conpal LAN Crypt for macOS

• What is conpal LAN Crypt for macOS?
  • Data protection with conpal LAN Crypt for macOS
  • Differences between conpal LAN Crypt for Windows und conpal LAN Crypt for macOS
• Encryption
  • Transparent Encryption
    • Access to encrypted data
    • Explicit decryption of files
    • Files and folders excluded from encryption
  • Transparent encryption and file-compression tools
• Configuration
  • Create configuration file
    • Mandatory settings in the configuration file
    • Optional settings
    • Reload configuration file
  • Certificates
  • Loading the policy file
    • conpal LAN Crypt default behavior
    • Load updated policy file manually
  • Logon to conpal LAN Crypt
    • Logon with token
  • Client Status-Information
  • Encryption for cloud storage services
    • Configuration for Microsoft OneDrive
    • Configuration for Google Drive
    • Linking multiple cloud storage accounts
    • Usage
  • Enable Quick Action extension
• Installation
  • Installing conpal LAN Crypt for macOS
  • Uninstalling conpal LAN Crypt for macOS
• Using “Icutil”
  • Print version information of conpal LAN Crypt for macOS
  • Collect logs
• Technical support
• Legal notice

What is conpal LAN Crypt for macOS?

With transparent file encryption, conpal LAN Crypt enables the exchange of confidential data within authorization groups in small, medium, and large organizations. conpal LAN Crypt works without user interaction. It supports the role of a security officer (SO), who can restrict the access rights to files encrypted with conpal LAN Crypt. A master security officer (MSO) has the right to manage conpal LAN Crypt or to delegate authorizations. In this way, a hierarchy of security officers can be set up that can meet the security requirements in any company.

Encrypted files do not need to be assigned to individual users. Any user who has the required key can work with an encrypted file. This allows administrators to create logical user groups that can share access and work with encrypted files. This process can be compared to a kind of key ring as used in daily life. conpal LAN Crypt equips users and user groups with a key ring, whose individual keys can be used for different folders or files. Each time a user moves a file to an encrypted folder, the file is encrypted on that user’s computer. If another user in the same privilege group reads the file from the folder, it is transferred in encrypted form. The file is only decrypted on the recipient’s computer. The user can edit it there. Before the file is transferred back to the encrypted folder, it is encrypted again.

Unauthorized users may be able to access these encrypted files (only from workstations without conpal LAN Crypt), but without the corresponding conpal LAN Crypt authorization they will only see their encrypted content. This way the file always remains protected, even if no access protection is defined in the file system itself, the network is attacked, or the employees do not follow the security guidelines of the organization.

Data protection with conpal LAN Crypt for macOS

conpal LAN Crypt guarantees that sensitive files can be stored encrypted on file servers and workstations. Likewise, the transmission in networks (LAN or WAN) is protected, as the encryption and decryption are carried out in the main memory of the user’s workstation. On the workstations, all encryptions and decryptions are transparent and largely without user interaction. No special security software needs to be installed on the file server itself.

A security officer can define access authorizations for specific folders and files. Those permissions are summarized in encryption profiles which are stored in a so-called policy file, along with the encryption keys that have been assigned to a user. The policy file is encrypted with a user-specific key and signed by the security officer to protect against malicious modifications. On the endpoint, legitimate users can use decode the encryption profiles along with the assigned keys. Once loaded into the system, they have full access to data encrypted with conpal LAN Crypt.

conpal LAN Crypt enables users to be divided into different authorization groups. All conpal LAN Crypt users sharing the same encryption profile in their policy file are members of an authorization group. Encryption keys necessary for accessing encrypted files are assigned automatically. Policy files must be deployed to the client for any updates to take effect. As soon as the policy file has been deployed to the client, files can be transparently encrypted or decrypted as soon as they are opened or closed. All forms of organization can be mapped from a LAN model in which users are administered centrally to a distributed model in which users only use notebooks.

Differences between conpal LAN Crypt for Windows und conpal LAN Crypt for macOS

Configuration file substitutes group policy

All settings are made via the config.plist file, which must be created after installation (see Configuration).

A configuration file is necessary because the macOS client itself cannot use Windows group policies. The configuration file contains all necessary settings for the client, such as paths to policy files, certificates, and the user’s key file.

Encryption algorithms supported by conpal LAN Crypt for macOS

conpal LAN Crypt for macOS supports the following encryption algorithms:

• AES-256 Bit (XTS-Modus)
• AES-256 Bit (CBC-Modus)
• AES-128 Bit (XTS-Modus)
• AES-128 Bit (CBC-Modus)

Note

• Please note in this context that conpal LAN Crypt for Windows also supports other encryption algorithms (such as “IDEA” or “3DES”, etc.). conpal LAN Crypt for macOS accepts policies containing rules with unsupported encryption algorithms. But due to the lack of support, it simply drops such rules.

In case the (master) security officer has activated the “Key Wrapping” option (default setting), security officer data and user profile data are encrypted with a randomly generated session key using the selected algorithm (default: AES). This key is then in turn RSA-encrypted with the public key from the certificate.

conpal LAN Crypt for macOS supports the following encryption algorithms for Key Wrapping:

• AES-256 Bit
• 3DES

Note

• When using security tokens or smart cards, make sure the hardware and/or the middleware software supports the selected algorithm.

Encryption

Transparent Encryption

For the user, transparent encryption means that all data stored in encrypted form (in encrypted folders or drives) is automatically decrypted in main memory as soon as it is opened by an application (such as Office). When the file is saved, it is automatically re-encrypted. Transparent encryption covers all file operations. Because all processes run in the background, users don’t notice when they work with encrypted files.

Encryption does not depend on folders, but only on encryption rules. The encryption works as follows:

• All files for which an encryption rule exists for, are automatically encrypted.

• When files are moved or copied to an encrypted folder, they are encrypted according to the encryption rule defined for that folder. The Security Officer can define several encryption rules for different file types or file names located in the same folder via the conpal LAN Crypt Administration. For example, you can encrypt Word files with a different rule than Excel files, even though both files are in the same folder.

• When encrypted files are renamed, they remain encrypted. If a different encryption rule is active on the destination folder, the file is encrypted with the key specified in that rule. However, a rename operation will never result in a decryption of the file.

• If a file is copied to another folder within the same SMB share or to another SMB share that does not have an encryption rule, it is automatically decrypted. If files are moved within the same SMB share, they remain encrypted. This also applies to folders for which an “Exclude” or “Ignore” rule exists.

Access to encrypted data

To be able to read or write encrypted files, a user always needs the key required for this purpose. All keys and encryption rules are assigned to users by the Security Officer via their policy file.

If the user has the required key with which files are encrypted, he can always open them. This is especially true even if there is no encryption rule in the profile policy for an SMB share and for the directories and files there.

Note

• However, if an SMB share has an “Ignore rule”, a user will not be able to open encrypted files contained there, even if the user has the required key.

If a network share is covered by an encryption rule, quick access to the mounted folder is available in the conpal LAN Crypt for macOS menu bar item.

Explicit decryption of files

To decrypt a file, you only need to copy or move it to a folder without encryption rules. The file is then automatically decrypted.

Prerequisites:

• A corresponding encryption profile is loaded

• The user has the required key

• The active encryption profile does not contain an encryption rule for the new location.

Files and folders excluded from encryption

The following files and folders are automatically excluded from encryption, even if an encryption rule has been defined for them:

• Files on all local drives.

• Files in folders which are defined in conpal LAN Crypt with an “exclude” or “ignore” rule.

Transparent encryption and file-compression tools

File-compression tools open files, read their content, and compress it. If transparent encryption / decryption is enabled, these tools receive plaintext content. It is therefore vital for data protection to ensure that the resulting archive is stored in a folder covered by an encryption rule.

Configuration

Create configuration file

All settings for conpal LAN Crypt for macOS are made via the configuration file config.plist, which must be created after installation. A template is supplied and installed in the directory:

/Library/conpal/LAN Crypt/useragent.app/Contents/Resources/config.plist.template

After editing the template, copy it to the location below:

~/Library/Application Support/de.conpal.lancrypt/config.plist

Mandatory settings in the configuration file

PolicyPath: Mount point to the policy file

In the <string> section, enter the path to the mounted network share where the users’ policy files (.xml.bz2) are stored.

Example:

<key>PolicyPath<key>
<string>/Volumes/lancrypt/Profile</string>

SOCertLocation: Mount point to the security officer’s public certificate

In the <string> section, enter the network share where the security officer’s public certificates (.cer) are stored.

Example:

<key>SOCertLocation</key>
<string>/Volumes/lancrypt/certificates</string>

Optional settings

You can also configure optional settings in the configuration file. These settings are important if, for example, the user login name on macOS differs from the user’s name in the conpal LAN Crypt Administration.

UserName: Login name of the user

If the directory username and the local username do not match, UserName must be set to the name of the user in the conpal LAN Crypt Administration. Only if the login name and the policy file name are identical, the user can properly work with conpal LAN Crypt for macOS.

CertificatePath: Mount point to the key file (.p12) of the user

After specifying the mount point for the key file (.p12) of the user, conpal LAN Crypt for macOS automatically tries to import a .p12 key file into the user’s keyring if the private key of the policy file is not available.

This file must be named after the respective user-login:

[LOGIN_NAME].p12

Note

• If users are to be logged in with a security token or smart card, the whole (<key>CertificatePath</key>) entry must be omitted.

AutoMountAllNetworkShares: Auto-mount all network shares

Rules are typically bound to the UNC path of a server, either via IP address or DNS name. If it is not desirable to have such absolute rules, the Security Officer can also use relative rules that match parts of the UNC path. While this approach works on Microsoft Windows because it can browse UNC paths like any other (local) folder on the file system, macOS requires that a shared folder is mounted before it is accessible. When a shared folder is mounted by a user with only relative rules in their policy, conpal LAN Crypt for macOS would ignore it because it does not match any rule in the policy. In such scenarios, you can set the AutoMountAllNetworkShares parameter to “true” to enable transparent encryption and decryption regardless of the policy. If configured, all UNC paths are ignored by conpal LAN Crypt for macOS. Relative rules work as expected.

Example:

<key>AutoMountAllNetworkShares</key>
<false/>

DisableCertificateValidation: Disable Certificate Validation

You can specify whether any errors found when checking user certificates are to be ignored.

Example:

<key>DisableCertificateValidation</key>
<true/>

This setting is useful if the validity period of a certificate has expired, and no new certificate is available yet. To ensure that a user can continue to access their encryption profile, the option allows to disable checking of the certificate’s validity period. Once the new certificates are available, this setting can be disabled again by changing the parameter for this setting to false.

Note

• Alternatively, trust settings can also be configured in Keychain Access. However, ignoring errors that occur during certificate checks always means a reduction in security.

AgentEnvironment: List of environment variables

When using a policy with keywords that should resolve to a specific value, an administrator can do so by specifying them in AgentEnvironment.

Example:

<key>AgentEnvironment</key>
<dict>
<key>%Username2%</key>
<string>steve</string>
<key>%directory1%</key>
<string>finances</string>
<key>%directory2%</key>
<string>management</string>
</dict>

PolicyUpdateInterval: Policy Update-Interval

Time interval between checks for new policies (minutes). If a new policy is available, it will be automatically loaded and applied.

Example:

<key>PolicyUpdateInterval<key>
<integer>240</integer>

Reload configuration file

Changes to the configuration file require a restart of conpal LAN Crypt for macOS to take effect. To do so, open a terminal and execute below command or perform a logout and login.

launchctl unload /Library/LaunchAgents/de.conpal.lancrypt.useragent.plist && launchctl load /Library/LaunchAgents/de.conpal.lancrypt.useragent.plist

Certificates

Before users can access their encryption profile, the corresponding certificate must be available on the Mac. The security officer distributes these certificates to the users along with the corresponding password or PIN to access them. A path where the conpal LAN Crypt Administration stores the user certificates as well as the public certificate (.cer) of the Security Officer must be configured. From this path, users then import their PKCS#12 key file (their certificate) onto their computer. If the certificates are available at the first logon, the entire process up to PIN entry runs automatically without any user interaction.

Note

• If the login to conpal LAN Crypt fails, errors will be logged to the system log. To filter for LAN Crypt, set the subsystem to de.conpal.lancrypt. Also enable the “Include Info Messages” and “Include Debug Messages” options in Console. Alternatively, you can also view this information live in Terminal using the following command: log stream --level debug --predicate 'subsystem == "de.conpal.lancrypt"

The certificate is checked every time the encryption profile is loaded. If a valid certificate is found, the user is logged on to conpal LAN Crypt. If no valid certificate is found, the user is not able to work with encrypted data.

Encryption rules with their assigned keys from the conpal LAN Crypt encryption profiles give users access to encrypted data. These rules define exactly which files in particular directories have to be encrypted by each key. A user’s encryption profile only needs to be loaded and encryption and decryption takes place in the background (transparently).

Note

• In order for conpal LAN Crypt for macOS to import the certificates automatically, it is important that the file names of the certificates exported from the Admin Console are not changed.

Loading the policy file

conpal LAN Crypt default behavior

When a user logs in, their cached user profile is loaded first. conpal LAN Crypt for macOS automatically checks for new policy files for the user if the configured policy path is accessible. If a new policy file is found, the cached policy will be updated.

The user can start working with encrypted files while conpal LAN Crypt continually checks for new versions of the policy. If the specified policy location is not accessible, the cached profile is used.

Note

• conpal LAN Crypt verifies the certificates of the user and the public certificate (.cer) from the (Master) Security Officer, who created the policy file. If the certificate contains a “CRL Distribution Point” and no valid CRL is present on the system, conpal LAN Crypt for macOS initially does not trust this certificate. In the user’s Keychain, the user can change the trust setting and then assign the setting “Always Trust” for this certificate.

Load updated policy file manually

To manually reload the policy, open the client information UI and click Reload Policy in the About tab’s tools menu.

Logon to conpal LAN Crypt

conpal LAN Crypt encryption profiles are created by a security officer, in accordance with the company’s security policy, and then stored in policy files. An encryption profile can only be loaded if the user owns the corresponding certificate.

The policy files are stored in a path defined for this purpose (network share). For conpal LAN Crypt for macOS to find the policy file, the location must be defined in the configuration file. This also applies to the path where the public certificate of the security officer can be found.

When a user logs in to conpal LAN Crypt, the encryption profile stored in the policy file is loaded by conpal LAN Crypt for macOS. If the user holds the proper key, the profile is decrypted end the encryption rules are applied.

Logon with token

Users can also log on to conpal LAN Crypt for macOS using a token. A prerequisite for this logon method is that the user’s conpal LAN Crypt user certificate is stored on the token. If the user certifi-cate is found on a token connected to the system, the user is logged on.

Note

• If users are to be logged in with a security token or smart card, you may not enter a mount point to the user’s key file (.p12) in the configuration file.

Client Status-Information

conpal LAN Crypt for macOS provides detailed information about its state. Available information is divided into individual tabs as follows:

Status

Shows general information about the program status. In addition to information about the active user, the lifetime and update interval of the loaded policy are also displayed.

Rules

This tab lists all active encryption rules.

Keys

This tab list all keys available to the user.

About

This tab shows information about the program version. The instruction manual can also be opened on this page.

Encryption for cloud storage services

Configuration for Microsoft OneDrive

conpal LAN Crypt for macOS provides support for encryption in Microsoft OneDrive. This feature can only be enabled on Macs with Apple Silicon, or on Intel Macs with a T2 security chip running macOS 12 or later. FileVault must be enabled on all other computers. This ensures that files are protected after they are downloaded from the cloud to the Mac.

Users can add their OneDrive account from the Accounts tab in the Information dialog of conpal LAN Crypt for macOS. Once the account has been successfully added, a new entry called “conpal LAN Crypt” will appear in the Finder under Locations, giving the user access to their personal drive, including any folders associated with it.

When you first log in, OneDrive may ask you to give conpal LAN Crypt for macOS permission to access your OneDrive. Permission is required for the product to function properly.

Configuration for Google Drive

conpal LAN Crypt for macOS also provides support for encryption in Google Drive. Google Workspace accounts as well as personal Google accounts are supported.

Users can add their Google account on the Accounts tab in the information dialog of conpal LAN Crypt for macOS. After an authorization and authentication dialog (OAuth), the account is successfully linked. A new entry named “conpal LAN Crypt” appears under Locations in the Finder, giving users access to their personal drive including all folders associated with it.

Linking multiple cloud storage accounts

If more than one cloud storage account is linked with conpal LAN Crypt for macOS, the associated naming of the entries in the Finder is extended with the respective account information (cloud storage service and e-mail address used) for a better overview.

Usage

When browsing the respective folder structure in the Finder, the system creates dataless files for each item found on the user’s drive. These dataless files do not occupy space on the device and are downloaded only when the user actively opens a file or uses Download Now in the context menu. Downloaded files and modified files that have been successfully synced back to OneDrive/Google Drive can also be removed from the device to free up storage space. This action is also available in the context menu.

To share a file or folder with others, the Show Online option in the context menu takes the user to the file or folder in the online view of the respective cloud storage service using the default browser. The user can now use the familiar Share functionality here, for example.

Note

• There is no keyword for OneDrive or Google Drive in the conpal LAN Crypt administration. Only relative rules are supported.

• Files that are subject to an encryption rule are encrypted when their content is uploaded to the cloud.

• When the content of encrypted files is downloaded, it is decrypted if the corresponding encryption key is available.

• Every file in OneDrive/Google Drive has a version history. Uploading an encrypted version of a file does not remove its history. It is therefore possible to restore an unencrypted version.

• The supported cloud storage services and conpal LAN Crypt for macOS can work in parallel without any problems. conpal LAN Crypt for macOS can be used as a replacement for the clients of OneDrive and Google Drive.

• Encryption functions are only available when folders are accessed via the conpal LAN Crypt location.

Enable Quick Action extension

conpal LAN Crypt for macOS comes with a Quick Action extension for quickly viewing file-specific encryption information. For this to work, however, you must first enable the extension within the System Preferences.

To do this, simply follow these steps:

1. Open the System Preferences.

2. Now click on Extensions.

3. Now select the Finder tab on the left and activate the Quick Action extension Encryption Information.

To view the encryption information of a file, you can now right-click on it and access it via Quick Actions. If files are not subject to any rule and the key is available, they can also be decrypted directly via the encryption information dialog.

Installation

Installing conpal LAN Crypt for macOS

conpal LAN Crypt for macOS supports the following versions of macOS:

• macOS 13 Ventura
• macOS 12 Monterey
• macOS 11 Big Sur
• macOS 10.15 Catalina

macOS 10.13 High Sierra introduced a new security feature that requires users to manually approve the loading of kernel extensions. Since conpal LAN Crypt for macOS includes such an extension to provide its transparent encryption and decryption functionality, administrators may need to take additional steps depending on the environment.

The operating system provides its own tool for managing kernel extensions. In the current version, this tool is known as kmutil and allows you to check the status of kernel extensions (kmutil showloaded). More information on the topic can be found on Apple’s website: Installing a Custom Kernel Extension

Unmanaged Macs

A dialog pops up after the installation of conpal LAN Crypt for macOS informing the user to open System Preferences and click the Allow button on the General tab in the Security & Privacy pane. This button is only visible for 30 minutes after installation. After the system has rebooted, conpal LAN Crypt for macOS is functional.

Managed Macs

For MDM-managed Macs, administrators can configure policies to whitelist the team identifier used to code sign the conpal LAN Crypt for macOS kernel extension. Refer to the mobile device management documentation how to configure such policies. For conpal LAN Crypt for macOS team identifier NXV97CU3K4 must be whitelisted.

Uninstalling conpal LAN Crypt for macOS

Open Uninstaller.pkg from the path below and proceed through the dialogs.

/Library/conpal/LAN Crypt/Uninstaller.pkg

Note

• After uninstalling conpal LAN Crypt for macOS, encrypted files can no longer be decrypted. Uninstalling conpal LAN Crypt for macOS does not decrypt files.

Using “Icutil”

In addition to the program components, a console application ‘lcutil’ is installed. This tool can be useful when solving technical problems. It is installed in the following directory:

/Library/conpal/LAN Crypt/useragent.app/Contents/Resources

This provides users advanced functions of conpal LAN Crypt for macOS, which are described below.

Print version information of conpal LAN Crypt for macOS

To print the version information of conpal LAN Crypt for macOS, the user must open the terminal and execute the following command:

/Library/conpal/LAN\ Crypt/useragent.app/Contents/Resources/lcutil version

Collect logs

You can export all conpal LAN Crypt for macOS logs to a file (.xz). Certain events can be recorded, evaluated, archived, and checked at any time in this way.

To export all conpal LAN Crypt for macOS logs in a file, the user must open the terminal and executing the following command:

/Library/conpal/LAN\ Crypt/useragent.app/Contents/Resources/lcutil collect-logs

The following events are collected in the log file:

• System log
• mount table
• process table
• version information
• system profiler
• cached policies and
• config.plist
• information about configured cloud provider accounts (macOS 12 and above)

Technical support

To access technical support for conpal products do the following:

All maintenance contract customers can access further information and/or knowledge base items at the following link support.conpal.de. As a maintenance contract customer, send an email to technical support using the support@conpal.de email address and let us know the exact version number, operating system and patch level of your conpal software and, if applicable, a detailed description of any error messages you receive or applicable knowledge base items.

Legal notice

Copyright © 2018 - 2023 conpal GmbH, 1996 - 2018 Sophos Limited and Sophos Group. All rights reserved. conpal®, AccessOn® and AuthomaticOn® are registered trademarks of conpal GmbH.

All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid license where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

You find copyright information on third party suppliers in the 3rd Party Software document in your product directory.

Last updated 01.02.2023