Utimaco u.trust LAN Crypt for iOS / iPadOS - Help

Utimaco u.trust LAN Crypt for iOS / iPadOS enables users to work with their encrypted data remotely, by using their mobile devices, such as smartphones or tablets.

With transparent file encryption on Windows / macOS, Utimaco u.trust LAN Crypt enables the secure exchange of confidential data within authorization groups in small, medium and large organizations. Numerous companies, business organizations and the public administration in Germany and worldwide are already relying on Utimaco u.trust LAN Crypt.

A Security Officer (SO) determines centrally, which files and storage locations should be protected by Utimaco u.trust LAN Crypt and defines which users are allowed to have access to specific data by setting one, or several encryption rules. As an example, the Security Officer (SO) can ensure that all Word documents in a specific file storage path are encrypted, by creating an encryption rule on the defined path, e.g. "\\Servername\Files\*.docx". As soon as this rule is transferred to the client computer via a policy file, created with the Utimaco u.trust LAN Crypt Administration console, all Word documents in this path will be encrypted from now on. Additionally, you can combine one or more encryption rules to one encryption profile.

This applies to all files, independently of where the files are stored. You can access all Utimaco u.trust LAN Crypt encrypted files that are either stored locally, on a network storage or on a remote storage (e.g. cloud storage). A user can easily access the same Utimaco u.trust LAN Crypt encrypted files, that are also available on his workstation computer.

Utimaco u.trust LAN Crypt for iOS / iPadOS enables users to use their mobile devices, such as iPhone or iPad, to work with their encrypted data.

This release of Utimaco u.trust LAN Crypt for iOS / iPadOS allows the user to open, edit and save encrypted files and access them per se and moreover extends the usual Utimaco u.trust LAN Crypt security infrastructure by using certificates (.p12 files) and policy files (.xml.bz2) on mobile devices.

Utimaco u.trust LAN Crypt for iOS / iPadOS supports iOS 14 / iPadOS 14 and newer versions.

Utimaco u.trust LAN Crypt for iOS / iPadOS is available in German and English.

Supported encryption algorithms for file encryption

Utimaco u.trust LAN Crypt for iOS / iPadOS supports the following encryption algorithms:

• AES-256 Bit (XTS-Mode)
• AES-256 Bit (CBC-Mode)
• AES-128 Bit (XTS-Mode)
• AES-128 Bit (CBC-Mode)

Supported encryption algorithms for key wrapping

Utimaco u.trust LAN Crypt for iOS / iPadOS supports the following encryption algorithms for key wrapping:

• AES-256
• AES-192
• AES-128
• Supported, but not recommended: 3DES, 3DES TWO KEY, DES, RC4

Note: With key wrapping (default setting), the transport key of the Security Officer data and the user profile data will be encrypted with a randomly generated session key, using the selected algorithm (AES is used by default). This key, on the other hand, is then RSA-encrypted using the public key from the certificate.

Note: Please note that in comparison to Utimaco u.trust LAN Crypt for Windows, the algorithm "RC2" is not supported by Utimaco u.trust LAN Crypt for iOS / iPadOS. If the key wrapping for your policy file is set to this algorithm, the policy file cannot be used with Utimaco u.trust LAN Crypt for iOS / iPadOS. In that case, you have to change the key wrapping encryption algorithm and choose an algorithm that is supported. (e.g., AES-128).

Note: If you are using a security token, please make sure that the middleware you are using also supports the selected key wrapping encryption algorithm. You might need to update the middleware, if you are using a security token.

For security reasons, the Utimaco u.trust LAN Crypt app requires a passcode to be set for the device. When the app becomes active, it checks for the presence of a device passcode and if it finds that the device is not protected, it blocks usage until a device passcode has been set. Never use an easy-to-guess passcode, such as "1234" or "000000". Only with a secure passcode you can prevent unauthorized access to your confidential data, in case your device is lost or stolen. In general, Utimaco recommends to erase the policy file and certifikate on your Apple device, if the device is not in use for a longer period of time, or if you exchange your device for a new one (see Deleting policy file and Deleting user certificate).

Note: When the device passcode is turned off, the user certificate password is removed and must be re-entered after the device passcode is turned on again.

After leaving the Utimaco u.trust LAN Crypt for iOS / iPadOS welcome screen, you will be prompted to provide the configuration data:

• Import your policy file
• Import your user certificate
• Select default encryption key

Note: If SMB shares are used to distribute configuration files, the settings view shows an additional Network section. This allows to clear or enter the SMB credentials. When deleting the SMB credentials, downloaded configuration files are deleted as well.

Policies

What are Utimaco u.trust LAN Crypt policy files?

A Security Officer (SO) centrally defines via the Administration of Utimaco u.trust LAN Crypt which files and storage locations are to be protected by Utimaco u.trust LAN Crypt with encryption and also which users have access to which of these data. For this purpose, the Security Officer creates one or more encryption rules for the user. Each individual encryption rule consists of an encryption path, a key and an encryption algorithm. Utimaco u.trust LAN Crypt policy files contain all encryption rules, that the user requires, in order to be able to work with encrypted data. For the user to be able to use the policy file, he/she needs a certificate, which will be provided to him/her as a key file (.p12 file) by the Utimaco u.trust LAN Crypt Security Officer. The key file contains the certificate and the private key of the user. The access to the key file is secured by a password. The user will receive the password through his Security Officer.

Before importing the policy file and the key file to the mobile device, the files have to be copied to a location that is accessible via the mobile device. This can be a private folder in OneDrive, iCloud or on a network share. Alternatively, you can copy the key file directly into the storage of the mobile device, by connecting it to the PC via USB or WLAN. For the direct connection between two Apple devices, you also have another option with AirDrop. AirDrop supports Wi-Fi as well as Bluetooth.

Open the app Utimaco u.trust LAN Crypt for iOS / iPadOS on your mobile device. Then tap on the user icon in the u.trust LAN Crypt history (file browser) in the app in the upper right corner to open the settings view. There, tap on the selection Policy file and then choose the storage location in which the policy file is located. Then tap the policy file. The policy file will be imported into your mobile device.

Open the app Utimaco u.trust LAN Crypt for iOS / iPadOS on your mobile device. Then tap on the user icon in the u.trust LAN Crypt history (file browser) in the app in the upper right corner to open the settings view. There, tap on the selection User certificate and choose the location that contains the key file (.p12). Tap the certificate file (.p12). The file will appear in your file browser. In the following dialog, enter the password that you received from the Security Officer for your certificate / key file and confirm your entry by tapping OK. If you entered the correct password, the certificate and the corresponding personal key will be imported into the Utimaco u.trust LAN Crypt for iOS / iPadOS app.

Note: Utimaco u.trust LAN Crypt for iOS / iPadOS also supports referencing multiple user certificates in the policy file. In order to be able to use the policy file, the user must have at least one of the certificates that have been issued to him and whose public key is used to encrypt the policy file, and of course he must also have imported it.

Select the default encryption key

Open the app Utimaco u.trust LAN Crypt for iOS / iPadOS on your mobile device. Then tap on the user icon in the u.trust LAN Crypt history (file browser) in the app in the upper right corner to open the settings view. There, tap on the selection Default key. All encryption keys available to you are listed. There, tap on the key that you want to use as the default encryption key. When you encrypt new files, those files are then encrypted with this key.

When using mobile device management (MDM), the default encryption key can be defined as a managed setting:

• Name of the setting is default_key_guid and must be set to the GUID of the key to be used for encryption.
• When managed, the user can not change the default key in the settings.
• If the managed encryption key is not part of the user keyring, the GUID is shown in the settings and attempts to encrypt files fail with an error.

Note: You can change the default encryption key at any time. New files that you want to encrypt will always be encrypted with the selected default encryption key. If a default key is set, it can also be unselected by selecting None in the list of keys.

In addition to the app, you can use a Mobile Device Management (MDM) solution to deploy the individual configuration (policy file and certificate) for the users' mobile devices in addition to the app itself. If you don't have a Mobile Device Management (MDM) solution at your disposal, the configuration data (policy file and certificate) must be imported by each user manually, as described above.

Settings:

Configuration data is a list of key+string tuples. Files must be provided as Base64-encoded strings, via URL, hosted on a HTTPS or SMB server. The following configuration keys are offered by Utimaco u.trust LAN Crypt:

Keys for Policy
policy_blob: Policy XML or XML.bz2 file as Base64-encoded string.
policy_url: URL to a policy XML or XML.bz2 file.

Keys for User Certificate / P12 file
usercert_blob: Certificate PKCS-12 file as Base64-encoded string.
usercert_url: URL to a certificate PKCS-12 file.

Keys for Security Officer Certificate
admcert_blob: Security Officer Certificate (.cer) file (DER encoded) as Base64-encoded string.
admcert_url: URL to a Security Officer Certificate (.cer) file (DER encoded).

Default Key
default_key_guid: GUID of the key that should be used for encryption of new files. If this is not set, the default encryption key can be selected by the user.

Key for Samba Credentials
smb_username: If one of the policy or user cert settings refers to a SMB location, the user name for the SMB connection can be configured with this key. If the value is not set, the user is asked to enter the user name. The password for the SMB connection has always to be entered by the user, for security reasons there is no management setting for that.

Key for Certificate Validation
cert_validation: Enables the certificate validation. Validation is disabled if setting is missing.

Rules:

• Managed settings cannot be changed or overruled by the user.
• URLs must be hosted on HTTPS servers with a valid SSL certificate. You can verify this by entering the URL in a browser on the mobile device (e.g. Chrome, Safari). If the file can be shown, the URL will also work as configuration value.
• If both BLOB and URL are supported for a setting, the BLOB has priority.
• If the data BLOB or URL of a setting is invalid, an error is shown.
• When using URLs for SMB shares, username and passwords will be ignored (use smb_username instead)(smb://localfileserver/certificates/sepp.p12)
  format: smb://<host>/<share>/<folders>/<filename>
• There are no documented maximum lengths for configuration strings but size of the strings should not be bigger than a few kilobyte.

WARNING - Intune and Base64-encoding of strings for iOS configuration data: When using Microsoft Intune and providing Base64-encoded strings: use XML configuration file format, as strings otherwise are cut by Intune without warning and incomplete data will be pushed to the device.

Open the Utimaco u.trust LAN Crypt for iOS / iPadOS app on your iPhone or iPad. Within the Utimaco u.trust LAN Crypt for iOS / iPadOS app, tap the user icon in the right top corner of the u.trust LAN Crypt Recents screen (file browser), to open the settings. On the right side, next to the policy file tap the Trash icon. Then tap Delete, if you really want to delete your policy file. Tap Cancel, if you do not want to continue deleting your policy file.

Open the Utimaco u.trust LAN Crypt for iOS / iPadOS app on your iPhone or iPad. Within the Utimaco u.trust LAN Crypt for iOS / iPadOS app, tap the user icon in the right top corner of the u.trust LAN Crypt Recents screen (file browser), to open the settings. On the right side, next to the user certificate, tap the Trash icon. Then tap Delete, if you really want to delete your user certificate. Tap Cancel, if you do not want to continue deleting your certificate.

Utimaco u.trust LAN Crypt for iOS / iPadOS provides access to files that are stored locally on the mobile device, or on remote storage systems. The access to remote storage systems (e.g., on OneDrive or Google Drive), via the file browser, is protected by iOS sandbox security. The iOS sandbox security provides protected remote access, over file browsers, that are provided by apps installed on the Apple's device. Thus, a user can, for example, use the Utimaco u.trust LAN Crypt for iOS / iPadOS app to access data stored on OneDrive, provided that the OneDrive app is installed on your device. The access to Google Drive happens in a similar manner, as long as the associated app is installed on the mobile device.

How to access encrypted data?

There are various ways how you can access files using your iPhone or iPad. This can be done within the Utimaco u.trust LAN Crypt for iOS / iPadOS app via the file browser or from there via a proprietary app for cloud storage (such as OneDrive). The first release of Utimaco u.trust LAN Crypt for iOS / iPadOS could only read encrypted files that are accessed by the users. With this version of Utimaco u.trust LAN Crypt for iOS / iPadOS you can also encrypt files. Users can use their preferred apps to modify files, e.g. Microsoft Office can be used to edit documents, presentations, and spreadsheets. The document preview has a button Edit that can be used to forward a file to a third party app.

You can display the encryption information of a file as follows:

in the Utimaco u.trust LAN Crypt for iOS / iPadOS app, long-press a file. The context menu appears, including an option Encryption info.

Note: This option is only available if Utimaco u.trust LAN Crypt for iOS / iPadOS is ready to be used, i.e. a policy file is loaded.

Selecting the Encryption info option opens a view displaying file information including encryption information. A badge icon in the right top corner of the thumbnail indicates if a file can be opened:

• green checkmark: The file is encrypted and can be accessed.
• gray checkmark: The file is plain and can be accessed.
• red x-mark: The file is encrypted and can not be accessed (the key is not available or the used encryption algorithm is not supported on mobile).

The file name, type and size are shown below the thumbnail.

The Information section shows detailed information:

• Encryption state: Indicating if the file is encrypted or not.
• Key: The name of the key used for encryption (only shown for encrypted files).
• Key Id: The GUID of the key used for encryption (only shown for encrypted files).
• Key available: Indicating if the key is available in the policy (only shown for encrypted files).
• Supported on mobile: Indicating if the used encryption algorithm is supported on the device (only shown for encrypted files where the algorithm is not supported).

To open an encrypted file, use the Utimaco u.trust LAN Crypt app, browse to the location that contains the encrypted file and tap the file to open it. This file is then opened and decrypted directly via the integrated viewer of the Utimaco u.trust LAN Crypt app on your iPhone or iPad. For this purpose, Utimaco u.trust LAN Crypt for iOS / iPadOS uses Apple's QuickLook framework. All files always remain in the secure sandbox of the Utimaco u.trust LAN Crypt app when displayed and are therefore always optimally protected. On the storage location itself, however, this file remains encrypted. All encryption and decryption processes only occur on the mobile Apple device itself.

Note: The QuickLook framework for iOS has limited editing support for certain file types:
PDF and image files: Mark-up support. Tap the pen-tip icon in the navigation bar when viewing the file.
Video files: Rotation and Trimming support. Tap the rotate or trim button in the navigation bar when viewing the file.
Tapping the Done button saves the changes back to the original file.

Edit files with Third-Party Apps

1. Tap the Edit button in the document preview.
2. Document preview is closed and the iOS share screen comes up. Select your application of choice.
3. The third party app comes up and presents the document. Work with the app as usual.
4. When the third party app writes the changes, Utimaco u.trust LAN Crypt for iOS / iPadOS makes sure that the changes are written to the original location, e.g. being uploaded to a cloud storage provider.

Utimaco u.trust LAN Crypt for iOS / iPadOS has a Verbose Logging feature. The usage of this feature is only intended for error analysis and should only be enabled if you encounter any errors or issues with the Utimaco u.trust LAN Crypt for iOS / iPadOS app.

Verbose Logging

Open the Utimaco u.trust LAN Crypt for iOS / iPadOS app on your iPhone oder iPad. Within the Utimaco u.trust LAN Crypt for IOS / iPadOS app, tap the user icon in the right top corner of the u.trust LAN Crypt Recents screen (file browser), to open the settings. Move the slider to the right to enable the Verbose Logging feature. The Verbose Logging feature ist enabled once the area around the slider button ist colored green. Take the necessary steps to reproduce the error, to create the log files.

Note: In no case will the log files reveal sensitive information!

Send Logs

By using the Send Logs feature, you can send the log files, for analysis purposes, to the Utimaco support team by e-mail. To send the log files, tap the "Share icon", that appears to the right of Send Logs. Then select the app you use for your email communication. The log file will be attached as a compressed file (.zip) and sent to the team at support@Utimaco.de.

To disable the Verbose Logging feature, move the slide button back to the left. When the Verbose Logging feature is disabled, the area around the slider button is gray.

To access technical support for Utimaco products do the following:

All maintenance contract customers can access further information and/or knowledge base items at the following link https://support.hsm.utimaco.com/home.

As a maintenance contract customer, send an email to technical support using the support@Utimaco.de email address and let us know the exact version number, operating system and patch level of your Utimaco software and, if applicable, a detailed description of any error messages you receive or applicable knowledge base items.