AD RMS Cryptographic Mode 2 and Exchange 2010 Information Rights Management
Published Apr 09 2012 09:00 AM 8,086 Views

In Exchange 2010, we built the Active Directory Rights Management Services (AD RMS) integration functionality introduced in Exchange 2007 into a suite of information protection features known as Information Rights Management (IRM). IRM requires that you have an AD RMS server deployed in your on-premises organization. See Understanding Information Rights Management for more details, including functionality offered by the different IRM features and requirements for each. You can also use IRM features in your Exchange Online organization or a hybrid deployment.

When you install AD RMS, it’s in Cryptographic Mode 1. Cryptographic Mode 1 supports 1024-bit encryption keys for RSA encryption and 160-bit keys for SHA-1 hashing algorithm. To learn more about encryption in AD RMS, see RMS Encryption and Keys.

Late last year the Windows Server team released a significant update to AD RMS that supports a new mode of encryption known as Cryptographic Mode 2. Mode 2 supports stronger encryption by allowing you to use 2048-bit keys for RSA and 256-bit keys for SHA-1. Additionally, Mode 2 enables you to use the SHA-2 hashing algorithm. For more information about cryptographic modes in AD RMS, see Active Directory Rights Management Services Cryptographic Modes.

Cryptographic Mode 2 fulfills cryptography requirements of United States federal government agencies, as recommended by the National Institute of Standards and Technology (NIST). See NIST publication SP 800-57 for details. Many other government and private organizations across the world also follow NIST recommendations. In Windows Server "8" Beta, Cryptographic Mode 2 is the default AD RMS cryptography mode.

Enabling Cryptographic Mode 2 on clients and servers is a one-way upgrade. There is no supported method for reverting to the previous cryptographic mode once the higher level is enabled.

Exchange 2010 IRM features are not compatible with Cryptographic Mode 2 at this time. Switching to this mode may result in loss of IRM functionality. If Exchange 2010’s IRM features are critical for your organization, we recommend that you not switch your AD RMS clusters to Cryptographic Mode 2.

IMPORTANT: Cryptographic Mode 2 support is not planned for Exchange Online. Exchange Online customers using on-premises AD RMS servers for IRM should not enable Cryptographic Mode 2.

We’re working on an update for Exchange 2010 that’ll enable the use of Cryptographic Mode 2 on AD RMS.

Bharat Suneja

Update 2/20/2013: Exchange 2010 IRM support for Crypographic Mode 2 has been added in Exchange 2010 SP3.

Subscribe to the EHLO RSS feed and follow us on Twitter to get the latest announcements on Exchange software updates.

Version history
Last update:
‎Jul 01 2019 04:06 PM
Updated by: