SafeGuard LAN Crypt: Frequently asked questions about certificates and keys (FAQs)

  • Article ID: 112305
  • Rating:
  • 1 customers rated this article 2.0 out of 6
  • Updated: 09 Oct 2015

For more detailed information about the requirements and use of certificates refer to the SafeGuard LAN Crypt Administration User Manual.

Why does the SafeGuard LAN Crypt user need to be owner of a valid certificate (private key)?

The encryption profile was encrypted with the “public key” of a defined user. Therefore the user profile can only be decrypted by the “private key” of that same user. To decrypt the encryption profile, the certificate is checked each time the encryption profile is loaded. If a valid certificate is found, the user is logged on to SafeGuard LAN Crypt. If no valid certificate is found, the user is not able to work with the encrypted data.

Special encryption rules included in the SafeGuard LAN Crypt encryption profiles give the users access to encrypted data. They define exactly which files in particular directories have to be encrypted by each key. The encryption profile of a user only needs to be loaded for encryption and decryption takes place in the background (transparently). The user will not be aware of the encryption/decryption tasks being performed. Note: The certificate is not used for encrypting/decrypting the files and folders

Why does the SafeGuard LAN Crypt user need to be in possession of the public key of the SafeGuard LAN Crypt Administrator certificate?

The encryption rules in the encryption profile are cryptographically signed with the private key of a SafeGuard LAN Crypt security officer. For verification of this signature the SO certificate (containing the public key) is required.This guarantees that the encryption rules cannot be modified, because the signature does not match.

How is the key used when accessing encrypted data?

If the user does not have the required key for that particular file in his encryption policy, he is then not permitted to access the encrypted data. The user is not able to read, copy, move, rename, or in any other way interact with the encrypted file. If the user owns the key used to encrypt the file, the user is able to access it, even if there is no encryption rule in the user’s encryption profile for this file (resp. an encryption rule)

Which certificates can be used and where do they come from?

SafeGuard LAN Crypt uses certificates and public/private key pairs to secure encryption information stored in the encryption policy files. Only the owner of the certificates is able to access the private key belonging to the certificate and use it for accessing the encryption information.

A company either has its own Public Key Infrastructure (PKI) or uses a Trust Center to create certificates for the users, in which case, existing certificates can be used.
Optionally, the SafeGuard LAN Crypt Administration component can generate self-signed certificates. These self-signed certificates can only be used by SafeGuard LAN Crypt. These are simple certificates (comparable to Class-1 certificates) which comply with the X.509 standard. The certificates are assigned to the users within the SafeGuard Administration component. NOTE: It is not possible to use the Microsoft Standard CSP (Microsoft Base CSP)

In SafeGuard LAN Crypt you can specify whether any errors found when checking user certificates are to be ignored. This procedure is useful if the validity period of a certificate has expired and a new certificate is not yet available. To ensure that a user can continue to access their encryption profile, you can ignore the period of validity check until a new certificate is issued. This allows you to continue to use the certificate which has expired. Once a new certificate is available, you should cancel Ignore during Certificate Verification.
NOTE: Ignoring errors that occur during certificate checks always means a reduction in security. To ensure that this setting is not misused when you make server settings, this node is also displayed in Server Settings.

Why does a SafeGuard LAN Crypt Client need access to the Security Officer (MSO/SO) certificate? Which SO certificates are needed?

The encryption rules (policy files) are signed by the specific SO who started the profile encryption. To verify the signature, the client needs the public key of that specific SO and therefore needs the SO certificate.

Can you use certificates from a Novell Netware PKI within the SafeGuard LAN Crypt Administration?

Yes, you can use certificates from a Novell Netware PKI within the SafeGuard LAN Crypt Administration. The KeyUsage value of the certificate must be "KeyEncryption" and/or "DataEncryption" and the certificate may not contain any unknown critical extensions.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent