. For example, when sending an email in Lotus Notes, a user can check the Encrypt option under the delivery options to encrypt a single email.
However, this can also be set via policies and on individual workstations in the Preferences area of the client. When a user opens the Mail/Sending and Receiving area of the Workstation Preferences, the user can turn on "Encrypt saved copies of sent messages" and "Encrypt messages that I send".
In both of these cases when a message is sent to a user, only the intended recipient can open it. This is a security feature of Lotus Notes and Domino that prevents an Administrator using an ID with Elevated Privileges or a Server ID from accessing messages with sensitive content.
With this in mind, the question is: how can we migrate emails from Domino that contain these levels of encryption? To understand the process, you first need a clear understanding of how mail is encrypted.
In the case of Domino encryption, the process involves a public/private key architecture. When an individual plans to send an encrypted message, the intended recipient(s) are first addressed in the email. Next, when the author of the email sends the message, the message is first encrypted with the public key for each recipient, which is found in the Domino Directory. The message copy bound for that individual is then encrypted and routed.
When the intended recipient opens the message, a private key found in the user's Lotus Notes ID file unlocks the encryption and displays the message to the individual. For everyone else, this means that the message cannot be read; nor can the encryption be broken; ever!
So this means that the end user is the only person who can read this email.
How can we migrate this then with a migration account? Very simply put, we cannot. The header and subject of the email can still be read, but the body of the message is what is encrypted. So there are two ways that this message can be migrated to Exchange. The first is to have the end user do this; after all, they are the only one who can read it, right? The other option is to have the end user decrypt this email. My experience is that the end user has their own job to do, truly does not care about the migration, and most certainly does not want to do the job for you.
What I have seen work best is a communication to the user explaining that we are in the process of migrating. An audit review of the user’s mail has uncovered that there are encrypted emails within their mail, and without decryption they cannot be migrated. The user then knows that the migration is underway, and that they have messages that may not be migrated over. The user can then either exit the email, or a button in Lotus Notes can use the end user’s ID file to remove the encryption from the messages. They can now be migrated successfully to Exchange. This is part of the basic functionality of Binary Tree’s CMT For Exchange.
An alternative method is to use a Notes database as a vessel to maintain the Notes encryption. These messages can be added to a small Lotus Notes database with the encryption in place. In this event the user will need to keep a Notes client with their current ID. When the message is migrated to Exchange, the encrypted message in the database is migrated as an attachment. The user opens the attachment with their existing Notes ID, and this will decrypt the message in the Notes client.
Without these steps in the process, these messages and their content cannot be migrated. This is Lotus Notes and Domino working as designed.
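The audit review mentioned earlier can be approximated with a small LotusScript agent that counts encrypted documents in a mail file and lists their subjects, which stay readable as described above. This is an added example, not Binary Tree's CMT for Exchange code; it assumes the agent runs inside the mail file under an ID with at least Reader access, and the per-year breakdown is an illustrative choice.

```lotusscript
Option Public
Option Declare

' Added example: pre-migration audit of encrypted mail in the current mail file.
' Assumption: run as an agent in the mail database by an ID with Reader access.
' Only unencrypted fields (Subject, creation date) are read; no body is decrypted.
Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim col As NotesDocumentCollection
	Dim doc As NotesDocument
	Dim byYear List As Long      ' encrypted message count keyed by creation year
	Dim totalCount As Long
	Dim encryptedCount As Long
	Dim yearKey As String

	Set db = session.CurrentDatabase
	Set col = db.AllDocuments
	Set doc = col.GetFirstDocument

	Do Until doc Is Nothing
		totalCount = totalCount + 1
		' IsEncrypted is True when the note carries sealed (encrypted) fields
		If doc.IsEncrypted Then
			encryptedCount = encryptedCount + 1
			yearKey = CStr(Year(doc.Created))
			If IsElement(byYear(yearKey)) Then
				byYear(yearKey) = byYear(yearKey) + 1
			Else
				byYear(yearKey) = 1
			End If
			' Subject is stored outside the encrypted body, so it can be reported
			Print "Encrypted: NoteID " & doc.NoteID & " | " & doc.GetItemValue("Subject")(0)
		End If
		Set doc = col.GetNextDocument(doc)
	Loop

	Print db.Title & ": " & encryptedCount & " of " & totalCount & " documents are encrypted"
	ForAll n In byYear
		Print "  " & ListTag(n) & ": " & n
	End ForAll
End Sub
```

The per-user totals give a basis for the communication to each mailbox owner and for deciding between decrypting in place and the Notes database approach.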