Migrating Encrypted Lotus Notes Mail to Microsoft Exchange

My name is Perry Hiltz.  I am a Solutions Architect with Binary Tree and I have over 16 years of experience with Lotus Notes and Domino, with quite a few of those years focused on migrating and consolidating Domino environments.
Lotus Notes to Microsoft Exchange Delivery OptionsWhen I speak with customers and partners about Domino migrations to Exchange, I frequently get asked questions about how to migrate Lotus Notes users who have encrypted email.  
While in most production environments, there is not a hoard of these objects, the Lotus Notes client does allow end users to encrypt messages very simply.  For example, the act of sending an email in Lotus Notes makes this simple.  Under the delivery options, a user can check the Encrypt option to encrypt single emails.  However, this can be set via policies and on individual workstations on the Preferences area of the client.  When a user opens the Mail/Sending and Receiving area of the Workstation Preferences, the user can turn on Encrypt saved copies of sent messages and Encrypt messages that I send.
In both of these cases, when a message is sent to a user, only the intended recipient can open it.  This is a security feature of Lotus Notes and Domino that prevents an Administrator using an ID with elevated privileges or a Server ID from accessing messages with sensitive content.  
With this in mind, the question then is how can we migrate emails from Domino that contain these levels of encryption?  
Well, the first step to understanding how to migrate encrypted emails is to make sure you have a clear understanding of how mail is first encrypted.  Microsoft Encrypted Lotus Notes to Microsoft Exchange Delivery Options
In the case of Domino encryption, the process involves a public/private key architecture.  When an individual is planning on sending a message for encryption, the intended recipient(s) are first addressed in the email.  Next, when the author of the email sends the message, the message is encrypted with the public key for each recipient that is found in the Domino Directory.  This message bound for that individual is encrypted and routed. 
When the intended recipient opens the message, a private key found in the user’s Lotus Notes ID file, one that corresponds to the public key in the Domino directory, unlocks the encryption and displays the message to the individual.  For everyone else, this means that the message cannot be read; nor can the encryption be broken; ever!  The intended recipient is the only particular person who can read the encrypted email.  
So, how can we migrate encrypted mail with a migration account?  Very simply put, we can’t.  The header and subject of the email can still be read but the body of the message is encrypted.  
There are two ways to overcome this so that the encrypted messages can be migrated to Exchange.  The first is to have the end user do the migration; after all they are the only one who can read it, right?  The other option is to have the end user decrypt their encrypted emails prior to being migrated.  My experience is that the end user has their own job to do, truly does not care about the migration, and the most certainly they do not want to do the job for you.  
What I have seen work best, is a communication to the user.  The communication explains that their organization is in the process of migrating and that an audit review of the user’s mail has uncovered that they have encrypted emails.  They are informed that unless the encrypted emails are decrypted, the encrypted messages cannot be migrated.  The user then knows that the migration is underway, and that they have messages that may not be migrated over.  And if the communication was originated by Binary Tree’s CMT for Exchange software, a Lotus Notes button would be embedded into the email that, when clicked on by the user, would then automatically use the end user’s ID File to decrypt all of that user’s encrypted messages.  If the organization is not using our software, the user may well have to decrypt their emails manually one-by-one prior to being migrated.  Only after decrypting all of their encrypted messages can they be successfully migrated to Exchange.
Without this step in the process, these messages and their content cannot be migrated.  This is Lotus Notes and Domino working as designed.