SafeGuard Item: 104111
Document version: 1.1 BELGIUM - Utimaco Safeware AG
SafeGuard Item for
“SafeGuard LAN Crypt 3.01”
The information in this article applies to:
• Windows 2000 Workstation SP2 or higher, Windows XP Workstation
• SafeGuard LAN Crypt 3.01
This document describes how to install and configure SafeGuard® LAN Crypt 3.01 on a stand-alone
PC with Windows XP. It can be used to build a demo workstation to show the functionalities of LAN Crypt.
1 Installing SafeGuard® LAN Crypt
To install SafeGuard® LAN Crypt (SGLC):
• At installation, select “Custom”
• Select “Administration”, and be sure to select both components: “User Settings” and
SGI: 104111 -1- 1
After the installation, setup will ask to reboot your machine.
2 Preparation for the configuration
SGLC 3.0 works differently from previous versions. These are the major changes:
• SGLC now uses certificates, which can either come from a PKI or be generated by LAN Crypt itself.
• The administration happens completely within the MMC. No keyfiles are used anymore,
although old keys can be imported.
• This also means that everything is configured through policies, while LAN Crypt-specific
settings are kept in the administration database. This database does not have to be
accessible to the users; it serves administration purposes only.
From this we can derive some preparations: we need a directory for the certificates, one for
the policies and one for the LAN Crypt database. Therefore, create the following directories:
• <foldername>\cert
• <foldername>\admin
• <foldername>\policy
where <foldername> is for example “d:\lan crypt data”.
The “cert” folder will contain the p12 files made for the users as well as the LAN Crypt administrator
certificate, the “admin” folder will contain the administration database and the private key for the LAN
Crypt administrator, and the “policy” folder will contain the policy files for the users. The “admin”
folder holds the most sensitive material, so restrict access to it to the administrator account.
3.1 Configuration for the currently logged on user
This configuration can be used if you only want to configure SafeGuard® LAN Crypt for the currently
logged on user.
• Start MMC
• Add the snap-in “SafeGuard System Policy” to the console root
• When asked whether to use the local registry or a POL file, select the Local Registry option.
When you click “Finish” and then “Close”, an object will be added under the Console Root and
called “SafeGuard System Policy (Local Registry)”.
When expanding this object, you get the Local Computer and the Local User. Expand the Local
Computer to get “SafeGuard Templates” and “LAN Crypt Configuration”. Click on “SafeGuard
Templates” and LAN Crypt will ask for the LAN Crypt options. This options page is divided into several
tabs. Configure the tabs as follows:
(Note: this order is not mandatory, but it has an advantage: by default the LAN Crypt administration
certificate is created in C:\Documents and Settings\All Users\Documents\Utimaco\Admin. If the
path for the certificates is changed first, the certificate will instead be stored in the “admin” directory
created under the step “Directories”.)
1. Change the location of the generated certificates and keyfiles (*.p12) to the directory created
under “Directories”, i.e. <foldername>\cert.
2. Change the location of the security officer certificate to the administration directory, i.e.
<foldername>\admin. The security officer's private key must be kept absolutely safe: never publish
it, since a published key file can be attacked offline by brute-forcing its password.
1. Change the desired location of policy files to the policy directory, e.g. <foldername>\policy.
2. Change the path for password logging of created certificates, for example to the
administration directory <foldername>\admin.
1. Browse for the administration directory defined in the “Directories” step, i.e.
<foldername>\admin. Keep the proposed database name “SGLCADMDB.DB”.
2. Enter a recovery key for the database encryption. The key must be exactly 32 characters long.
You can save the key for backup purposes (the “Save” button is only needed if you want to make
a backup of the key). For details about the recovery key concept refer to the product manual.
3. Create a certificate for the LAN Crypt administration by clicking the browse button (“…”). This
brings up a window listing the existing certificates; it should be empty unless certificates have
been imported first. Press the “New” button to create a LAN Crypt administration certificate.
Click OK to accept all changes. A message will appear announcing that the database will be created
and secured with the administration certificate. Click OK to accept. A further message then confirms
that the certificate has been created.
4 LAN Crypt configuration – Client settings
First we need to define the location of the policy files for the users. Go to “SafeGuard System
Policy” > “Local Computer” > “LAN Crypt Configuration” > “Client Settings”. In the right-hand
window change the following settings:
• Security Officer Certificate Client Location: the directory of the LAN Crypt administrator
certificate, i.e. <foldername>\cert
• Keyfile Client Location: the directory where the user will search for his private key, i.e.
<foldername>\cert
• Policyfile Client Location: the directory where the user will search for his policy file, i.e.
<foldername>\policy
Keep the Policy File Cache Directory as it is.
5 Defining Templates
Now we can define the templates for LAN Crypt. Go to “SafeGuard System Policy” > “Local
Computer” > “SafeGuard Templates”.
The first things to define are the keys. In a single-user configuration there will be only one key. To
create this key, click on “Keys” on the left-hand side, and at the right-hand side, right-click and select
“New” to create the key.
Use the “Random” button to create random keys. Another possibility is to import existing keys from an
old keyfile; in that case right-click on the right side of the window and click “Import key from keyfile”.
HINT To delete a key, you first need to disable it (right-click on the key, select “Enable/Disable key”).
Then right-click again on the key and select “Delete” to delete it. Also note that only keys that are not
used in a rule can be deleted.
When selecting “Certificates” under “SafeGuard Templates”, the login name of the currently logged on
user is displayed. (The list is retrieved from the location specified in the LAN Crypt options, tab “Users
and Groups”; on a stand-alone PC the default is the local machine. You can get to the LAN Crypt options by
right-clicking on “Keys”, “Certificates” or “Encryption paths”, or by clicking the “LAN Crypt options” button
on the toolbar. This button is only visible when “Keys”, “Certificates” or “Encryption paths” is selected.)
To create a certificate for the user, double-click the username. A window containing the existing
certificates pops up. To create a new certificate for the selected user, click “New”. To assign that
certificate to the user, click “OK”. (Clicking “Cancel” will not delete the certificate; it will just not assign
the certificate to that user).
5.3 Encryption paths
Next we’ll define the encryption paths. Define all paths for all users. Later on the link between users,
keys and paths will be made.
This is done by selecting “Encryption paths” under the “SafeGuard Templates”. Right-click in the right
window and select “New path” to browse for a path.
6 Configuring the user
In the final configuration step the user will be linked to keys and paths.
Select the “Local User” under “SafeGuard System Policy”. Expand that user and select “Certificates for
Users”. If all is well you should see the certificate created before.
Next, select “Encryption Rules”. All the defined paths, including “Key without path” should be listed.
Double click the path you wish to configure for the user. In that window, select a key and the options.
• “Include subdirectories” means the key and the encryption rule also apply to every subdirectory
of the defined encryption path.
• “Exclude path” means the path cannot be used for encryption.
• “Ignore path” deactivates the filter driver for that path. No transparent encryption or
decryption takes place there, so an encrypted file placed in such a path is not decrypted.
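The three rule options above, together with the default “Ignore” entries for the Windows directory and the LAN Crypt program directory mentioned in section 8, are easiest to understand as a small rule-resolution model. The following Python is an added illustration and not code from Utimaco or from SafeGuard LAN Crypt: the precedence it uses between overlapping rules (the most specific path wins), the treatment of paths with no rule (left in clear, driver still active), and the LAN Crypt program directory it uses as a default are assumptions, not facts taken from this document.

```python
"""Model of how LAN Crypt encryption rules resolve for one file path.

Added illustration only; NOT code from Utimaco or SafeGuard LAN Crypt.
ASSUMPTIONS (not stated on the page): when several rules match, the most
specific one (longest path) wins, and a path without any matching rule is
left unencrypted while the filter driver stays active.
"""
from dataclasses import dataclass
from typing import List, Optional
import ntpath


@dataclass(frozen=True)
class Rule:
    path: str                      # encryption path as entered in the template
    key: Optional[str] = None      # key name; None for Exclude / Ignore rules
    include_subdirs: bool = False  # "Include subdirectories"
    exclude: bool = False          # "Exclude path": path may not be used for encryption
    ignore: bool = False           # "Ignore path": filter driver inactive for the path


# Every profile carries an "Ignore" entry for the Windows directory and the
# LAN Crypt program directory (section 8). The program directory used here
# and the inclusion of their subdirectories are ASSUMED, not taken from the page.
DEFAULT_RULES: List[Rule] = [
    Rule(r"C:\WINDOWS", ignore=True, include_subdirs=True),
    Rule(r"C:\Program Files\Utimaco\LAN Crypt", ignore=True, include_subdirs=True),
]


def _norm(p: str) -> str:
    """Case-insensitive, trailing-backslash-free form of a Windows path."""
    return ntpath.normpath(p).lower().rstrip("\\")


def _matches(rule: Rule, file_path: str) -> bool:
    """True if the file's folder is the rule path or (if enabled) a subdirectory of it."""
    folder = _norm(ntpath.dirname(file_path))
    rule_dir = _norm(rule.path)
    if folder == rule_dir:
        return True
    return rule.include_subdirs and folder.startswith(rule_dir + "\\")


def resolve(rules: List[Rule], file_path: str) -> str:
    """Return what the filter driver does with file_path:
    'ignore'         - no transparent encryption or decryption at all
    'no-encryption'  - driver active, but new files are written in clear
    'encrypt:<key>'  - transparent encryption with the named key
    """
    hits = [r for r in rules + DEFAULT_RULES if _matches(r, file_path)]
    if not hits:
        return "no-encryption"
    best = max(hits, key=lambda r: len(_norm(r.path)))  # ASSUMED precedence: longest path wins
    if best.ignore:
        return "ignore"
    if best.exclude:
        return "no-encryption"
    return f"encrypt:{best.key}"


# Constructed demo rules for a single user (not from the page)
USER_RULES: List[Rule] = [
    Rule(r"D:\Data", key="ProjectKey", include_subdirs=True),
    Rule(r"D:\Data\Public", exclude=True, include_subdirs=True),  # carve-out inside D:\Data
    Rule(r"D:\Flat", key="FlatKey"),                              # no subdirectories
]

if __name__ == "__main__":
    for f in (r"D:\Data\report.doc", r"D:\Data\Archive\2003\old.xls",
              r"D:\Data\Public\readme.txt", r"D:\Flat\a.txt", r"D:\Flat\sub\b.txt",
              r"C:\WINDOWS\system32\kernel32.dll", r"E:\other\file.txt"):
        print(f"{f:40} -> {resolve(USER_RULES, f)}")
```

The point of the model is the difference between “Exclude” and “Ignore”: an excluded path and a path without any rule both leave new files in clear, but the driver is still present, whereas an ignored path gets no driver activity at all, which is why an encrypted file dropped into the Windows directory stays encrypted.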
Finally, create the policy file for the local user. To create the policy file and store it in the defined
directory, select either “Encryption rules” or “Certificates for Users” under the Local User, and click the
“Build profiles for current user” button to create the profile only for the current user, or the “Build
profiles for all users” button on the toolbar. As there is only one user, the currently logged on user,
both result in the same policy file being created.
Now close the MMC (you can store the console under an easy name, such as “LAN Crypt”).
7 Last steps
Check the contents of the subdirectories under <foldername>. The “cert” folder should contain
the AdminCert.cer certificate, which is the certificate of the LAN Crypt administrator; it is used to
verify the signature of the policy file. It should also contain a p12 file with the private key of the
user, named <username>.p12.
The “admin” folder contains the database (“SGLCADMDB.DB”) and its log file, the p12 with the private key
for the LAN Crypt administrator (“LCAdmin.p12”) and the log file of the passwords of all private keys
(“p12pwlog.csv”). This file can be opened with Excel or with Notepad; since it holds the PINs of every
generated private key in clear text, it must be protected at least as strictly as LCAdmin.p12.
Finally, the “policy” folder should contain the policy file for the user, named <username>.pol, as well as
a log file for this policy file.
8 Using LAN Crypt
To use LAN Crypt the user needs to open the policy file. This only happens at logon, so log off, then
log on again.
As there is no certificate available for the user yet, the LAN Crypt Profile Loader will warn the user.
The default directory containing the private key contains a p12 file for this user, so LAN Crypt will
propose to use that one.
Check the password file (<foldername>\admin\p12pwlog.csv) for the corresponding password/PIN
code for the private key, and enter that password in the dialog.
After clicking OK the red key in the system tray will change into a green key, meaning you are now
logged on to LAN Crypt.
To check the rules right-click on the key icon in the system tray and select “Show Profile”. This will
show a window containing the rules for this user.
Note that two extra folders are added, the Windows directory and the program directory of LAN Crypt.
By default, no encryption/decryption will happen in those folders (the “Ignore” flag is set).
9 Private Key security
By default the security level of the imported private key is set to “Medium”. This means that the user
will not be prompted or notified when the private key is used, so the LAN Crypt logon will happen
without any user interaction.
There are two ways to set a higher security level when importing the private key:
1. Use the Microsoft Certificate Import Wizard. After successfully importing the private key, the
wizard will ask to set the appropriate security level.
Select “Set Security Level”, and then select “High”. Define a password to be asked every time
the private key is used.
Click “Finish” and then “OK”.
2. Configure the machine to always prompt for the security level when importing a private key
with the Utimaco Profile Loader. This can be done using Poledit and the administrative
template “c:\program files\utimaco\adm\sguard.adm”. In Poledit open the registry, then the
Local Computer. In there, select “SafeGuard Universal Token Interface – General Options” >
“Private Key Options”, put a check next to “Enable strong private key protection” and save.
Alternatively, set the corresponding registry value directly under the SafeGuard Universal Token
Interface key.
Note that this does not affect already imported private keys. It only takes effect when a new
private key is imported.
10 Configuration for multiple users
When configuring multiple users on a stand-alone system, the registry System Policy can only be used
to define the machine settings. The individual users need to be configured using a policy file. Add a
new snap-in in the Console Root and select again “SafeGuard System Policy”. This time, browse for a
policy file. This policy file will not be read by the users and does not have to exist yet, so select
<foldername>\admin\lancrypt.pol as the name of the policy file.
You now have two items under the Console Root: “SafeGuard System Policy (Local Registry)” and
“SafeGuard System Policy (<foldername>\admin\lancrypt.pol)”.
Expand one of the two items below the new snap-in, the default computer or the default user (both
named “.default”). LAN Crypt will ask if a SafeGuard Template GPO should be created. Choose “Yes”.
Now a third item will appear under the SafeGuard System Policy, named SafeGuardTemplateGPO.
This TemplateGPO will also contain an item called “SafeGuard Templates”. It has the same templates
as defined in the previous sections. The difference is that under “Certificates” it will show all users
defined on the system.
Now you create certificates for those users as well, and also create the policy files for those users.
NOTE Both “SafeGuard Templates” objects are views of the same data, meaning that an item created in
one of them is also reflected in the other. For example, if you create a new key or encryption rule in
the SafeGuard Template of the SafeGuardTemplateGPO, it will also appear under the Local Registry
version of that template.
Starting from Service Pack 3 for Windows 2000 there is a problem with the certificate import wizard.
When SP3 or SP4 is installed, do not double click the p12 file to import the private key, but use LAN
Crypt for importing the key instead. This will make sure the private key is loaded in the Microsoft
Enhanced CSP instead of the Microsoft Base CSP.
Additional information about the configuration:
SafeGuard Item: 103944
Title: Installation and Administration of SafeGuard LAN Crypt 3.0 in an Active Directory environment
(German-language document.)
SafeGuard Item: 104238
Title: Installation and Administration of SafeGuard LAN Crypt 3.0 in an Active Directory environment
SafeGuard Item: 104237
Title: Installation and Administration of SafeGuard LAN Crypt 3.01 on a stand-alone PC
(German-language translation of this document.)
SafeGuard Item: 104239
Title: Notes on migrating from SG LAN Crypt 2.x to 3.x (German-language document.)
Utimaco Safeware AG provides this information and article as a service.
All such documents and related graphics are provided without warranty of any kind. Utimaco hereby
disclaims all warranties and conditions regarding this information.
Utimaco reserves the right to make improvements and/or changes in the product(s) described herein
at any time.
SafeGuard® is a registered trademark of Utimaco Safeware AG.
Microsoft®, Windows®, Windows NT®, Windows 2000® are registered trademarks of Microsoft
Novell Netware® is a registered trademark of Novell
Tivoli® is a registered trademark of IBM in the United States
NetInstall® is a registered trademark of NetSupport GmbH