conpal LAN Crypt for macOS



What is conpal LAN Crypt for macOS?

With file encryption, conpal LAN Crypt enables the exchange of confidential data within authorization groups in small, medium, and large organizations. conpal LAN Crypt works without user interaction. It supports the role of a security officer (SO), who can restrict the access rights to files encrypted with conpal LAN Crypt. A master security officer (MSO) has the right to manage conpal LAN Crypt or to delegate authorizations. In this way, a hierarchy of security officers can be set up that can meet the security requirements in any company.

Encrypted files do not need to be assigned to individual users. Any user who has the required key can work with an encrypted file. This allows administrators to create logical user groups that can share access and work with encrypted files. This process can be compared to a kind of key ring as used in daily life. conpal LAN Crypt equips users and user groups with a key ring, whose individual keys can be used for different folders or files. Each time a user moves a file to an encrypted folder, the file is encrypted on that user’s computer. If another user in the same privilege group reads the file from the folder, it is transferred in encrypted form. The file is only decrypted on the recipient’s computer. The user can edit it there. Before the file is transferred back to the encrypted folder, it is encrypted again.

Unauthorized users may be able to access these encrypted files (only from workstations without conpal LAN Crypt), but without the corresponding conpal LAN Crypt authorization they will only see their encrypted content. This way the file always remains protected, even if no access protection is defined in the file system itself, the network is attacked, or the employees do not follow the security guidelines of the organization.

Data protection with conpal LAN Crypt for macOS

conpal LAN Crypt guarantees that sensitive files can be stored encrypted on file servers and workstations. Likewise, the transmission in networks (LAN or WAN) is protected, as the encryption and decryption are carried out in the main memory of the user’s workstation. On the workstations, encryption and decryption run largely without user interaction. No special security software needs to be installed on the file server itself.

A security officer can define access authorizations for specific folders and files. Those permissions are summarized in encryption profiles which are stored in a so-called policy file, along with the encryption keys that have been assigned to a user. The policy file is encrypted with a user-specific key and signed by the security officer to protect against malicious modifications. On the endpoint, legitimate users can decode the encryption profiles along with the assigned keys. Once loaded into the system, they have full access to data encrypted with conpal LAN Crypt. In the case of configuration with LAN Crypt Cloud as administration, the profiles are automatically downloaded and cached when the user logs in.

conpal LAN Crypt enables users to be divided into different authorization groups. All conpal LAN Crypt users sharing the same encryption profile in their policy file are members of an authorization group. Encryption keys necessary for accessing encrypted files are assigned automatically. Policy files must be deployed to the client for any updates to take effect. As soon as the policy file has been deployed to the client, files can be encrypted or decrypted as soon as they are opened or closed. All forms of organization can be mapped from a LAN model in which users are administered centrally to a distributed model in which users only use notebooks.

Differences between conpal LAN Crypt for Windows and conpal LAN Crypt for macOS

The following differences refer to the configuration with conpal LAN Crypt Admin as Administration and not to the configuration with LAN Crypt Cloud as Administration.

Configuration file substitutes group policy

All settings are made via the config.plist file, which must be created after installation (see Configuration).

A configuration file is necessary because the macOS client itself cannot use Windows group policies. The configuration file contains all necessary settings for the client, such as paths to policy files, certificates, and the user’s key file.

Encryption algorithms supported by conpal LAN Crypt for macOS

conpal LAN Crypt for macOS supports the following encryption algorithms:

  • AES-256 bit (XTS mode)
  • AES-256 bit (CBC mode)
  • AES-128 bit (XTS mode)
  • AES-128 bit (CBC mode)


  • Please note in this context that conpal LAN Crypt for Windows also supports other encryption algorithms (such as “IDEA” or “3DES”, etc.). conpal LAN Crypt for macOS accepts policies containing rules with unsupported encryption algorithms, but because it does not support these algorithms, it simply drops such rules.

In case the (master) security officer has activated the “Key Wrapping” option (default setting), security officer data and user profile data are encrypted with a randomly generated session key using the selected algorithm (default: AES). This key is then in turn RSA-encrypted with the public key from the certificate.

conpal LAN Crypt for macOS supports the following encryption algorithms for Key Wrapping:

  • AES-256 Bit
  • 3DES


  • When using security tokens or smart cards, make sure the hardware and/or the middleware software supports the selected algorithm.


Access to encrypted data

To be able to read or write encrypted files, a user always needs the key required for this purpose. All keys and encryption rules are assigned to users by the Security Officer via their policy file.

If the user has the required key with which files are encrypted, he can always open them. This applies even if there is no encryption rule in the profile policy for an SMB share and for the directories and files there.


  • However, if an SMB share has an “Ignore rule”, a user will not be able to open encrypted files contained there, even if the user has the required key.

If a network share is covered by an encryption rule, quick access to the mounted folder is available in the conpal LAN Crypt for macOS menu bar item.

Explicit decryption of files

To decrypt a file, you only need to copy or move it to a folder without encryption rules. The file is then automatically decrypted, provided that:


  • A corresponding encryption profile is loaded

  • The user has the required key

  • The active encryption profile does not contain an encryption rule for the new location.

Files and folders excluded from encryption

The following files and folders are automatically excluded from encryption, even if an encryption rule has been defined for them:

  • Files on all local drives.

  • Files in folders which are defined in conpal LAN Crypt with an “exclude” or “ignore” rule.

Configuration with LAN Crypt Cloud as administration

Login and access with a Conpal account

To access his encryption profile, a user must first successfully complete the Registration of his Conpal account. Once the registration is completed, all policies and settings set by the security officer will be assigned to the user account. When the policy file is loaded for the first time, the user is prompted to log in to the LAN Crypt Cloud using their account details. Upon successful login, the assigned policies are automatically downloaded and stored in the client.

Configuration with conpal LAN Crypt Admin as administration

Create configuration file

All settings for conpal LAN Crypt for macOS are made via the configuration file config.plist, which must be created after installation. A template is supplied and installed in the directory:

/Library/conpal/LAN Crypt/

After editing the template, copy it to the location below:

~/Library/Application Support/de.conpal.lancrypt/config.plist

Mandatory settings in the configuration file

PolicyPath: Mount point to the policy file

In the <string> section, enter the path to a mounted network share or local location where the users’ policy files (.xml.bz2) are stored.







SOCertLocation: Mount point to the security officer’s public certificate

In the <string> section, enter the path to a mounted network share or local location where the security officer’s public certificates (.cer) are stored.







Optional settings

You can also configure optional settings in the configuration file. These settings are important if, for example, the user login name on macOS differs from the user’s name in the conpal LAN Crypt Administration.

UserName: Login name of the user

If the directory username and the local username do not match, UserName must be set to the name of the user in the conpal LAN Crypt Administration. The user can only work properly with conpal LAN Crypt for macOS if the login name and the policy file name are identical.

CertificatePath: Mount point to the key file (.p12) of the user

After specifying the mount point for the key file (.p12) of the user, conpal LAN Crypt for macOS automatically tries to import a .p12 key file into the user’s keyring if the private key of the policy file is not available.

This file must be named after the respective user-login:



  • If users are to be logged in with a security token or smart card, the whole (<key>CertificatePath</key>) entry must be omitted.

DisableCertificateValidation: Disable Certificate Validation

You can specify whether any errors found when checking user certificates are to be ignored.



This setting is useful if the validity period of a certificate has expired and no new certificate is available yet. To ensure that a user can continue to access their encryption profile, the option allows checking of the certificate’s validity period to be disabled. Once the new certificates are available, this setting can be disabled again by changing the parameter for this setting to false.


  • Alternatively, trust settings can also be configured in Keychain Access. However, ignoring errors that occur during certificate checks always means a reduction in security.

AgentEnvironment: List of environment variables

If a policy uses keywords that should resolve to a specific value, an administrator can define these values by specifying them in AgentEnvironment.



PolicyUpdateInterval: Policy Update-Interval

Time interval between checks for new policies (minutes). If a new policy is available, it will be automatically loaded and applied.
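The settings described above can be checked before a config.plist is rolled out. The following is an added example, not part of the conpal manual or product: it audits the mandatory keys and the security-relevant optional keys named above. The value types (boolean for DisableCertificateValidation, integer minutes for PolicyUpdateInterval), the sample paths and the token_logon parameter are assumptions.

```python
import plistlib
from xml.parsers.expat import ExpatError

MANDATORY_KEYS = ("PolicyPath", "SOCertLocation")  # mandatory per the manual

# Constructed sample config.plist (paths are made up). Value types are assumptions.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PolicyPath</key>
    <string>/Volumes/lancrypt/policies</string>
    <key>CertificatePath</key>
    <string>/Volumes/lancrypt/certificates</string>
    <key>DisableCertificateValidation</key>
    <true/>
</dict>
</plist>"""


def audit_config(plist_bytes, token_logon=False):
    """Return (severity, message) findings for a config.plist.

    token_logon is a hypothetical flag supplied by the auditor: True if users
    are meant to log on with a security token or smart card.
    """
    try:
        cfg = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return [("error", f"not a readable plist: {exc!r}")]
    if not isinstance(cfg, dict):
        return [("error", "top-level plist object must be a <dict>")]

    findings = []
    for key in MANDATORY_KEYS:
        value = cfg.get(key)
        if not isinstance(value, str) or not value.strip():
            findings.append(("error", f"{key} is mandatory and must be a non-empty <string>"))

    # Accept a boolean or the string "true" because the value type is an assumption.
    disabled = cfg.get("DisableCertificateValidation", False)
    if disabled is True or str(disabled).strip().lower() == "true":
        findings.append(("warning", "DisableCertificateValidation is enabled; "
                         "certificate check errors are ignored, set it back to false "
                         "once new certificates are available"))

    if token_logon and "CertificatePath" in cfg:
        findings.append(("error", "CertificatePath must be omitted entirely for "
                         "token or smart card logon"))

    interval = cfg.get("PolicyUpdateInterval")
    if interval is not None:
        try:
            valid = not isinstance(interval, bool) and int(interval) > 0
        except (TypeError, ValueError):
            valid = False
        if not valid:
            findings.append(("warning", "PolicyUpdateInterval should be a positive "
                             "number of minutes"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE, token_logon=True):
        print(f"{severity.upper()}: {message}")
```

An empty result means the file contains both mandatory settings and none of the flagged conditions; it does not verify that the configured paths are reachable.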



Reload configuration file

Changes to the configuration file require a restart of conpal LAN Crypt for macOS to take effect. To do so, open a terminal and execute the command below, or log out and log in again.

launchctl unload /Library/LaunchAgents/de.conpal.lancrypt.useragent.plist && launchctl load /Library/LaunchAgents/de.conpal.lancrypt.useragent.plist


Before users can access their encryption profile, the corresponding certificate must be available on the Mac. The security officer distributes these certificates to the users along with the corresponding password or PIN to access them. A path where the conpal LAN Crypt Administration stores the user certificates as well as the public certificate (.cer) of the Security Officer must be configured. From this path, users then import their PKCS#12 key file (their certificate) onto their computer. If the certificates are available at the first logon, the entire process up to PIN entry runs automatically without any user interaction.


  • If the login to conpal LAN Crypt fails, errors will be logged to the system log. To filter for LAN Crypt, set the subsystem to de.conpal.lancrypt. Also enable the “Include Info Messages” and “Include Debug Messages” options in Console. Alternatively, you can also view this information live in Terminal using the following command: log stream --level debug --predicate 'subsystem == "de.conpal.lancrypt"'

  • conpal LAN Crypt verifies the certificates of the user and the public certificate (.cer) from the (Master) Security Officer, who created the policy file. If the certificate contains a “CRL Distribution Point” and no valid CRL is present on the system, conpal LAN Crypt for macOS initially does not trust this certificate. In the user’s Keychain, the user can change the trust setting and then assign the setting “Always Trust” for this certificate.

The certificate is checked every time the encryption profile is loaded. If a valid certificate is found, the user is logged on to conpal LAN Crypt. If no valid certificate is found, the user is not able to work with encrypted data.

Encryption rules with their assigned keys from the conpal LAN Crypt encryption profiles give users access to encrypted data. These rules define exactly which files in particular directories have to be encrypted by each key. A user’s encryption profile only needs to be loaded and encryption and decryption takes place in the background.


  • In order for conpal LAN Crypt for macOS to import the certificates automatically, it is important that the file names of the certificates exported from the Admin Console are not changed.

Logon to conpal LAN Crypt

conpal LAN Crypt encryption profiles are created by a security officer, in accordance with the company’s security policy, and then stored in policy files. An encryption profile can only be loaded if the user owns the corresponding certificate.

The policy files are stored in a path defined for this purpose (network share). For conpal LAN Crypt for macOS to find the policy file, the location must be defined in the configuration file. This also applies to the path where the public certificate of the security officer can be found.

When a user logs in to conpal LAN Crypt, the encryption profile stored in the policy file is loaded by conpal LAN Crypt for macOS. If the user holds the proper key, the profile is decrypted and the encryption rules are applied.

Logon with token

Users can also log on to conpal LAN Crypt for macOS using a token. A prerequisite for this logon method is that the user’s conpal LAN Crypt user certificate is stored on the token. If the user certificate is found on a token connected to the system, the user is logged on.


  • If users are to be logged in with a security token or smart card, you must not enter a mount point to the user’s key file (.p12) in the configuration file.

Loading the policy file

conpal LAN Crypt default behavior

When a user logs in, their cached user profile is loaded first. conpal LAN Crypt for macOS automatically searches for new policy files for the user if the configured policy path or, if used, the LAN Crypt Cloud is accessible. When a new policy file is found, the cached policy is updated.

The user can start working with encrypted files while conpal LAN Crypt continually checks for new versions of the policy. If the specified policy location is not accessible, the cached profile is used.

When Configuration with LAN Crypt Cloud as administration is used, the cached profile is used until the update interval expires. This means that the time limit set in the LAN Crypt Cloud determines how long a cached profile is valid before the policies need to be updated.

Client Status-Information

conpal LAN Crypt for macOS provides detailed information about its state. Available information is divided into individual tabs as follows:


Shows general information about the program status. In addition to information about the active user, the lifetime and update interval of the loaded policy are also displayed.


This tab lists all active encryption rules.


This tab lists all keys available to the user.


This tab shows information about the program version. The instruction manual can also be opened on this page.

Encryption for cloud storage services and network shares

To add a cloud storage or network share for encryption, click the conpal LAN Crypt icon in the status bar.

Select the type of storage you want to add (cloud or network). OneDrive and Google Drive are supported for cloud connectivity. After adding your desired storage, a corresponding entry/location will be created in the Finder sidebar, collecting all added file shares.

To remove a network storage, click the status bar icon of conpal LAN Crypt again and select the eject icon next to the respective network share.

The option to remove a cloud storage connection is located in the settings of conpal LAN Crypt for macOS in the Accounts section.


When browsing the respective folder structure in the Finder, the system creates dataless files for each item found on the user’s drive. These dataless files do not occupy space on the device and are downloaded only when the user actively opens a file or uses Download Now in the context menu. Downloaded files and modified files that have been successfully synced back to OneDrive/Google Drive can also be removed from the device to free up storage space. This action is also available in the context menu.

To share a file or folder with others, the Show Online option in the context menu takes the user to the file or folder in the online view of the respective cloud storage service using the default browser. The user can now use the familiar Share functionality here, for example.


  • There is no keyword for OneDrive or Google Drive in the conpal LAN Crypt administration. Only relative rules are supported.

  • Files that are subject to an encryption rule are encrypted when their content is uploaded to the cloud.

  • When the content of encrypted files is downloaded, it is decrypted if the corresponding encryption key is available.

  • Every file in OneDrive/Google Drive has a version history. Uploading an encrypted version of a file does not remove its history. It is therefore possible to restore an unencrypted version.

  • The supported cloud storage services and conpal LAN Crypt for macOS can work in parallel without any problems. conpal LAN Crypt for macOS can be used as a replacement for the clients of OneDrive and Google Drive.

  • Encryption functions are only available when folders are accessed via the conpal LAN Crypt location.

Enable Quick Action extension

conpal LAN Crypt for macOS comes with a Quick Action extension for quickly viewing file-specific encryption information. For this to work, however, you must first enable the extension within the System Preferences.

To do this, simply follow these steps:

  1. Open the System Preferences.

  2. Now click on Extensions.

  3. Now select the Finder tab on the left and activate the Quick Action extension Encryption Information.

To view the encryption information of a file, you can now right-click on it and access it via Quick Actions. If files are not subject to any rule and the key is available, they can also be decrypted directly via the encryption information dialog.


Installing conpal LAN Crypt for macOS

conpal LAN Crypt for macOS supports the following versions of macOS:

  • macOS 14 Sonoma
  • macOS 13 Ventura

Open the file conpal LAN Crypt.pkg and follow the specified installation steps. Apart from that, there are no further settings to be made in the operating system settings.

Uninstalling conpal LAN Crypt for macOS

Open Uninstaller.pkg from the path below and proceed through the dialogs.

/Library/conpal/LAN Crypt/Uninstaller.pkg


  • FileVault must be activated to use conpal LAN Crypt for macOS

  • After uninstalling conpal LAN Crypt for macOS, encrypted files can no longer be decrypted. Uninstalling conpal LAN Crypt for macOS does not decrypt files.

Using “lcutil”

In addition to the program components, a console application ‘lcutil’ is installed. This tool can be useful when solving technical problems. It is installed in the following directory:

/Library/conpal/LAN Crypt/

This provides users advanced functions of conpal LAN Crypt for macOS, which are described below.

To print the version information of conpal LAN Crypt for macOS, the user must open the terminal and execute the following command:

/Library/conpal/LAN\ Crypt/lcutil version

Collect logs

You can export all conpal LAN Crypt for macOS logs to a file (.xz). Certain events can be recorded, evaluated, archived, and checked at any time in this way.

To export all conpal LAN Crypt for macOS logs to a file, the user must open the terminal and execute the following command:

/Library/conpal/LAN\ Crypt/lcutil collect-logs

The following events are collected in the log file:

  • System log
  • Mount table
  • Process table
  • Version information
  • System profiler
  • Cached policies
  • Config.plist
  • Crashdumps
  • Information about configured cloud provider accounts

Technical support

To access technical support for conpal products do the following:

All maintenance contract customers can access further information and/or knowledge base items at the following link. As a maintenance contract customer, send an email to technical support using the email address and let us know the exact version number, operating system and patch level of your conpal software and, if applicable, a detailed description of any error messages you receive or applicable knowledge base items.

Copyright © 2018 - 2023 conpal GmbH, 1996 - 2018 Sophos Limited and Sophos Group. All rights reserved. conpal®, AccessOn® and AuthomaticOn® are registered trademarks of conpal GmbH.

All other product and company names mentioned are trademarks or registered trademarks of their respective owners.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

You find copyright information on third party suppliers in the 3rd Party Software document in your product directory.

Last updated 16.10.2023