The Encrypt Documents agent will run every time a document is saved or modified. For each document, it moves the contents of the PEK field into a new PublicEncryptionKeys field and then encrypts the document.

Unfortunately, the agent will not run immediately when the document is saved. It can easily be five to ten minutes before the agent is triggered. You probably don't want the data sitting unencrypted and vulnerable for that length of time. That's where the PEKReaders field comes in.

When the document is saved, PEKReaders contains the value "LocalDomainServers". Only those servers will be able to see the document. It will be completely invisible to everyone else. The agent can see the document since the agent runs on the server. After it encrypts the fields, it removes PEKReaders so that everyone can see the document. At that time, only authorized individuals will be able to see the encrypted fields.

Of course, you'll need to make sure that the server where you want to run the agent is really a member of the LocalDomainServers group. In most cases it is, but check first.

Mission accomplished. As you can see from this workaround, Lotus didn't give much thought to encrypting saved documents with public keys in R4. The new functionality is a welcome addition. Happy encrypting.

Contributing Editor Tom Lowery is President of Portage Associates, Inc., a Notes/Domino consulting firm. He is an R5 Principal Application Developer and R5 Principal System Administrator. His hobbies include playing with his son Duncan and flying. Tom can be reached at tom@lowery.net.