How are roaming id-files encrypted?

The customer would like to move the user id-files into the personal name and address book to automatically have the id-files roam with the users. Technote 1102575 (“What information replicates to the roamed Notes Client from the roaming server?”) states the following:

1. User ID
- The user ID is stored (as a file attachment) in the Roaming User's Personal Address Book if the user's organization allows its replication, and if the Domino Administrator selected the option for replicating it. The user ID is doubly encrypted for added security before being attached.

- Because the user ID replicates, the roaming user will no longer need to copy it to different computers when modifying it (for example, by changing the password). However, until replication occurs, a change such as a new password may not take effect immediately. If this happens, try typing the previous user password.

I took special notice of the sentence:

The user ID is doubly encrypted for added security before being attached.

This sentence raises the question of which keys are used for this encryption. It cannot be the id-file itself, since that would render the id-file undecryptable. It cannot be the server id-file, since that would make the id-file undecryptable if the user roams to another server. If it is some ad hoc keys, how does the user know how to decrypt the id-file at the next logon?

Does anyone know?

Looking at the names.nsf using NotesPeek reveals a profile document called “roaminguserid” with a file attachment ($FILE item). The item looks signed but there is distinguishable clear text.

The statement in the technote could of course be erroneous (it wouldn’t be the first time)… Sounds like IBM Support is about to get a call.

2 thoughts on “How are roaming id-files encrypted?”

  1. Well, the reply I got from Lotus Support basically only rephrased my question and removed the question mark, so I have resubmitted the PMR with a request for more information. This time I made it VERY clear that I was interested in information about the “double encryption”. The support guy would check up on it for me but was uncertain whether the developers would disclose such information.

    I’ll post when I know more.
