ID Vault user cannot access data encrypted with secret key that was deleted and reimported

For vaulted IDs, when a secret key is deleted from the user ID and later imported again, ID Vault removes the re-imported key, so it no longer exists in the vaulted ID. The user can no longer access information encrypted with that secret key.


ID Vault contains code to merge ID file changes from multiple copies of a specific user ID into the vaulted ID. If a secret key has been deleted, ID Vault assumes that this secret key should be removed for all future use and therefore removes it from the ID, regardless of any attempt to re-import the key.

Resolving the problem

This issue is tracked as SPR NEKO7GBL3U and is under consideration for upcoming major feature releases. The Notes ID Vault is designed to support the following use case:

    A Domino administrator wishes to remove the ability for a user to see data in a Notes application that was encrypted by a specific secret key and so deletes that key from the user's ID. In this case the administrator does not wish the user to be able to restore the key to his or her ID file. ID Vault currently supports this use case. (However, note that a skilled user can save a copy of the secret key in a separate file from the ID file.)

However, workarounds exist for other use cases:

    1. A user accidentally deletes a secret key from his or her ID file. Workaround: the Domino administrator removes the ID from the ID Vault. Then the user imports the secret key back into the ID file. That ID file will be uploaded to the ID Vault again and will contain the re-imported key. However, if other copies of the ID file that sync with the vault still contain the key deletion stub, those copies will cause the key to be deleted again. So you must be sure to re-import the key into all copies OR delete the local copies of the ID file and allow the correct version to download from ID Vault.

    Please note: If an ID file is deleted from the ID Vault, it can take eight hours or longer for the user's local ID to be uploaded again to the vault. This is because a deletion stub is present for the user's ID file. During this time the following error may appear on the server console:

    ID for 'CN=Test User /OU=Sales /O=Acme' could not be authenticated in vault 'O=AcmeVault' on server 'CN=ACMEADMINSERVER/O=ACME'.
    'Test User /OU=Sales /O=Acme' made request. Error: Document has been deleted on remote server

    2. A Domino administrator wishes to temporarily remove the ability for a user to see data in a Notes application that was encrypted by a specific secret key, and then restore access to the data later. In this case the Access Control List of the application should be changed to prevent the user from opening the application and seeing the data. This use case is not intended to be supported by secret keys; Access Control Lists are the appropriate mechanism here. One workaround is to re-encrypt the document with a new secret encryption key. Another option is to encrypt the document using public keys instead.
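To make the merge behaviour behind the symptom and workaround 1 concrete, here is an added Python model of the rule the technote describes (a deletion stub is merged in from every copy of the ID and wins over a later re-import). It is an illustrative assumption, not IBM's or Domino's actual ID Vault code, and the `SalesKey` name and the laptop/desktop copies are constructed sample data.

```python
# Simplified model (an assumption for illustration, not Domino's actual implementation)
# of the ID Vault merge rule: deletion stubs are merged from every copy and win.
from dataclasses import dataclass, field

@dataclass
class IdFile:
    """One copy of a user ID: its secret key names plus deletion stubs."""
    keys: set = field(default_factory=set)
    stubs: set = field(default_factory=set)

    def delete_key(self, key: str) -> None:
        self.keys.discard(key)
        self.stubs.add(key)            # deleting leaves a stub in this copy

    def import_key(self, key: str) -> None:
        self.keys.add(key)
        self.stubs.discard(key)        # re-import clears only this copy's stub

def vault_sync(vault: IdFile, copies: list) -> None:
    """Merge every copy into the vaulted ID, then push the merged ID back out."""
    for c in copies:
        vault.stubs |= c.stubs
        vault.keys |= c.keys
    vault.keys -= vault.stubs          # stub wins, regardless of re-import
    for c in copies:
        c.keys, c.stubs = set(vault.keys), set(vault.stubs)

def reimport_only() -> bool:
    """Delete on one copy, re-import on the same copy: the vault strips the key again."""
    vault, laptop = IdFile({"SalesKey"}), IdFile({"SalesKey"})
    laptop.delete_key("SalesKey")
    vault_sync(vault, [laptop])
    laptop.import_key("SalesKey")
    vault_sync(vault, [laptop])
    return "SalesKey" in laptop.keys   # False

def workaround_1(other_copies: str) -> bool:
    """Admin removes the ID from the vault and the user re-imports on the laptop. The key
    survives only if the desktop copy is also re-imported ('reimport') or deleted ('delete')."""
    vault = IdFile({"SalesKey"})
    laptop, desktop = IdFile({"SalesKey"}), IdFile({"SalesKey"})
    laptop.delete_key("SalesKey")
    vault_sync(vault, [laptop, desktop])       # stub now in vault and both copies
    vault = IdFile()                           # admin deletes the ID from the vault
    laptop.import_key("SalesKey")
    if other_copies == "reimport":
        desktop.import_key("SalesKey")
    copies = [laptop] if other_copies == "delete" else [laptop, desktop]
    vault_sync(vault, copies)
    return "SalesKey" in laptop.keys
```

Running `workaround_1("none")` returns False because the desktop copy's stub re-deletes the key, while `"reimport"` and `"delete"` both return True, matching the two alternatives the workaround gives.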

Document information

More support for: IBM Domino
ID Recovery / ID Vault

Software version: 8.5, 9.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1611902

Modified date: 07 March 2014

