conpal LAN Crypt Client-API

 


Overview

The API described in this document is used to access conpal File Encryption Client functionality through an API. A new type of rules – so called encryption tags – can be used that allows external applications to control encryption. Encryption tags map a tag to a special key and allow triggering the encryption of files with certain keys via the API.

The API allows two ways to access encryption conpal File encryption functionality:

  • A command line tool, see section 3.4 - Command line tool

  • A COM and plain C++ interface, see section 3 - Detailed Function Reference

Following figure shows the main parts of the API:

../img/img1.png

The API can only be used with an installed CP File Filter. The API requires a profile to be loaded and the API has access to the keys in the loaded profile.

The API provides several functions that control the File Encryption. The command line tool can be used without any Authentication and provides a limited set of functions than the COM / C++ API.

Authentication is based on Microsoft Authenticode:

  • The access to the COM/C++ API can be restricted to specific applications that are Authenticode signed.

  • Furthermore, the access to the COM/C++ API can be restricted to Authenticode signed applications that are Authenticode signed with a specific certificate.

Functionality overview

Following table lists the available functionality for the command line tool as well as the COM / C++ API.

Functionality Command Line Tool (Parameter) COM / C++ API (Function)
Allow to retrieve status information via the API status GetStatus
Retrieve encryption rules rules GetProfile
Allow to retrieve the encryption status of a file encstatus GetEncryptionStatus
Encrypt or re-encrypt a file encrypt EncryptFile
Refresh encryption policies refresh RefreshPolicy
Decrypt a file Not Possible DecryptFile
Secure delete of a file Not Possible DeleteFile
Temporarily set an encryption rule Not Possible SetTemporaryRule
Turn on/off encryption Not Possible ActivateEncrpytion
Allow access to API only to trusted apps Not Possible Yes

In addition to Windows, conpal LAN Crypt also supports macOS as well as Android and iOS for mobile devices.

General configuration of the API

Following general configuration of the SGNFE API can be done via the CP LAN Crypt Administration:

  • The SGFE API must be generally enabled.

  • The use of the command line tool on the client can be enabled / disabled via a central setting.

  • The priority of the different rule types can be defined (e.g. Encryption tags have precedence for all other rules)

  • Allowed Applications can be defined that define the applications that are allowed to access the API.

  • Trusted Vendors can be defined that restrict the access to the API to applications from specific vendors (via certificates).

For further details, please see the conpal LAN Crypt Administrator Help.

Encryption tags

For the encryption function EncryptFile respectively the encrypt parameter of the command line Encryption tags can be used. These encryption tags are a new type of File Encryption rules that map a tag to a key. Encryption tags can be defined similar to encryption rules in the Admin and get transferred to the client via the profile.

Example:

Following encryption tag is defined in the administration and available on the client:
TAG: Confidential, Key: <KEY-X-GUIDY>
Following call of the command line:
SGFEAPI encrypt /Tag:CONFIDENTIAL c:\encrypt.doc
Will result in encrypting the file c:\encrypt.doc with the KEY-X-GUID.

API changes

Changes in conpal 4.1.0

API version 4.1.0 is part of conpal LAN Crypt Client 4.1.0.

New API functions:

  • ClearProfile

Changes in Sophos 8.00.0

API version 8.00.0 is part of LAN Crypt Client 3.95.

No changes were done.

Changes in Sophos 6.06.0

All described changes are based on LAN Crypt Client API 3.71.

The API is based on the former conpal LAN Crypt Client API but has now changed its name to conpal File Encryption API and the name of the classes, so existing applications must be changed to use the new classes:

Old Name (conpal LAN Crypt < 3.90) New Name (conpal LAN Crypt >= 3.97)
SGLCCLIENTAPI.SGLCClientApi SGFECLIENTAPI.SGFEClientApi
CSGLCClientApi CSGFEClientApi
CSGLCCoreClientApi CSGFECoreClientApi
  • The API can now also be accessed from a 64-bit process. If the API is installed on a 64-bit operating system, the API is available in 32-bit and 64-bit.

  • The client API must now explicitly enabled in the conpal LAN Crypt Administration, otherwise all functions except GetStatus will fail with the error code LCCAPIERR_PROCESS_NOT_ALLOWED.

  • The applications which are using the client API must now be configured in the conpal LAN Crypt Administration. This is also the case for vb-scripts. To execute vbs-files, cscript.exe and / or wscript.exe has to be allowed to use the client API.

Changed API functions:

GetProfile now returns also the key GUID and encryption tag information. IEncRule and ENCRULE were extended with these data fields.

New API functions:

  • DecryptFile

  • DeleteFile

  • EncryptFile

  • GetEncryptionStatus - GetStatus

  • RefreshPolicy

  • SetTemporaryRule

New error codes

  • LCCAPIERR_PROCESS_NOT_ALLOWED - LCCAPIERR_FILE_IO_ERROR

  • LCCAPIERR_RULE_CONFLICT

  • LCCAPIERR_KEY_NOT_AVAILABLE

  • LCCAPIERR_INVALID_TAG

Command line tool for selected API functions


Detailed Function Reference

General

The COM API is implemented in the class CSGFEClientApi, the C++ API is implemented in the class CSGFECoreClientApi. Both classes are exported from SGFEClientAPI.DLL. The methods of the classes are described in the following chapters. The API is part of the conpal LAN Crypt Client. The client API must be installed and enabled in the conpal LAN Crypt Administration. All applications which are using the client API must be configured in the conpal LAN Crypt Administration.

Note

  • All functions return LCCAPIERR_OK if successful or an error code if an error occurred.

All parameters are required – that means that all parameters have to be provided and all parameters must contain valid values.

Error codes are defined as follows:

Code Description Name
0 The Function succeeded normally. LCCAPIERR_OK
1 General Failure. This indicates an error in the provided data as well as an internal error. LCCAPIERR_GENERAL_ERROR
2 The Argument passed is of an invalid type. This happens in conjunction with [in/out] parameters passed to. LCCAPIERR_INVALID_ARGUMENT
3 The function cannot be executed, because no encryption rules are loaded. LCCAPIERR_NO_PROFILE_LOADED
4 The current process is not allowed to use the API function. To enable the process, configure the client API in the conpal LAN Crypt Administration. LCCAPIERR_PROCESS_NOT_ALLOWED
5 The specified file does not exist or cannot be accessed. LCCAPIERR_FILE_NOT_FOUND
6 The file cannot be encrypted or decrypted, because it would result in a conflict with an existing encryption rule. LCCAPIERR_RULE_CONFLICT
7 The encryption key is not available or does not exist. LCCAPIERR_KEY_NOT_AVAILABLE
8 The specified encryption tag does not exist. LCCAPIERR_INVALID_TAG

Constants

Name Description Value
LC_MAX_SHORTKEYNAME_LEN Maximum length of the short key name (number of characters not including the terminating 0). 16
LC_MAX_LONGKEYNAME_LEN Maximum length of the long key name (number of characters not including the terminating 0). 256
LC_MAX_KEYGUID_LEN Maximum length of the key GUID (number of characters not including the terminating 0). 256
LC_MAX_ALGORITHM_LEN Maximum length of the encryption algorithm (number of characters not including the terminating 0) 16

Encryption Algorithm Names:

  • AES-256

  • AES-128

  • DES

  • 3DES

  • IDEA

  • XOR

Structures

COM

The COM implementation uses Enumerators to iterate through the encryption rules of a profile.

The COM-Enumerator is implemented through the interface IProfile:

interface IProfile : IDispatch

{

[propget, id(DISPID_VALUE), helpstring("method Item")]
HRESULT Item([in] VARIANT index, [out, retval] IEncRule** pItem);

[propget, id(1), helpstring("property Count")]
HRESULT Count([out, retval] long *pVal);

[propget, restricted, id(DISPID_NEWENUM)]
HRESULT _NewEnum([out, retval] LPUNKNOWN *pVal);

};

The IProfile implementation returns COM-Objects which implements the following interface:

interface IEncRule : IDispatch

{

[propget, id(1), helpstring("property Path")]
HRESULT Path([out, retval] BSTR *pVal);

[propget, id(2), helpstring("property Exclude")]
HRESULT Exclude([out, retval] BOOL *pVal);

[propget, id(3), helpstring("property Ignore")]
HRESULT Ignore([out, retval] BOOL *pVal);

[propget, id(4), helpstring("property Subdir")]
HRESULT Subdir([out, retval] BOOL *pVal);

[propget, id(5), helpstring("property EncOnly")]
HRESULT EncOnly([out, retval] BOOL *pVal);

[propget, id(6), helpstring("property ShortKeyName")]
HRESULT ShortKeyName([out, retval] BSTR *pVal);


[propget, id(7), helpstring("property LongKeyName")]
HRESULT LongKeyName([out, retval] BSTR *pVal);

[propget, id(8), helpstring("property KeyGUID")]
HRESULT KeyGUID([out, retval] BSTR *pVal);

[propget, id(9), helpstring("property EncryptionTag")]
HRESULT EncryptionTag([out,retval] BOOL *pVal);};


};

C++

The C++ implementation uses the structure ENCRULE which contains all elements of an encryption rule.

{

WCHAR wszPath[2*MAX_PATH];        // full path name of the encryption rule

BOOL bExclude;                    // exclude flag

BOOL bIgnore;                     // ignore flag

BOOL bSubdir;                     // include also subdirectories of wszPAth

BOOL bEncOnly;                    // only encrypted files can be accessed

BOOL bEncryptionTag;              // TRUE if wszPath is an ecryption tag

WCHAR wszShortKeyName[LC_MAX_SHORTKEYNAME_LEN+1];        // short keyname

WCHAR wszLongKeyName[LC_MAX_LONGKEYNAME_LEN+1];          // long short keyname

WCHAR wszKeyGUID[LC_MAX_KEYGUID_LEN+1];                  // key GUID


}; ENCRULE, *PENCRULE;

Function reference

ActivateEncryption

This method tells the driver to activate or deactivate the file encryption.

COM

HRESULT ActivateEncryption(
    LONG bActivateEncryption
);

C++

DWORD ActivateEncryption(
    BOOL bActivateEncryption
);

Parameters:

bActivateEncryption [in]

  • TRUE -> activate encryption
  • FALSE -> deactivate encryption

ClearProfile

Clears user profile. Call this function to delete currently loaded encryption rules.

COM

This method is not implemented for COM.

C++

DWORD ClearProfile ();

DecryptFile

This method decrypts a single file. Decryption is only allowed if no encryption rule is active for the file.

COM

HRESULT DecryptFile(
    BSTR strFileName
);

C++

DWORD DecryptFile(
    LPCWSTR strFileName
);

Parameters:

strFileName [in]

  • Fully qualified name of the file that should be decrypted. The file name must not contain any wildcards. Folders are not supported.

DeleteFile

This method securely deletes a single file. The encryption key is required to delete an encrypted file.

COM

HRESULT DeleteFile(
    BSTR strFileName
);

C++

DWORD DeleteFile(
    LPCWSTR strFileName
);

Parameters:

strFileName [in]

  • Fully qualified name of the file that should be deleted. The file name must not contain any wildcards. Folders are not supported.

EncryptFile

This method encrypts a single file. The file encryption may be rejected, if an encryption rule is active. It is possible to allow encryption of files if an encryption rule is active.

COM

HRESULT EncryptFile(
    BSTR     strFileName,
    BSTR     strTag,
    BSTR     strKey,
    VARIANT* strKeyName,
    VARIANT* strKeyGUID
);

C++

DWORD EncryptFile(
    LPCWSTR strFileName,
    LPCWSTR strTag,
    LPCWSTR strKey,
    LPWSTR  strKeyName,
    size_t  cchKeyName,
    LPWSTR  strKeyGUID,
    size_t  cchKeyGUID
);

Parameters:

strFileName [in]

  • Fully qualified name of the file that should be encrypted. The file name must not contain any wildcards. Folders are not supported.

strTag [in]

  • Encryption tag which should be used to encrypt the file. Set strTag to NULL or empty string if it should be ignored (see remark below).

strKey[in]

  • Encryption key which should be used to encrypt the file. The encryption key can be specified with the key GUID or with the short name of the key. Set strKey to NULL or empty string if it should be ignored (see remark below).

strKeyName [out]

  • Short key name if the file was encrypted successfully. If the C++ Interface is used, strKeyName must be big enough to store LC_MAX_SHORTKEYNAME_LEN+1 characters.

cchKeyName [in]

  • Size of strKeyName in characters.

strKeyGUID [out]

  • GUID of the key if the file was encrypted successfully. If the C++ Interface is used, strKeyGUID must be big enough to store LC_MAX_KEYGUID_LEN+1 characters.

cchKeyGUID [in]

  • Size of strKeyGUID in characters.

Note

  • The key which should be used to encrypt the file can either be specified using the parameter strTag or strKey, whereby strTag is used if both are present.

  • If neither strTag nor strKey is specified, the file is encrypted according to the current encryption rule. If no encryption rule is active, LCCAPIERR_INVALID_ARGUMENT is returned in this case.

GetEncryptionStatus

This method queries the encryption status of a single file.

COM

HRESULT GetEncryptionStatus(
    BSTR     strFileName
    VARIANT* bEncrypted,
    VARIANT* strKeyName,
    VARIANT* strKeyGUID,
VARIANT* strKeyAlgorithm
    VARIANT* bCompliant
    VARIANT* strProfileKeyName,
    VARIANT* strProfileKeyGUID,
    VARIANT* strProfileKeyAlgorithm
);

C++

WORD GetEncryptionStatus(
    LPCWSTR  strFileName,
    BOOL&    bEncrypted,
    LPWSTR   strKeyName,
    size_t   cchKeyName,
    LPWSTR   strKeyGUID,
    size_t   cchKeyGUID,
    LPWSTR   strKeyAlgorithm,
    size_t   cchKeyAlgorithm,
    BOOL&    bCompliant,
    LPWSTR   strProfileKeyName,
    size_t   cchProfileKeyName,
    LPWSTR   strProfileKeyGUID,
    size_t   cchProfileKeyGUID,
    LPWSTR   strProfileKeyAlgorithm,
    size_t   cchProfileKeyAlgorithm
);

Parameters:

strFileName [in]

  • Fully qualified name of the file for which the encryption status should be queried. The file name must not contain any wildcards. Folders are not supported.

bEncrypted [out]

  • TRUE the file is encrypted FALSE the file is not encrypted

strKeyName [out]

  • The short name of the key which is used to encrypt the file. The key name is only available if the key is available to the user. If no policies are loaded or the key is not included in the policy, strKeyName stays empty. If the C++ Interface is used, strKeyName must be big enough to store LC_MAX_SHORTKEYNAME_LEN+1 characters.

cchKeyName [in]

  • Size of strKeyName in characters.

strKeyGUID [out]

  • The GUID of the key which is used to encrypt the file. If the file is OFB encrypted, and the key is not available, the short key name is stored in strKeyGUID. If the C++ Interface is used, strKeyGUID must be big enough to store LC_MAX_KEYGUID_LEN+1 characters.

cchKeyGUID [in]

  • Size of strKeyGUID in characters.

strKeyAlgorithm [out]

  • The name of the algorithm which was used to encrypt the file. If no policies are loaded or the key is not included in the policy, strKeyAlgorithm stays empty. If the C++ Interface is used, strKeyAlgorithm must be big enough to store LC_MAX_ALGORITHM_LEN+1 characters.

cchKeyAlgorithm [in]

  • Size of strKeyAlgorithm in characters.

bCompliant [out]

  • TRUE the status of the file is according to the loaded encryption rules (this may be encrypted or plain) FALSE the file is plain, but should be encrypted according to the loaded encryption rules, or the file is encrypted but no encryption rule is active.

strProfileKeyName [out]

  • The short name of the key if an encryption rule is set for the specified file. If the C++ Interface is used, strProfileKeyName must be big enough to store LC_MAX_SHORTKEYNAME_LEN+1 characters.

cchProfileKeyName [in]

  • Size of strProfileKeyName in characters.

strProfileKeyGUID [out]

  • The GUID of the key if an encryption rule is set for the specified file. If the C++ Interface is used, strProfileKeyGUID must be big enough to store LC_MAX_KEYGUID_LEN+1 characters.

cchProfileKeyGUID [in]

  • Size of strProfileKeyGUID in characters.

strProfileKeyAlgorithm [out]

  • The algorithm name of the profile key. If the C++ Interface is used, strProfileKeyAlgorithm must be big enough to store LC_MAX_ALGORITHM_LEN+1 characters.

cchProfileKeyAlgorithm [in]

  • Size of strProfileKeyAlgorithm in characters.

GetProfile

Get the actual loaded conpal LAN Crypt Profile. The profile consists of one or more encryption rules.

COM

IProfile Profile()

Note

  • You can access the encryption rules in Visual Basic through the For Each-Statement or directly with the methods Item() and Count().

C++

DWORD GetProfile(
PENCRULE pEncRules, ULONG& ulEncRules
);

Parameters:

pEncRules [out]

  • pointer to an array of ENCRULE elements

ulEncRules [in/out]

  • total number of encryption rules in the profile

Note

  • To get the number of encryption rules in the profile set pEncRules to NULL.

GetStatus

This method queries the current status of the encryption client.

COM

HRESULT GetStatus(
  VARIANT* bDriverInstalled,
  VARIANT* bDriverRunning,
  VARIANT* bProfileLoaded,
  VARIANT* bEncryptionActive
  );

C++

DWORD GetStatus(
  BOOL& bDriverInstalled,
  BOOL& bDriverRunning,
  BOOL& bProfileLoaded,
  BOOL& bEncryptionActive
  );

Parameters:

bDriverInstalled [out]

  • TRUE encryption driver is installed

  • FALSE encryption driver is not installed

bDriverRunning [out]

  • TRUE encryption driver is active and running

  • FALSE encryption driver is not running

bProfileLoaded [out]

  • TRUE encryption rules are loaded

  • FALSE no encryption rules are loaded

bEncryptionActive [out]

  • TRUE transparent encryption is active

  • FALSE transparent encryption is deactivated or no policy is loaded

RefreshPolicy

Refresh the currently loaded policy. This method must be called from a user session and has no effect if it is called from a service. The policy will be loaded, even if it was unloaded before. Policy update fails if policy loader is not running.

The function returns immediately. No information is returned if a new policy was loaded successfully or not.

COM

HRESULT RefreshPolicy();

C++

DWORD RefreshPolicy();

SetTemporaryRule

This method sets a temporary encryption rule for a single file. Temporary encryption rules are automatically removed after the first file access or a timeout of 15 seconds.

If persistent encryption is enabled there is still an encryption rule for 15 seconds if the encrypted file was deleted after the temporary rule was removed.

COM

HRESULT SetTemporaryRule(
  BSTR strFileName,
  BSTR strTag,
  LONG lOptions
  );

C++

DWORD SetTemporaryRule(
  LPCWSTR strFileName,
  LPCWSTR strTag,
  LONG lOptions
  );

Parameters:

strFileName [in]

  • Name of the file for which the temporary encryption rule should be created. Relative paths are supported. The file name must not contain any wildcards. Folders are not supported.

strTag [in]

  • Encryption tag which should be used.

lOptions [in]

  • Additional options (currently not used, must be 0).

Command line tool

In addition to the COM and C++ API, a command line tool exists which provides selected functions.

The command line tool is installed together with the Client API and is located in the shared conpal 32-bit installation folder.

All output from the command line tool has the format:

name <tabulator>value [<tabulator> additional value [<tabulator> additional value]]

<tabulator> is displayed as ” →” in the example outputs below.

The error code is set to 0 in case of success or to one of the values mentioned in chapter 3.1.

Note

  • When the command line tool is called without parameters, a short help is displayed.

Display client status

SGFEAPI status

Shows the current status of the file encryption client.

Example:

c:\>SGFEAPI status
Encryption driver installed → yes
Encryption driver running → yes
Policy loaded → yes
Transparent encryption active → yes

Output:

Encryption driver installed

  • “yes” encryption driver is installed

  • “no” encryption driver is not installed

Encryption driver running

  • “yes” encryption driver is active and running

  • “no” encryption driver is not running

Policy loaded

  • “yes” encryption rules are loaded

  • “no” no encryption rules are loaded

Transparent encryption acrtive

  • “yes” transparent encryption is active

  • “no” transparent encryption is deactivated or no policy is loaded

Display activate rules

SGFEAPI status

Displays all rules which are currently loaded. All kind of rules are included (encryption rules, ignore rules, exclude rules, encryption tags and temporary rules).

The order of the rules is the same order how the rules are evaluated in the driver.

Example:

c:\>SGFEAPI rules
Path or Tag → Subfolder → Exclude → Ignore → Tag → Short key name → Long keyname → Key GUID

C:\WINDOWS\*.* → yes → no → yes → no

C:\PROGRAMME\CONPAL\LAN CRYPT\*.* → no → no → yes → no

\\SERVER2016\SHARE\CONFIDENTIAL\*.* → yes → no → no → no → $UK$BOARA046F0BE → $UK$ Board User 1 → {2B5A6F59-DCDB-48C1-918D-79C78EB36779}

\\SERVER\HOME\*.* → yes → no → no → no → $UK$BOARA046F0BE → $UK$ BoardUser 1 → {2B5A6F59-DCDB-48C1-918D-79C78EB36779}

Output:

In the first line a heading is printed, then for each rule a new line is displayed with tabulator separated values:

Path or Tag

  • The path for which the rule is active or the name of the encryption tag

Subfolder

  • “yes” the rule is active for the path and all subfolders

  • “no” the rule is only active for the path

Exclude

  • “yes” the specified path is excluded from the encryption

  • “no” the specified path is not excluded from encryption (e.g. encryption rule)

Ignore

  • “yes” the specified path is ignored from the encryption

  • “no” the specified path is not ignored from the encryption (e.g. encryption rule)

Tag

  • “yes” the rule is an encryption tag and “Path or Tag” is the name of the tag

  • “no” this is an encryption, ignore or exclude rule

Short key name

  • Short name of the key which is used to encrypt the files. Only valid for encryption rules and encryption tags.

Long key name

  • Long name of the key which is used to encrypt the files. Only valid for encryption rules and encryption tags.

Key GUID

  • GUID of the key which is used to encrypt the files. Only valid for encryption rules and encryption tags.

Display file encryption status

SGFEAPI encstatus [filename]

Displays the encryption status of a single file. The filename must be fully qualified without any wildcards.

Only single files can be queried, folders or multiple files are not supported.

Example:

c:\>SGFEAPI encstatus c:\encrypt\test.txt
Encrypted → yes Encrypted with key → $GK$TESTDOMAIN → {9F267228-82DA-4B57-AE1B-096AB62BAA5C} → AES-256
Profile compliant → yes
Profile key → $GK$TESTDOMAIN → {9F267228-82DA-4B57-AE1B-096AB62BAA5C} → AES-256

c:\>SGFEAPI encstatus c:\encrypt\plain.txt
Encrypted → no
Encrypted with key → →
Profile compliant → no
Profile key → $GK$TESTDOMAIN {9F267228-82DA-4B57-AE1B-096AB62BAA5C}

Output:

Encrypted

“yes” the file is encrypted

“no” the file is not encrypted

Encrypted with key

  • Short key name, key GUID and key algorithm separated with tabulator if the file is encrypted. Empty if the file is not encrypted.The short name of the key and encryption algorithm are only displayed if the key is available in the user’s key ring.

Profile compliant

  • “yes” if the file is encrypted according to an encryption rule or if the file is not encrypted and there is no encryption rule set.

  • “no” if the file should be encrypted because of an encryption rule but it is not encrypted or encrypted with another key or if the file is encrypted, but no encryption rule is active.

Profile key

  • Short key name, key GUID and key algorithm if an encryption rule is set for the specified file. Empty if no encryption rule is set.

Encrypt a single file

SGFEAPI encrypt /Tag:[tagname] [filename]

SGFEAPI encrypt /T:[tagname] [filename]

SGFEAPI encrypt /Key:[key GUID] [filename]

SGFEAPI encrypt /K:[key GUID] [filename]

SGFEAPI encrypt /Key:[key short name] [filename]

SGFEAPI encrypt /K:[key short name] [filename]

SGFEAPI encrypt [filename]

Encrypts a single file with the key administered for the specified encryption tag or with a given key. If both encryption tag and encryption key are specified, the encryption tag is used for encryption. Encryption is only allowed if no encryption rule is active for the file.

If only the filename is specified without an encryption tag or key, the file is encrypted according to the active encryption rule.

The filename must be fully qualified without any wildcards. Only single files can be encrypted, folders or multiple files are not supported.

Example:

c:\>SGFEAPI encrypt /T:CONFIDENTIAL c:\test\file.txt
Encrypted with key → KEY3 → {8E716D53-EF3A-475D-8344-7227C380EE48}

c:\>SGFEAPI encrypt c:\test\file.txt /K:KEY3
Encrypted with key → KEY3 → {8E716D53-EF3A-475D-8344-7227C380EE48}

c:\>SGFEAPI encrypt c:\test\file.txt
Encrypted with key → $GK$TESTDOMAIN → {9F267228-82DA-4B57-AE1B-096AB62BAA5C}

Output:

Encrypted with key

  • Short name and GUID of the key which was used to encrypt the file. This is the key which is configured for the specified encryption tag.

Refresh encryption policies

SGFEAPI refresh

Example:

c:\>SGFEAPI refresh
Triggered policy refresh

Starts an update of the loaded policies or loads tries to load the policy if it was not loaded before. No error is returned if the policy cannot be loaded.


Examples

Example Code (VB Script)

********************** SGFEClientAPI TestScript ***********

Dim api
Dim profile
Dim encRule

'*** Create SGFEClientAPI Object ***
set api = WScript.CreateObject("SGFECLIENTAPI.SGFEClientApi")

'*** Get loaded profile ***
set profile = api.profile

'*** Show all encryption rules in profile ***
for each encRule in profile
    WScript.Echo "Path: " & encRule.Path & vbCrLf & _
        "Ignore: " & encRule.Ignore & vbCrLf & _
        "Exclude: " & encRule.Exclude & vbCrLf & _
        "EncOnly: " & encRule.EncOnly & vbCrLf & _
        "Subdir: " & encRule.Subdir & vbCrLf & _
        "EncTag: " & encRule.EncryptionTag & vbCrLf & _
        "ShortKeyName: " & encRule.ShortKeyName & vbCrLf & _
        "LongKeyName: " & encRule.LongKeyName & vbCrLf & _
        "KeyGUID: " & encRule.KeyGUID
next

Example Code (C++)

///////////////////////////////////////////////////////////////////////////
// Console application to demonstrate the conpal File Encryption API
///////////////////////////////////////////////////////////////////////////

#include "stdafx.h"
#include "TestClientApiCpp.h"
#include "SGFECoreClientApi.h"


#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif


CWinApp theApp;

using namespace std;

int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;

    if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
    {
        cerr << _T("Fatal Error: MFC initialization failed") << endl;
        nRetCode = 1;
    }
    else
    {
    CSGFECoreClientApi api;
    ULONG ulEncRules = 0;
    ENCRULE *pEncRules;
    DWORD uswErr = LCCAPIERR_OK;
    WCHAR buf[256];
    int i;

    // Get the number of encryption rules
    uswErr = api.GetProfile(NULL, ulEncRules);
    if (uswErr != LCCAPIERR_INVALID_ARGUMENT)
    {
        wprintf(L"uswErr: %d\n", uswErr);
        return uswErr;
    }

    pEncRules = (ENCRULE*)malloc(ulEncRules * sizeof(ENCRULE));

    // Get the encryption rules
    uswErr = api.GetProfile(pEncRules, ulEncRules);

    if (uswErr == LCCAPIERR_OK)
    {
        wprintf(L"ulEncRules: %d\n", ulEncRules);
        wprintf(L"\n");

        for (i=0; i<ulEncRules; i++)
        {
            wprintf(L"wszPath: %s\n", pEncRules[i].wszPath);
            wprintf(L"bExclude: %d\n", pEncRules[i].bExclude);
            wprintf(L"bIgnore: %d\n", pEncRules[i].bIgnore);
            wprintf(L"bSubdir: %d\n", pEncRules[i].bSubdir);
            wprintf(L"bEncOnly: %d\n", pEncRules[i].bEncOnly);
            wprintf(L"szKeyName: %s\n", pEncRules[i].wszShortKeyName);
            wprintf(L"wszKeyName: %s\n", pEncRules[i].wszLongKeyName);
            wprintf(L"wszKeyGUID: %s\n", pEncRules[i].wszKeyGUID);
            wprintf(L"\n");
        }
    }
    free(pEncRules);
    }

    return nRetCode;
}

Copyright © 2018 - 2022 conpal GmbH, 1996 - 2018 Sophos Limited and Sophos Group. All rights reserved. Conpal is a registered trademark of conpal GmbH.

All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid license where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

You find copyright information on third party suppliers in the 3rd Party Software document in your product directory.