LAN Crypt Administration: Migration from On-Premises to the Cloud
- Overview of the cloud migration
- Pre-Check
- Preparing the services
- Performing the migration
- Technical support
- Legal notice
Overview of the cloud migration
This migration guide walks you step by step through the complete process of migrating all users, groups, and encryption rules from an on-premises installation of LAN Crypt Administration to LAN Crypt Cloud Administration.
The migration is divided into three central steps:
Pre-Check
Verification of the technical prerequisites for a successful migration.
Preparing the Services
- Registration with LAN Crypt Cloud and preparation of the services used before starting the migration.
- Setting up synchronization between Microsoft Entra ID and Active Directory, followed by connecting Microsoft Entra ID to LAN Crypt Cloud Administration.
- Optional integration of a Utimaco ESKM for external key management.
Performing the Migration
- Export of the data from LAN Crypt On-Premises Administration.
- Import of the data into LAN Crypt Cloud Administration.
Note
- After a successful migration, additional configuration options automatically become available within the Cloud Administration. These supplement the regular configuration options and relate primarily to the management of LAN Crypt Windows clients.
Pre-Check
Before the actual migration process is started, the on-premises instance of LAN Crypt Administration in use should first be checked for compatibility.
Neither LAN Crypt Cloud nor Microsoft Entra ID supports a structural arrangement of groups and users into organizational units (OUs). If your organization uses organizational units within the on-premises Administration, these will not be carried over as part of the migration process.
LAN Crypt Cloud Administration requires a valid email address for every user. Therefore, make sure that locally or manually created users in the on-premises Administration have a valid email address on file. When using Active Directory, the assignment of users to their Entra ID account is performed automatically via a unique identifier - the objectGUID (Active Directory) or the on-premises immutable ID (Entra ID).
Note
Migration to LAN Crypt Cloud is only possible with LAN Crypt On-Premises Administration version 11 or higher.
LAN Crypt Cloud exclusively supports AES-256 keys. Keys with other algorithms are not migrated to LAN Crypt Cloud. Files that were encrypted with such keys cannot be read by clients.
Preparing the services
Before the migration can be performed, the following prerequisites must be met:
-
A LAN Crypt Cloud account for administration must be set up.
-
If LAN Crypt On-Premises Administration is used in combination with Active Directory, Active Directory must first be synchronized with Microsoft Entra ID before a connection between Microsoft Entra ID and LAN Crypt Cloud can be established, in order to continue using existing user and group objects.
-
Optionally, an external key server can be prepared in order to store the cryptographic keys outside the cloud on a Utimaco Enterprise Key Management Appliance (ESKM), thereby achieving an even higher level of security.
Registration and login as an administrator with LAN Crypt Cloud
Using LAN Crypt Cloud Administration requires registering a u.trust LAN Crypt Cloud account.
Once you have successfully completed the registration process, an email to activate your account is sent to the address provided. To activate the registered account, the activation link in the email must be opened within the next 24 hours. If the registered account is not activated within this period, the account is automatically deleted. After the account has been activated, the email address provided and the chosen password serve as the login credentials.
Synchronization of user and group objects from Active Directory
Note
- This chapter is only relevant if users and groups from Active Directory are used in LAN Crypt On-Premises Administration. If only local users and groups are used, this chapter can be skipped.
Since LAN Crypt Cloud is operated as a cloud service, direct access to the local Active Directory is not possible. User and group objects from Active Directory must therefore be synchronized with Microsoft Entra ID beforehand in order to make them available in LAN Crypt Cloud Administration in the next step.
Synchronization of Active Directory with Microsoft Entra ID
For synchronizing on-premises Active Directory objects to the cloud, Microsoft provides the tools Cloud Sync and Cloud Connect.
Note
- The use of Cloud Sync is recommended, as it is generally easier to configure and operate, provided there are no special requirements that necessitate the use of Cloud Connect.
Follow Microsoft’s instructions to create a Microsoft Entra tenant and synchronize your Active Directory users and groups with Microsoft Entra ID.
All relevant user and group objects must be synchronized with Microsoft Entra ID so that LAN Crypt Cloud can automatically assign keys and assets during the migration. LAN Crypt Cloud does not create users or groups from Active Directory objects. Assigning existing keys is only possible if the objects were previously provisioned via Microsoft Entra ID.
Setting up the Microsoft Entra ID connection to LAN Crypt Cloud
After synchronization of Active Directory with Microsoft Entra ID has been set up, the connection between Microsoft Entra ID and LAN Crypt Cloud can be established.
A detailed description of this process can be found in the corresponding documentation in the LAN Crypt Cloud Admin documentation.
(Optional) Setting up a key server
By default, LAN Crypt Cloud stores all data in the cloud, including the keys for encryption processes. Utimaco employs comprehensive security measures and, in particular, protects the cryptographic keys with a high level of security.
If you do not want to store your encryption keys in the cloud, you have the option of using a Utimaco Enterprise Secure Key Manager (ESKM). With this appliance, the keys can be stored and managed outside the cloud.
Detailed information on ESKM support in LAN Crypt Cloud can be found in the LAN Crypt Cloud Admin documentation.
Note
- The integration of an ESKM server can in principle also be carried out at a later point in time. In this case, however, the external key management applies exclusively to newly created encryption keys. For the migration of on-premises data, it is therefore recommended to make the decision for or against the use of an ESKM before importing the data into LAN Crypt Cloud, and to configure the ESKM server accordingly in the settings of the LAN Crypt Cloud account.
Performing the migration
After a successful Pre-Check as well as the successful setup of all required connections and the completion of all synchronization processes, the migration of LAN Crypt On-Premises Administration can be performed.
The migration is carried out in two consecutive steps:
Step 1: Export of the on-premises administration data
The export of the existing administration data is performed using the command-line tool LCOnPremExport.exe.
Note
LCOnPremExport.exeis provided on request by customer support.
Step 2: Import of the data into LAN Crypt Cloud
The previously exported data is then imported into LAN Crypt Cloud Administration using the command-line tool LCCloudImport.exe.
Note
LCCloudImport.execan be downloaded in LAN Crypt Cloud Administration under Manage account → Downloads.
Export from the On-Premises Environment
Run the command-line tool LCOnPremExport.exe to export the contents of the LAN Crypt administration database to a password-protected migration file.
Since the tool requires direct access to the LAN Crypt database, it must be run on the same system on which the CheckDatabase tool is usually used as well.
In the following example, an export file named LCOnPrem.zip is created using the MSO account:
LCOnPremExport.exe -s MSO -f LCOnPrem
During the export process, you are prompted to enter a password. This password protects the generated ZIP file using AES-256 encryption.
Note
- Remember the password, as it is later mandatorily required for the import into LAN Crypt Cloud.
After the export is complete, the tool outputs a summary of the exported data. At the end, a success message like this should appear:
**** The export file: LCOnPrem.zip was created successfully. ****
The export tool may detect migration issues. In this case, no success message appears, but rather a list of the detected issues:
Import not possible
===================
These items cannot be imported to cloud.
- number of keys (algorithm IDEA): 5.
- number of keys (algorithm DES): 7.
Summary of detected issues
==========================
Checking database telemetry for cloud compatibility detected issues.
- Some data cannot be imported cloud.
- The remaining data can be imported to cloud.
Please review the reported issues carefully.
Run LCOnPremExport again with the switch '-r' to skip the compatibility check.
You can also perform the migration without resolving the listed issues. However, it is strongly recommended to carefully review the reported issues and to identify possible obstacles to your migration. With the -r switch, the export can be forced even when warnings are present and thus continued despite the identified issues:
LCOnPremExport.exe -s MSO -f LCOnPrem -r
Issues and their impact:
| Text | Impact |
|---|---|
| number of keys (algorithm XOR), number of keys (algorithm IDEA), number of keys (algorithm DES), number of keys (algorithm 3DES), number of keys (algorithm AES-128), number of keys (algorithm UNKNOWN) | LAN Crypt Cloud exclusively supports AES-256 keys. Keys with other algorithms are not migrated to LAN Crypt Cloud. Files that were encrypted with such keys cannot be read by clients. |
| number of rules (assigned to ADS OU groups) | Active Directory organizational units cannot be synchronized with Microsoft Entra. Assigned rules are migrated but are not assigned to any group in LAN Crypt Cloud. |
| number of users (without email assigned to ADS OU groups) | Active Directory organizational units cannot be synchronized with Microsoft Entra. User assignments to such groups are not migrated to LAN Crypt Cloud. |
| number of users (without email assigned to non ADS OU or ADS root groups) | For LAN Crypt Cloud, users must log in with their email address. User objects without an email address are not created in LAN Crypt Cloud. |
| number of users (without email assigned to ADS root groups) | Microsoft Entra does not have root groups. User assignments to Active Directory root groups are therefore not migrated to LAN Crypt Cloud. |
| number of groups (without distinguished name) | For migrated groups, the local DN name is set as the description in LAN Crypt. If no DN is available, the description of the migrated group also remains empty. |
| number of keys (without values and algorithm) | Previously unused OnPrem keys (without a value, as they have not been used in any profile) are not migrated. |
Import into LAN Crypt Cloud
To import the previously created export file, use the command-line tool LCCloudImport.exe.
For the tool to run successfully, the following prerequisites must be met:
- Access to the exported ZIP file (LCOnPrem.zip)
- An active internet connection
- Optional: If a key server has been configured within LAN Crypt Cloud Administration, it must also be reachable from the executing system.
Import of the migration data into LAN Crypt Cloud
LCCloudImport -i LCOnPrem.zip
Sequence of the process:
Step 1: The tool first prompts you to enter the password of the export ZIP file. Step 2: A web browser is then opened automatically to log in to LAN Crypt Cloud. Step 3: The relevant data is uploaded collectively to the Cloud Administration.
Note
- If a Utimaco ESKM has already been integrated, the keys are written to the key server in this step. Depending on the number of keys, this step can take more time (several thousand keys per hour).
Step 4: Only once all data has been transferred successfully do additional migration processes start automatically in the background.
Note
- To view the status of the migration, you can either check it directly in LAN Crypt Cloud Administration or alternatively query it via the command-line tool with the following command:
LCCloudImport --status
After the migration is completed or aborted, an audit log entry is automatically created in LAN Crypt Cloud Administration.
Additional options with the LCCloudImport command-line tool
As a rule, only the Import and Status options are needed. In addition, however, further functions are available, e.g. for deleting uploaded data or for manually restarting the migration.
Overview of the options:
LAN Crypt Cloud import tool 14.0.0.0
Imports LAN Crypt OnPrem migration data into LAN Crypt Cloud.
Import OnPrem export file:
LCCloudImport (-i | --import) exportfile [-v | --verbose] [-d | --dryrun]
exportfile: Path to LAN Crypt OnPrem export file
verbose: Show detailed information
dryrun: Simulation mode, data is not uploaded
Show import status:
LCCloudImport (-s | --status) [-v | --verbose]
Delete migration data:
LCCloudImport (-c | --clear) [-v | --verbose]
Start migration:
LCCloudImport (-x | --start) [-v | --verbose]
Show help:
LCCloudImport (-h | --help)
Updating settings
After the migration of users, groups, and encryption rules is complete, the configuration settings should finally be reviewed and aligned.
In LAN Crypt On-Premises Administration, the settings are configured via Group Policy Objects (GPOs) - either through the LAN Crypt Administration application or through the administrative ADMX templates. Many of these settings can now be configured directly in LAN Crypt Cloud Administration under Settings > File encryption. These additional settings are available exclusively to administrators who have migrated from LAN Crypt On-Premises Administration to LAN Crypt Cloud Administration.
If, after a successful migration, the configurations of LAN Crypt Cloud Administration and LAN Crypt On-Premises Administration differ from each other, the settings of the Cloud Administration take precedence. The differing configurations of the on-premises Administration are overwritten in this case.
A small number of rarely used GPO settings have no corresponding option in the LAN Crypt Cloud user interface. These settings can still be configured exclusively via GPO:
- Delay when loading the profile
- Excluded applications
- Default ‘Ignore rule’
- Excluded devices
- Excluded drives
- Antivirus software
- Trusted vendors
Note
- In the current versions of the LAN Crypt ADMX templates, the Supported On field displays the value LAN Crypt Cloud for all GPO settings that are relevant for LAN Crypt Cloud. All other LAN Crypt GPO options should be disabled and, if needed at all, configured instead in the LAN Crypt Cloud settings.
Overview of the objects and their handling during migration
This section describes how objects from u.trust LAN Crypt On-Premises Administration (OnPrem) are migrated to u.trust LAN Crypt Cloud. The following tables provide a structured overview of the mapping of the object types as well as the respective particularities during import.
User and Group Objects
| OnPrem Object | Cloud Object | Notes |
|---|---|---|
| Local user | Cloud user | Created anew during import. |
| Local group | Cloud group | Created anew during import. |
| AD user | Entra user | AD users from OnPrem are mapped to Entra users in the cloud. The Entra users must already be synchronized with the cloud before the migration (see Synchronization of User and Group Objects from Active Directory). AD users that cannot be mapped to an Entra user are ignored during import. |
| AD group | Entra group | AD groups from OnPrem are mapped to Entra groups in the cloud. The Entra groups must already be synchronized with the cloud before the migration (see Synchronization of User and Group Objects from Active Directory). AD groups that cannot be mapped to an Entra group are ignored during import. |
| AD organizational unit | (not migratable) | Unlike Active Directory, Entra ID does not have organizational units - it works exclusively with groups. A direct migration of AD organizational units is therefore not possible. Encryption rules that are assigned to an organizational unit in LAN Crypt On-Premises are indeed imported into the Cloud Administration and are available there as assets, but without the associated user or group assignments. These must be reassigned manually in the cloud management after the migration. |
Encryption Rules
| OnPrem Object | Cloud Object | Notes |
|---|---|---|
| Encryption rule | Asset | Created during import. The asset is assigned to the corresponding user or group. If the user or group is not available in the cloud, no assignment is made. If a comment text for the rule is present in OnPrem, it is used as the name of the asset. If no comment text is present, the storage path is used as the name. The name of the encryption key is taken over unchanged from the OnPrem Administration and is also displayed within the LAN Crypt clients. |
| Multiple rules for the same storage path | Multiple assets (one per rule) | Multiple encryption rules for the same storage path are migrated; for each rule, a separate asset is created. Subsequently creating new assets for the same storage path is not possible in LAN Crypt Cloud. Such assets can only arise through migration. |
| Key without an associated rule | Passive asset | For OnPrem keys without an associated encryption rule, passive assets are created in LAN Crypt Cloud. Assignments are made according to OnPrem, provided the corresponding users or groups can be mapped. The key name is used as the name of the passive asset. |
| Advanced settings (Bypass, Ignore, No-Plain-File-Access, subfolder exclusion) | Asset with “Advanced settings” section | LAN Crypt Cloud rules generally include all subfolders and only know three rule types: Public, Shared, and Private. OnPrem rules that affect only a single folder without subfolders, as well as rule types such as Ignore, Bypass, and No-Plain-File-Access, are nevertheless migrated. Affected assets show an “Advanced settings” section in the asset view with a description of the additional flags. For the LAN Crypt client software, these settings behave identically to the corresponding OnPrem settings. Subsequently creating rules with advanced settings is not possible in LAN Crypt Cloud. Such rules can only arise through migration. |
Keys
| OnPrem Object | Cloud Object | Notes |
|---|---|---|
| ESKM (key server) | - | If a tenant uses a key server (ESKM), a corresponding key is created in the ESKM for each key to be migrated; in LAN Crypt Cloud, only the encrypted key is stored. The ESKM processing is performed automatically by the LAN Crypt Cloud import tool. Creating the ESKM keys is time-consuming; depending on network and ESKM performance, several thousand keys per hour can be processed. |
| Encryption algorithms | not fully migrated | Only AES keys are migrated. Other key types are not available after the migration. |
| User key | User key | The user key is assigned to the corresponding user object in the cloud. Imported keys are treated as secondary keys for Entra user objects in the cloud and can only be used passively, i.e. only for decrypting existing files. Files that were encrypted via the cloud client with a user key (i.e. via a private asset) cannot be decrypted with an OnPrem client, not even by the same user. |
| Keys used multiple times | Multiple assets including associated key copies | Keys that are assigned to multiple rules in OnPrem are instantiated (duplicated) during import. For each rule to which the key is assigned, a separate asset with its own key copy is created. This copy retains the same KEK GUID and the same key value as the original key, but is managed internally as a standalone key. After the import is complete, each asset has its own key. Users with access to an asset with such a key therefore initially also have access to all other assets that contain a copy of the same key. Note: After the first key rotation, each key receives a new value; access to newly encrypted files is then restricted exclusively to the respective assigned asset. |
| Key without rule | Passive asset | For OnPrem keys without an assigned rule, passive assets are created in LAN Crypt Cloud: The assignments are made according to OnPrem for users/groups that can be mapped. The key name is used as the name of the created passive asset. |
Settings
| OnPrem Object | Cloud Object | Notes |
|---|---|---|
| Selected settings | Selected settings | The majority of the settings previously available in the on-premises environment are carried over in the course of the migration. Individual, rarely used settings are excluded from this and are not migrated. After the first data import, extended LAN Crypt Cloud settings are available to migrated tenants. This extended scope is accessible exclusively to administrators who have performed a migration from on-premises to cloud. Administrators who use LAN Crypt Cloud without a prior migration only have access to the standard scope of settings within the Cloud Administration. |
Technical support
Technical support for Utimaco products can be accessed as follows:
At support.Utimaco.com, maintenance contract customers can access additional information, such as knowledge items.
As a maintenance contract customer, send an email to technical support:
and specify the version number(s), operating system(s) and patch level of your Utimaco software and, if applicable, the exact wording of any error messages.
Legal notice
Copyright © 2024 - 2026 Utimaco IS GmbH, 2018 - 2024 conpal GmbH, 1996 - 2018 Sophos Limited and Sophos Group. All rights reserved. conpal®, AccessOn® and AuthomaticOn® are registered trademarks of conpal GmbH.
All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
This publication may not be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, unless you either have a valid license to reproduce the documentation in accordance with the license agreement, or you have received written permission from the copyright owner.
For 3rd party copyright information, refer to the 3rd party software document in your product directory.
Last updated 26.06.2026.