Parameter:
DAOS_ENCRYPT_NLOShort description: Enables/disables encryption of DAOS NLO files (Notes Large Objects). Before Domino 12 this was the primary control setting; from Domino 12 it was replaced by the 'DAOS object encryption' field in the Server document, but the notes.ini value is still honored.
Profile
Parameter | DAOS_ENCRYPT_NLO |
Category | DAOS (NLO encryption) |
Available since | At least 9.0.1 (HCL documentation 9.0.1 – 14.5.1 as legacy setting; replaced by GUI from Domino 12, but still honored) |
GUI equivalent | Server document → tab DAOS → field DAOS object encryption (from Domino 12) |
Possible values | 0 (encryption off, not recommended) or 1 (encryption on) |
Default | Encryption active (corresponds to the DAOS encryption value configured in the Server document) |
Description
According to HCL product documentation (14.5.1, Disabling attachment object encryption):
By default, the attachment files (.NLO files) created and stored by DAOS are encrypted. While not recommended, you can disable the encryption. … This option is equivalent to the notes.ini setting DAOS_ENCRYPT_NLO=0 that was used prior to Domino 12. If you used DAOS_ENCRYPT_NLO=0, although not recommended, it is honored in Domino 12.
DAOS_ENCRYPT_NLO controls whether the attachment files (.NLO) externalized by the Domino Attachment Object Service (DAOS) are stored encrypted on disk. Before Domino 12 this was the primary control setting; from Domino 12 it was replaced by the field DAOS object encryption in the Server document (tab DAOS).- Server document value None ≡
DAOS_ENCRYPT_NLO=0
- Server document value Strong (default) ≡ NLO encryption active
If the notes.ini value is set to
0 in Domino 12 or newer, this is still valid per the HCL documentation and is honored — but the GUI configuration is the preferred path.Example configuration
Explicitly disable encryption (not recommended):
DAOS_ENCRYPT_NLO=0
Explicitly enable encryption:
DAOS_ENCRYPT_NLO=1
Notes & pitfalls
- HCL explicitly recommends keeping encryption enabled (stronger security for offloaded attachment data).
- From Domino 12 onward, use the GUI path: Server document → DAOS → DAOS object encryption.
- When switching from
0to enabled encryption (or vice versa), existing NLO files must be re-encrypted — this happens automatically on the next DAOS resync / push, but can be I/O-intensive.
- For DAOS tier 2 (e.g. MinIO/AWS S3) the DAOS encryption settings apply analogously — objects are re-encrypted on push if necessary.
Sources (HCL Product Documentation)
- HCL Domino 14.5.1 – Disabling attachment object encryption: help.hcl-software.com/domino/14.5.1/admin/admn_disablingattachmentfilencryption.html
- HCL Domino 11.0.1 – Disabling attachment object encryption: help.hcl-software.com/domino/11.0.1/admin/admn_disablingattachmentfilencryption.html
- HCL Domino 9.0.1 – Disabling attachment object encryption: help.hcl-software.com/domino/9.0.1/admin/admin/admn_disablingattachmentfilencryption.html