u.trust LAN Crypt Client API
- Overview
- API changes
- Detailed Function Reference
- Examples
- Legal notices
Overview
The API described in this document is used to access u.trust LAN Crypt File Encryption Client functionality through an API. A new type of rules – so called encryption tags – can be used that allows external applications to control encryption. Encryption tags map a tag to a special key and allow triggering the encryption of files with certain keys via the API.
The API allows two ways to access encryption u.trust LAN Crypt File encryption functionality:
-
A command line tool
-
A COM interface
Following figure shows the main parts of the API:
The API can only be used with an installed CP File Filter. The API requires a profile to be loaded and the API has access to the keys in the loaded profile.
The API provides several functions that control the File Encryption. The command line tool can be used without any Authentication and provides a limited set of functions than the COM API.
Authentication is based on Microsoft Authenticode:
-
The access to the COM API can be restricted to specific applications that are Authenticode signed.
-
Furthermore, the access to the COM API can be restricted to Authenticode signed applications that are Authenticode signed with a specific certificate.
Functionality overview
Following table lists the available functionality for the command line tool as well as the COM API.
Functionality | Command Line Tool (Parameter) | COM API (Function) |
---|---|---|
Allow to retrieve status information via the API | status | GetStatus |
Retrieve encryption rules | rules | GetProfile |
Allow to retrieve the encryption status of a file | encstatus | GetEncryptionStatus |
Encrypt or re-encrypt a file | encrypt | EncryptFile |
Refresh encryption policies | refresh | RefreshPolicy |
Decrypt a file | Not Possible | DecryptFile |
Secure delete of a file | Not Possible | DeleteFile |
Temporarily set an encryption rule | Not Possible | SetTemporaryRule |
Turn on/off encryption | Not Possible | ActivateEncrpytion |
Allow access to API only to trusted apps | Not Possible | Yes |
In addition to Windows, u.trust LAN Crypt also supports macOS as well as Android and iOS for mobile devices.
General configuration of the API
Following general configuration of the SGNFE API can be done via the CP LAN Crypt Administration:
-
The SGFE API must be generally enabled.
-
The use of the command line tool on the client can be enabled / disabled via a central setting.
-
The priority of the different rule types can be defined (e.g. Encryption tags have precedence for all other rules)
-
Allowed Applications can be defined that define the applications that are allowed to access the API.
-
Trusted Vendors can be defined that restrict the access to the API to applications from specific vendors (via certificates).
For further details, please see the u.trust LAN Crypt Administrator Help.
Encryption tags
For the encryption function EncryptFile respectively the encrypt parameter of the command line Encryption tags can be used. These encryption tags are a new type of File Encryption rules that map a tag to a key. Encryption tags can be defined similar to encryption rules in the Admin and get transferred to the client via the profile.
Example:
Following encryption tag is defined in the administration and available on the client:
TAG: Confidential, Key: <KEY-X-GUIDY>
Following call of the command line:
SGFEAPI encrypt /Tag:CONFIDENTIAL c:\encrypt.doc
Will result in encrypting the file c:\encrypt.doc with the KEY-X-GUID.
API changes
Changes in 11.0.0
- No changes in the utilization of the COM API
Changes in 4.2.0
- No changes in the utilization of the COM API
Changes in 4.1.0
API version 4.1.0 is part of u.trust LAN Crypt Client 4.1.0.
New API functions:
- ClearProfile
Changes in 4.0.0
- No changes in the utilization of the API
Changes in 3.97
- The API Version 3.97 is the new base version of documented API changes
Detailed Function Reference
General
The COM API is implemented in the class CSGFEClientApi. Classes are exported from SGFEClientAPI.DLL. The methods of the classes are described in the following chapters. The API is part of the u.trust LAN Crypt Client. The client API must be installed and enabled in the u.trust LAN Crypt Administration. All applications which are using the client API must be configured in the u.trust LAN Crypt Administration.
Note
- All functions return LCCAPIERR_OK if successful or an error code if an error occurred.
All parameters are required – that means that all parameters have to be provided and all parameters must contain valid values.
Error codes are defined as follows:
Code | Description | Name |
---|---|---|
0 | The Function succeeded normally. | LCCAPIERR_OK |
1 | General Failure. This indicates an error in the provided data as well as an internal error. | LCCAPIERR_GENERAL_ERROR |
2 | The Argument passed is of an invalid type. This happens in conjunction with [in/out] parameters passed to. | LCCAPIERR_INVALID_ARGUMENT |
3 | The function cannot be executed, because no encryption rules are loaded. | LCCAPIERR_NO_PROFILE_LOADED |
4 | The current process is not allowed to use the API function. To enable the process, configure the client API in the u.trust LAN Crypt Administration. | LCCAPIERR_PROCESS_NOT_ALLOWED |
5 | The specified file does not exist or cannot be accessed. | LCCAPIERR_FILE_NOT_FOUND |
6 | The file cannot be encrypted or decrypted, because it would result in a conflict with an existing encryption rule. | LCCAPIERR_RULE_CONFLICT |
7 | The encryption key is not available or does not exist. | LCCAPIERR_KEY_NOT_AVAILABLE |
8 | The specified encryption tag does not exist. | LCCAPIERR_INVALID_TAG |
Constants
Name | Description | Value |
---|---|---|
LC_MAX_SHORTKEYNAME_LEN | Maximum length of the short key name (number of characters not including the terminating 0). | 16 |
LC_MAX_LONGKEYNAME_LEN | Maximum length of the long key name (number of characters not including the terminating 0). | 256 |
LC_MAX_KEYGUID_LEN | Maximum length of the key GUID (number of characters not including the terminating 0). | 256 |
LC_MAX_ALGORITHM_LEN | Maximum length of the encryption algorithm (number of characters not including the terminating 0) | 16 |
Encryption Algorithm Names:
-
AES-256
-
AES-128
-
DES
-
3DES
-
IDEA
-
XOR
Structures
COM
The COM implementation uses Enumerators to iterate through the encryption rules of a profile.
The COM-Enumerator is implemented through the interface IProfile:
interface IProfile : IDispatch
{
[propget, id(DISPID_VALUE), helpstring("method Item")]
HRESULT Item([in] VARIANT index, [out, retval] IEncRule** pItem);
[propget, id(1), helpstring("property Count")]
HRESULT Count([out, retval] long *pVal);
[propget, restricted, id(DISPID_NEWENUM)]
HRESULT _NewEnum([out, retval] LPUNKNOWN *pVal);
};
The IProfile implementation returns COM-Objects which implements the following interface:
interface IEncRule : IDispatch
{
[propget, id(1), helpstring("property Path")]
HRESULT Path([out, retval] BSTR *pVal);
[propget, id(2), helpstring("property Exclude")]
HRESULT Exclude([out, retval] BOOL *pVal);
[propget, id(3), helpstring("property Ignore")]
HRESULT Ignore([out, retval] BOOL *pVal);
[propget, id(4), helpstring("property Subdir")]
HRESULT Subdir([out, retval] BOOL *pVal);
[propget, id(5), helpstring("property EncOnly")]
HRESULT EncOnly([out, retval] BOOL *pVal);
[propget, id(6), helpstring("property ShortKeyName")]
HRESULT ShortKeyName([out, retval] BSTR *pVal);
[propget, id(7), helpstring("property LongKeyName")]
HRESULT LongKeyName([out, retval] BSTR *pVal);
[propget, id(8), helpstring("property KeyGUID")]
HRESULT KeyGUID([out, retval] BSTR *pVal);
[propget, id(9), helpstring("property EncryptionTag")]
HRESULT EncryptionTag([out,retval] BOOL *pVal);};
};
Function reference
ActivateEncryption
This method tells the driver to activate or deactivate the file encryption.
COM
HRESULT ActivateEncryption(
LONG bActivateEncryption
);
Parameters:
bActivateEncryption [in]
- TRUE -> activate encryption
- FALSE -> deactivate encryption
ClearProfile
Clears user profile. Call this function to delete currently loaded encryption rules.
COM
This method is not implemented for COM.
DecryptFile
This method decrypts a single file. Decryption is only allowed if no encryption rule is active for the file.
COM
HRESULT DecryptFile(
BSTR strFileName
);
Parameters:
strFileName [in]
- Fully qualified name of the file that should be decrypted. The file name must not contain any wildcards. Folders are not supported.
DeleteFile
This method securely deletes a single file. The encryption key is required to delete an encrypted file.
COM
HRESULT DeleteFile(
BSTR strFileName
);
Parameters:
strFileName [in]
- Fully qualified name of the file that should be deleted. The file name must not contain any wildcards. Folders are not supported.
EncryptFile
This method encrypts a single file. The file encryption may be rejected, if an encryption rule is active. It is possible to allow encryption of files if an encryption rule is active.
COM
HRESULT EncryptFile(
BSTR strFileName,
BSTR strTag,
BSTR strKey,
VARIANT* strKeyName,
VARIANT* strKeyGUID
);
Parameters:
strFileName [in]
- Fully qualified name of the file that should be encrypted. The file name must not contain any wildcards. Folders are not supported.
strTag [in]
- Encryption tag which should be used to encrypt the file. Set strTag to NULL or empty string if it should be ignored (see remark below).
strKey[in]
- Encryption key which should be used to encrypt the file. The encryption key can be specified with the key GUID or with the short name of the key. Set strKey to NULL or empty string if it should be ignored (see remark below).
strKeyName [out]
- Short key name if the file was encrypted successfully.
cchKeyName [in]
- Size of strKeyName in characters.
strKeyGUID [out]
- GUID of the key if the file was encrypted successfully.
cchKeyGUID [in]
- Size of strKeyGUID in characters.
Note
The key which should be used to encrypt the file can either be specified using the parameter strTag or strKey, whereby strTag is used if both are present.
If neither strTag nor strKey is specified, the file is encrypted according to the current encryption rule. If no encryption rule is active, LCCAPIERR_INVALID_ARGUMENT is returned in this case.
GetEncryptionStatus
This method queries the encryption status of a single file.
COM
HRESULT GetEncryptionStatus(
BSTR strFileName
VARIANT* bEncrypted,
VARIANT* strKeyName,
VARIANT* strKeyGUID,
VARIANT* strKeyAlgorithm
VARIANT* bCompliant
VARIANT* strProfileKeyName,
VARIANT* strProfileKeyGUID,
VARIANT* strProfileKeyAlgorithm
);
Parameters:
strFileName [in]
- Fully qualified name of the file for which the encryption status should be queried. The file name must not contain any wildcards. Folders are not supported.
bEncrypted [out]
- TRUE the file is encrypted FALSE the file is not encrypted
strKeyName [out]
- The short name of the key which is used to encrypt the file. The key name is only available if the key is available to the user. If no policies are loaded or the key is not included in the policy, strKeyName stays empty.
cchKeyName [in]
- Size of strKeyName in characters.
strKeyGUID [out]
- The GUID of the key which is used to encrypt the file. If the file is OFB encrypted, and the key is not available, the short key name is stored in strKeyGUID.
cchKeyGUID [in]
- Size of strKeyGUID in characters.
strKeyAlgorithm [out]
- The name of the algorithm which was used to encrypt the file. If no policies are loaded or the key is not included in the policy, strKeyAlgorithm stays empty.
cchKeyAlgorithm [in]
- Size of strKeyAlgorithm in characters.
bCompliant [out]
- TRUE the status of the file is according to the loaded encryption rules (this may be encrypted or plain) FALSE the file is plain, but should be encrypted according to the loaded encryption rules, or the file is encrypted but no encryption rule is active.
strProfileKeyName [out]
- The short name of the key if an encryption rule is set for the specified file.
cchProfileKeyName [in]
- Size of strProfileKeyName in characters.
strProfileKeyGUID [out]
- The GUID of the key if an encryption rule is set for the specified file.
cchProfileKeyGUID [in]
- Size of strProfileKeyGUID in characters.
strProfileKeyAlgorithm [out]
- The algorithm name of the profile key.
cchProfileKeyAlgorithm [in]
- Size of strProfileKeyAlgorithm in characters.
GetProfile
Get the actual loaded u.trust LAN Crypt Profile. The profile consists of one or more encryption rules.
COM
IProfile Profile()
Note
- You can access the encryption rules in Visual Basic through the For Each-Statement or directly with the methods Item() and Count().
Parameters:
pEncRules [out]
- pointer to an array of ENCRULE elements
ulEncRules [in/out]
- total number of encryption rules in the profile
Note
- To get the number of encryption rules in the profile set pEncRules to NULL.
GetStatus
This method queries the current status of the encryption client.
COM
HRESULT GetStatus(
VARIANT* bDriverInstalled,
VARIANT* bDriverRunning,
VARIANT* bProfileLoaded,
VARIANT* bEncryptionActive
);
Parameters:
bDriverInstalled [out]
-
TRUE encryption driver is installed
-
FALSE encryption driver is not installed
bDriverRunning [out]
-
TRUE encryption driver is active and running
-
FALSE encryption driver is not running
bProfileLoaded [out]
-
TRUE encryption rules are loaded
-
FALSE no encryption rules are loaded
bEncryptionActive [out]
-
TRUE transparent encryption is active
-
FALSE transparent encryption is deactivated or no policy is loaded
RefreshPolicy
Refresh the currently loaded policy. This method must be called from a user session and has no effect if it is called from a service. The policy will be loaded, even if it was unloaded before. Policy update fails if policy loader is not running.
The function returns immediately. No information is returned if a new policy was loaded successfully or not.
COM
HRESULT RefreshPolicy();
SetTemporaryRule
This method sets a temporary encryption rule for a single file. Temporary encryption rules are automatically removed after the first file access or a timeout of 15 seconds.
If persistent encryption is enabled there is still an encryption rule for 15 seconds if the encrypted file was deleted after the temporary rule was removed.
COM
HRESULT SetTemporaryRule(
BSTR strFileName,
BSTR strTag,
LONG lOptions
);
Parameters:
strFileName [in]
- Name of the file for which the temporary encryption rule should be created. Relative paths are supported. The file name must not contain any wildcards. Folders are not supported.
strTag [in]
- Encryption tag which should be used.
lOptions [in]
- Additional options (currently not used, must be 0).
Command line tool
In addition to the COM API, a command line tool exists which provides selected functions.
The command line tool is installed together with the Client API and is located in the shared Utimaco 32-bit installation folder.
All output from the command line tool has the format:
name <tabulator>value [<tabulator> additional value [<tabulator> additional value]]
<tabulator>
is displayed as ” →” in the example outputs below.
The error code is set to 0 in case of success or to one of the values mentioned in chapter 3.1.
Note
- When the command line tool is called without parameters, a short help is displayed.
Display client status
SGFEAPI status
Shows the current status of the file encryption client.
Example:
c:\>SGFEAPI status
Encryption driver installed → yes
Encryption driver running → yes
Policy loaded → yes
Transparent encryption active → yes
Output:
Encryption driver installed
-
“yes” encryption driver is installed
-
“no” encryption driver is not installed
Encryption driver running
-
“yes” encryption driver is active and running
-
“no” encryption driver is not running
Policy loaded
-
“yes” encryption rules are loaded
-
“no” no encryption rules are loaded
Transparent encryption acrtive
-
“yes” transparent encryption is active
-
“no” transparent encryption is deactivated or no policy is loaded
Display activate rules
SGFEAPI rules
Displays all rules which are currently loaded. All kind of rules are included (encryption rules, ignore rules, exclude rules, encryption tags and temporary rules).
The order of the rules is the same order how the rules are evaluated in the driver.
Example:
c:\>SGFEAPI rules
Path or Tag → Subfolder → Exclude → Ignore → Tag → Short key name → Long key
name → Key GUID
C:\WINDOWS\*.* → yes → no → yes → no
C:\PROGRAM FILES\UTIMACO\U.TRUST LAN CRYPT\APPS\*.* → no → no → yes → no
\\SERVER2016\SHARE\CONFIDENTIAL\*.* → yes → no → no → no → $UK$BOARA046F0
BE → $UK$ Board User 1 → {2B5A6F59-DCDB-48C1-918D-79C78EB36779}
\\SERVER\HOME\*.* → yes → no → no → no → $UK$BOARA046F0BE → $UK$ Board
User 1 → {2B5A6F59-DCDB-48C1-918D-79C78EB36779}
Output:
In the first line a heading is printed, then for each rule a new line is displayed with tabulator separated values:
Path or Tag
- The path for which the rule is active or the name of the encryption tag
Subfolder
-
“yes” the rule is active for the path and all subfolders
-
“no” the rule is only active for the path
Exclude
-
“yes” the specified path is excluded from the encryption
-
“no” the specified path is not excluded from encryption (e.g. encryption rule)
Ignore
-
“yes” the specified path is ignored from the encryption
-
“no” the specified path is not ignored from the encryption (e.g. encryption rule)
Tag
-
“yes” the rule is an encryption tag and “Path or Tag” is the name of the tag
-
“no” this is an encryption, ignore or exclude rule
Short key name
- Short name of the key which is used to encrypt the files. Only valid for encryption rules and encryption tags.
Long key name
- Long name of the key which is used to encrypt the files. Only valid for encryption rules and encryption tags.
Key GUID
- GUID of the key which is used to encrypt the files. Only valid for encryption rules and encryption tags.
Display file encryption status
SGFEAPI encstatus [filename]
Displays the encryption status of a single file. The filename must be fully qualified without any wildcards.
Only single files can be queried, folders or multiple files are not supported.
Example:
c:\>SGFEAPI encstatus c:\encrypt\test.txt
Encrypted → yes Encrypted with key → $GK$TESTDOMAIN → {9F267228-82DA-4B57-AE1B-096AB62BAA5 C} → AES-256
Profile compliant → yes
Profile key → $GK$TESTDOMAIN → {9F267228-82DA-4B57-AE1B-096AB62BAA5C} → AES-256
c:\>SGFEAPI encstatus c:\encrypt\plain.txt
Encrypted → no
Encrypted with key → →
Profile compliant → no
Profile key → $GK$TESTDOMAIN {9F267228-82DA-4B57-AE1B-096AB62BAA5C}
Output:
Encrypted
“yes” the file is encrypted
“no” the file is not encrypted
Encrypted with key
- Short key name, key GUID and key algorithm separated with tabulator if the file is encrypted. Empty if the file is not encrypted.The short name of the key and encryption algorithm are only displayed if the key is available in the user’s key ring.
Profile compliant
-
“yes” if the file is encrypted according to an encryption rule or if the file is not encrypted and there is no encryption rule set.
-
“no” if the file should be encrypted because of an encryption rule but it is not encrypted or encrypted with another key or if the file is encrypted, but no encryption rule is active.
Profile key
- Short key name, key GUID and key algorithm if an encryption rule is set for the specified file. Empty if no encryption rule is set.
Encrypt a single file
SGFEAPI encrypt /Tag:[tagname] [filename]
SGFEAPI encrypt /T:[tagname] [filename]
SGFEAPI encrypt /Key:[key GUID] [filename]
SGFEAPI encrypt /K:[key GUID] [filename]
SGFEAPI encrypt /Key:[key short name] [filename]
SGFEAPI encrypt /K:[key short name] [filename]
SGFEAPI encrypt [filename]
Encrypts a single file with the key administered for the specified encryption tag or with a given key. If both encryption tag and encryption key are specified, the encryption tag is used for encryption. Encryption is only allowed if no encryption rule is active for the file.
If only the filename is specified without an encryption tag or key, the file is encrypted according to the active encryption rule.
The filename must be fully qualified without any wildcards. Only single files can be encrypted, folders or multiple files are not supported.
Example:
c:\>SGFEAPI encrypt /T:CONFIDENTIAL c:\test\file.txt
Encrypted with key → KEY3 → {8E716D53-EF3A-475D-8344-7227C380EE48}
c:\>SGFEAPI encrypt c:\test\file.txt /K:KEY3
Encrypted with key → KEY3 → {8E716D53-EF3A-475D-8344-7227C380EE48}
c:\>SGFEAPI encrypt c:\test\file.txt
Encrypted with key → $GK$TESTDOMAIN → {9F267228-82DA-4B57-AE1B-096AB62BAA5C}
Output:
Encrypted with key
- Short name and GUID of the key which was used to encrypt the file. This is the key which is configured for the specified encryption tag.
Refresh encryption policies
SGFEAPI refresh
Example:
c:\>SGFEAPI refresh
Triggered policy refresh
Starts an update of the loaded policies or loads tries to load the policy if it was not loaded before. No error is returned if the policy cannot be loaded.
Examples
Example Code (VB Script)
********************** SGFEClientAPI TestScript ***********
Dim api
Dim profile
Dim encRule
'*** Create SGFEClientAPI Object ***
set api = WScript.CreateObject("SGFECLIENTAPI.SGFEClientApi")
'*** Get loaded profile ***
set profile = api.profile
'*** Show all encryption rules in profile ***
for each encRule in profile
WScript.Echo "Path: " & encRule.Path & vbCrLf & _
"Ignore: " & encRule.Ignore & vbCrLf & _
"Exclude: " & encRule.Exclude & vbCrLf & _
"EncOnly: " & encRule.EncOnly & vbCrLf & _
"Subdir: " & encRule.Subdir & vbCrLf & _
"EncTag: " & encRule.EncryptionTag & vbCrLf & _
"ShortKeyName: " & encRule.ShortKeyName & vbCrLf & _
"LongKeyName: " & encRule.LongKeyName & vbCrLf & _
"KeyGUID: " & encRule.KeyGUID
next
Legal notices
Copyright © 2024 Utimaco IS GmbH, 2018 - 2024 conpal GmbH, 1996 - 2018 Sophos Limited and Sophos Group. All rights reserved. conpal®, AccessOn® and AuthomaticOn® are registered trademarks of conpal GmbH.
All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid license where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
You find copyright information on third party suppliers in the 3rd Party Software document in your product directory.
Last updated 27.03.2024