Frequently Asked Questions

How can I encrypt my online storage with HiCrypt™ 2.0?

HiCrypt™ 2.0 requires a network drive for encryption. Many providers offer the option of connecting the online storage as a network drive. However, the following points must be observed.

1) The network drive must be connected directly to the online storage.
Some providers offer their own software to synchronize the online storage with a local folder. Although HiCrypt™ 2.0 offers the option of encrypting network drives that are connected to local shares, this is strongly discouraged with current operating systems. The operating system may access the local folder directly instead of accessing the files via the network drive. With this local access, the files are neither encrypted nor decrypted. The online storage must therefore be connected directly as a network drive so that the encryption with HiCrypt™ 2.0 works reliably.

In the following, we present three providers as examples and provide assistance in setting up their online storage.

1a) Microsoft OneDrive/Sharepoint
There are several steps involved in setting up a network drive to Microsoft’s online storage. In addition to the network drive connection, you must log in to Microsoft 365 and configure the connection as a trusted site in the Internet options. These steps can be automated with a freely available PowerShell script (OnedriveMapper). OnedriveMapper is also available for enterprise use as IAM Cloud Drive Mapper (including support). Both variants are available for download under the following links.

OnedriveMapper: https://www.lieben.nu/liebensraum/onedrivemapper/
IAM Cloud Drive Mapper: https://www.lieben.nu/liebensraum/onedrivemapper/onedrivemapper-cloud/

1b) MagentaCLOUD
To set up the MagentaCLOUD as a network drive, please follow the instructions in the Telekom FAQ.

Telekom FAQ: https://cloud.telekom-dienste.de/hilfe/einrichten/netzlaufwerk-windows

1c) Strato HiDrive
Strato offers several protocols for setting up a network drive for the HiDrive (e.g. WebDAV and CIFS/SMB). Use the protocol that is best for your use case.

Strato FAQ: https://www.strato-hosting.co.uk/faq/online-storage-hidrive/what-are-the-paths-for-sftp-smb-webdav-rsync-etc/

2) The network drive must be empty before it can be encrypted with HiCrypt™ 2.0.
Most online storages already contain data that may not be deleted under certain circumstances. In order to still be able to encrypt the online storage with HiCrypt™ 2.0, simply create a new folder (e.g. “safe”) in it and connect the network drive to this folder. Enter the same path as before as the connection destination for the network drive to be encrypted, followed by a backslash and the name of the newly created folder.

Here is a simple before and after example for Strato:

Before: \\smb3.hidrive.strato.com\root
After: \\smb3.hidrive.strato.com\root\safe

This new network drive is empty and can now be encrypted with HiCrypt™ 2.0 without any problems. Please note that access to the encrypted files only works correctly if you connect the network drive directly to the “safe” folder.

Which algorithm should I select to encrypt my data?

HiCrypt™ 2.0 supports the following encryption algorithms. These algorithms differ in their internal specifics but they are all suitable for data encryption with HiCrypt™ 2.0.

  • AES
  • Blowfish
  • IDEA

By default, HiCrypt™ 2.0 uses AES for encrypting data on network drives because it is the first algorithm in alphabetical order. Keep this preselection if you have no special requirements for the encryption algorithm. If you do have special requirements, please refer to the well-known characteristics of each algorithm to decide which one to use.

Specific information about the encryption algorithms used by HiCrypt™ 2.0 is available on their Wikipedia pages at AES, Blowfish and IDEA.

How can I install HiCrypt™ 2.0 on many computers at the same time?

As we have already described in the technical details of HiCrypt™ 2.0 the installation of HiCrypt™ 2.0 has to be recorded first. Please use the following command line to start the setup in RECORD mode.

HiCrypt.exe -r -f1"C:\Temp\HiCrypt_install.iss"

With this command line the protocol file C:\Temp\HiCrypt_install.iss is created which is required for an automatic installation. Please note that there is NO space between the parameter -f1 and the path.

The automatic installation in the SILENT mode will be done with the following parameters.

HiCrypt.exe -s -f1"C:\Temp\HiCrypt_install.iss"

You have to customize the name of the protocol file and the path.

This way of installation can also be used for uninstalling the software. If required the command line for SILENT execution can be completed with an optional parameter for creating the log file at a user-defined path. The command line would be the following.

HiCrypt.exe -s -f1"C:\Temp\HiCrypt_uninstall.iss" -f2"C:\Temp\HiCrypt_uninstall.log"

Please note again that there is NO space between the parameter -f2 and the path.

Notes:

  • For the installation of HiCrypt™ 2.0 you need to have administrative privileges. This also applies for recording in RECORD mode as well as for the automatic installation in SILENT mode.
  • During the installation in SILENT mode no dialog boxes will be displayed. All required user input will be done automatically by the protocol file in which all required information has been saved during the installation in RECORD mode. In case you have recorded the required restart to finish the installation all computers will be rebooted automatically without any further notice so that all unsaved data could be lost.

Can I encrypt file names with HiCrypt™ 2.0?

No. HiCrypt™ 2.0 does not encrypt file names.

The advantage of that is the comfortable recovery of single files from backup archives. Using container encryption solutions you need to restore the whole container to finally restore one file. With HiCrypt™ 2.0 backups you may browse the backup archives for the file you want to restore and only restore that file. Each backup software will be able to work with HiCrypt™ 2.0-encrypted files. This is particularly an asset in case of using online storages.

For this reason not encrypting file names is a feature for system administrators.

What is the meaning of the files I find on the network drive after encryption?

During the encryption of a network drive HiCrypt™ 2.0 creates three files. These are hidden system files and not visible by default. As soon as you check the option to display hidden files and folders in the folder options of the operating system the files will be visible.

  • .hicrypt.kf
  • hicrypt.bf
  • hicrypt.af

The most important of these files is the key file called “.hicrypt.kf”. All encryption information, including the user permissions, is stored there. It is a protected file, so it is not possible to delete it by mistake. You cannot copy or delete this file.

To allow for data backups, another file called “hicrypt.bf” is created each time the key file changes. It is a copy of the key file “.hicrypt.kf”, but in contrast to the key file it can be copied like any other file, so it can be included in your data backup strategy. When a network drive encrypted with HiCrypt™ 2.0 is restored from a backup, the file “hicrypt.bf” is restored as well. HiCrypt™ 2.0 will notice that the configuration file is missing but that a copy of it is available, and will offer the option to repair the encrypted network drive. During this process the file “.hicrypt.kf” is re-created from the file “hicrypt.bf”.

Attention:
Without having at least one of these two files the decryption of the data on the encrypted network drive is not possible anymore!

The file “hicrypt.af” is a history file where HiCrypt™ 2.0 stores the information about which user is accessing an encrypted network drive at the moment. This information is not available in HiCrypt™ 2.0 but it is used while decrypting a network drive to avoid loss of data.

All information contained in these three files is encrypted and protected against manipulation. All three files are deleted automatically by HiCrypt™ 2.0 when you decrypt your network drive.
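
The following PowerShell script is an added example, not digitronic code. It checks that at least one of the two key files is present on an encrypted drive and archives “hicrypt.bf” to a location outside that drive whenever its content has changed. The parameters $DriveRoot and $BackupDir and the archive file naming are assumptions made for this example.

```powershell
# Added example (not vendor code): keep an off-drive copy of hicrypt.bf current.
# File names come from the FAQ; both parameters are hypothetical paths.
param(
    [Parameter(Mandatory)][string]$DriveRoot,   # root of the encrypted network drive, e.g. 'S:\'
    [Parameter(Mandatory)][string]$BackupDir    # archive folder outside the encrypted drive
)

$keyFile    = Join-Path $DriveRoot '.hicrypt.kf'   # protected key file, cannot be copied
$backupFile = Join-Path $DriveRoot 'hicrypt.bf'    # copyable backup of the key file
$hasKey     = Test-Path -LiteralPath $keyFile
$hasBackup  = Test-Path -LiteralPath $backupFile

# Per the FAQ, losing both files makes decryption impossible: treat as critical.
if (-not $hasKey -and -not $hasBackup) {
    throw "Neither .hicrypt.kf nor hicrypt.bf found under $DriveRoot. Restore hicrypt.bf from backup."
}
if (-not $hasBackup) {
    Write-Warning "hicrypt.bf is missing under $DriveRoot; nothing to archive."
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$liveHash = (Get-FileHash -LiteralPath $backupFile -Algorithm SHA256).Hash

# Archived copies keep the hidden/system attributes, so -Force is needed to list them.
$latest = Get-ChildItem -LiteralPath $BackupDir -Filter 'hicrypt_*.bf' -File -Force |
    Sort-Object Name | Select-Object -Last 1
$latestHash = if ($latest) {
    (Get-FileHash -LiteralPath $latest.FullName -Algorithm SHA256).Hash
} else { $null }

if ($liveHash -ne $latestHash) {
    # hicrypt.bf is rewritten whenever the key file changes, so archive a new version.
    $dest = Join-Path $BackupDir ('hicrypt_{0:yyyyMMdd_HHmmss}.bf' -f (Get-Date))
    Copy-Item -LiteralPath $backupFile -Destination $dest -Force
    if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $liveHash) {
        throw "Archived copy $dest does not match the source file."
    }
    "Archived changed hicrypt.bf as $dest"
} else {
    "Archived copy $($latest.Name) is current."
}
```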

How can I define the users being allowed to use HiCrypt™ 2.0?

By default HiCrypt™ 2.0 starts automatically for all users after logging on to the system. This applies to all users of a workstation.

If several users share the same computer, or if you use a terminal server, then you can limit the user groups that are allowed to use HiCrypt™ 2.0. A value in the Windows Registry defines which user groups are allowed to use HiCrypt™ 2.0.

Please follow the instructions below to give the two example groups “HiCrypt-User” and “HiCrypt-Manager” access to HiCrypt™ 2.0 (you need to have administrative privileges on this computer to proceed).

  • Start the Windows Registry.
  • Open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HiCryptSvc\Parameters and create a “Multi-String-Value” with the name AllowedUserGroups.
  • Enter the two groups “HiCrypt-User” and “HiCrypt-Manager” – each in a separate line. For that use the format for Down Level-Logon-Names (DOMAIN\GroupName) or the UPN format (GroupName@DNSDomainName.com).
  • Reboot the computer for the changes to take effect.

How can I prevent HiCrypt™ 2.0 from being started by users who are not allowed to use the software?

After you have limited the group of users who are allowed to use HiCrypt™ 2.0 as described here, you can use another value in the Windows Registry to prevent HiCrypt™ 2.0 from being started for all non-authorized users.

Please follow the instructions below (you need to have administrative privileges on this computer to proceed).

  • Start the Windows Registry.
  • Open the key HKEY_LOCAL_MACHINE\Software\digitronic\HiCrypt (32bit) or the key
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\digitronic\HiCrypt (64bit) and create a “DWORD-Value (32-Bit)” with the name SilentQuitIfUserIsNotInAllowedGroups.
  • Set its value to 1 to prevent the start of HiCrypt™ 2.0 for users who are not authorized to use HiCrypt™ 2.0.
  • Reboot the computer for the changes to take effect.

Please note: this configuration is available since HiCrypt™ 2.0 version 1.0.7.

How can I avoid that users save their credentials for an encrypted network drive on their workstation?

If you want to prevent your users from saving their HiCrypt™ 2.0 credentials for encrypted network drives, you can deactivate this option.

Please follow the instructions below (you need to have administrative privileges on this computer to proceed).

  • Start the Windows Registry.
  • Open the key HKEY_LOCAL_MACHINE\Software\digitronic\HiCrypt (32bit) or the key
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\digitronic\HiCrypt (64bit) and create a “DWORD-Value (32-Bit)” with the name DisableSaveCredentialOption.
  • Set the value to 1 to hide the option of saving the HiCrypt™ 2.0 credentials.
  • Reboot the computer for the changes to take effect.

Please note: this configuration is available since HiCrypt™ 2.0 version 1.0.8.

How can I prevent users from disconnecting an encrypted network drive with HiCrypt™ 2.0?

If you want to prevent users from disconnecting an encrypted network drive with HiCrypt™ 2.0, you can deactivate this option in the menu.

Please follow the instructions below (you need to have administrative privileges on this computer to proceed).

  • Start the Windows Registry.
  • Open the key HKEY_LOCAL_MACHINE\Software\digitronic\HiCrypt (32bit) or the key
    HKEY_LOCAL_MACHINE\Software\Wow6432Node\digitronic\HiCrypt (64bit) and create a “DWORD-Value (32-Bit)” with the name DisableMenuItemDisconnect.
  • Set its value to 1 to deactivate the option “Disconnect” in the HiCrypt™ 2.0 menu.
  • Reboot the computer for the changes to take effect.

Please note: this configuration is available since HiCrypt™ 2.0 version 1.0.8.

Addition:

The HiCrypt™ 2.0 version 1.1.0 enables hiding this menu item by using a group policy value. This value is located in the Windows Registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and is called NoNetConnectDisconnect.

The corresponding group policy settings can be found at Administrative Templates\Windows Components\Windows Explorer. There the options “Map network drive” and “Disconnect network drive” have to be removed.
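
The following PowerShell script is an added example, not digitronic code. It audits the four registry values from the preceding sections (AllowedUserGroups, SilentQuitIfUserIsNotInAllowedGroups, DisableSaveCredentialOption, DisableMenuItemDisconnect) and sets them only when called with -Apply. The -Apply switch and the EXAMPLE domain prefix are assumptions; the key paths and value names are the ones given above.

```powershell
# Added example (not vendor code): audit or apply the HiCrypt access restrictions.
# Run elevated when using -Apply. Without -Apply nothing is written.
param([switch]$Apply)

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HiCryptSvc\Parameters'
# Per the FAQ: plain Software key on 32-bit Windows, Wow6432Node on 64-bit Windows.
$appKey = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\digitronic\HiCrypt'
} else {
    'HKLM:\SOFTWARE\digitronic\HiCrypt'
}

# EXAMPLE\ is a placeholder domain; the group names are the FAQ's example groups.
$desired = @(
    @{ Path = $svcKey; Name = 'AllowedUserGroups'; Type = 'MultiString'
       Value = @('EXAMPLE\HiCrypt-User', 'EXAMPLE\HiCrypt-Manager') }
    @{ Path = $appKey; Name = 'SilentQuitIfUserIsNotInAllowedGroups'; Type = 'DWord'; Value = 1 }  # since 1.0.7
    @{ Path = $appKey; Name = 'DisableSaveCredentialOption'; Type = 'DWord'; Value = 1 }           # since 1.0.8
    @{ Path = $appKey; Name = 'DisableMenuItemDisconnect'; Type = 'DWord'; Value = 1 }             # since 1.0.8
)

$changed = $false
$report = foreach ($s in $desired) {
    if (-not (Test-Path -Path $s.Path)) {
        # The keys are expected to exist after setup; do not create them where HiCrypt is absent.
        [pscustomobject]@{ Name = $s.Name; State = 'KeyMissing'; Current = $null }
        continue
    }
    $item    = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($item) { $item.($s.Name) } else { $null }
    # Join so that multi-string and DWORD values are compared the same way.
    $ok = ($null -ne $current) -and ((@($current) -join "`n") -eq (@($s.Value) -join "`n"))

    if ($ok) {
        $state = 'Compliant'
    } elseif ($Apply) {
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
        $changed = $true
        $state = 'Set'
    } else {
        $state = 'Drift'
    }
    [pscustomobject]@{ Name = $s.Name; State = $state; Current = (@($current) -join ', ') }
}

$report | Format-Table -AutoSize
if ($changed) {
    Write-Warning 'Values were changed. According to the FAQ a reboot is required for them to take effect.'
}
```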

There is no HiCrypt™ 2.0 connection. What can I do?

The HiCrypt™ 2.0 connection is the connection between the software components of HiCrypt™ 2.0. If this connection can not be established please check the following points.

Was the installation done correctly?

Please check if the installation of HiCrypt™ 2.0 was done correctly. In the easiest case just start the setup for HiCrypt™ 2.0 again and choose the option “Repair”.

AntiVirus software

After you have confirmed that the installation was done correctly, you should check whether your antivirus software is blocking HiCrypt™ 2.0, which would prevent the communication between the individual components of the software. Please temporarily deactivate your antivirus software. If the HiCrypt™ 2.0 connection cannot be established immediately, restart the components of HiCrypt™ 2.0. To do so, first stop the HiCrypt™ 2.0 service and end the process (hcui.exe) in the Windows Task Manager. After that, restart the HiCrypt™ 2.0 service, which will start the application (hcui.exe) automatically.

If you managed to establish the connection with your antivirus software deactivated, you have to configure your antivirus program and add HiCrypt™ 2.0 to the trusted processes which are never to be blocked. Furthermore, you need to check whether your antivirus software supports “auto sandboxing”, where applications are started in a virtual environment. This could be another reason which prevents HiCrypt™ 2.0 from functioning. Please deactivate all such settings so that HiCrypt™ 2.0 is not run in a sandbox.

Firewall

If, despite deactivated antivirus software, it is still not possible to establish a connection to HiCrypt™ 2.0, please check whether your firewall is blocking the HiCrypt™ 2.0 processes.

If you could not solve the problem with these instructions please contact us: support@digitronic.net

How to configure the dialog security settings?

As soon as HiCrypt™ 2.0 detects an encrypted network drive that requires a login, a repair or an update, a corresponding dialog appears. After this dialog is closed, the network drive’s state changes. If valid credentials have been entered, the network drive is accessible. If the dialog has been canceled, or the repair or update message has been confirmed, the network drive is automatically locked by HiCrypt™ 2.0 to prevent access to the secured data.
As long as the dialogs are open, the network drives may be accessed in the background because they are not locked at this moment. An accidental access is then possible. To prevent this scenario, HiCrypt™ 2.0 uses enhanced security options for these dialogs, which were released in version 1.1.0. The user can then no longer do background work while one of those dialogs is open. The settings to individually configure this behaviour are described below.

Please follow the instructions below (you need to have administrative privileges on this computer to proceed).

  • Start the Windows Registry.
  • Open the key HKEY_LOCAL_MACHINE\Software\digitronic\HiCrypt (32bit) or HKEY_LOCAL_MACHINE\Software\Wow6432Node\digitronic\HiCrypt (64bit).
  • Set the value of CredentialDialogSecurityLevel to a decimal value between 0 and 100, to set up the grade of security. 0 means that the enhanced security is deactivated. 100 means maximum security. After installation this value will be set to 50.
  • Enter the English name of a color for the value of CredentialDialogSecurityLevelBackColor. After installation this value will be set to black.
  • Reboot the computer for the changes to take effect.

Please note: this configuration is available since HiCrypt™ 2.0 version 1.1.0.

How can I set a HTTP proxy for online activation of HiCrypt™ 2.0 manually?

During an online activation, HiCrypt™ 2.0 first tries to contact the activation server directly. If this is not successful, then the HTTP proxy setting of the Internet Explorer is used to connect to the activation server. It is possible to explicitly specify the proxy to use for online activation of HiCrypt™ 2.0. In this case the settings of the Internet Explorer are ignored.

Please follow the instructions below (you need to have administrative privileges on this computer to proceed).

  • Start the Windows Registry.
  • Open the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HiCryptSvc\Parameters and create a “String value” with the name UserDefinedProxy.
  • Enter the proxy server and port (e.g. “10.9.8.7:3128”).
  • Perform the online activation.

Please note: this configuration is available since HiCrypt™ 2.0 version 1.2.0.

Office documents are locked, while nobody else is using them. What can I do?

This problem is caused by HiCrypt™ 2.0 together with the details pane in Windows Explorer. The problem is not limited to HiCrypt™ 2.0. There are also known issues with this in other configurations.

To solve the problem, just disable the details pane with the following steps.

  • In Windows Explorer click Organize.
  • Choose Layout.
  • Uncheck Details pane and the details pane is no longer shown in Windows Explorer.

How can I deactivate HiCrypt™ 2.0?

Since version 2.1.0 our software HiCrypt™ 2.0 is equipped with the function “automatic deactivation of active installations”. When HiCrypt™ 2.0 is uninstalled on workstations which should no longer get access to the encrypted data, the number of assigned activations is automatically reset on our license server. Please remember to do this in time, e.g. before shutting down workstations or notebooks on which there are still active HiCrypt™ 2.0 installations, so that the activations can be used for new installations. Only temporary licenses can be deactivated automatically.

You can and should also use this automatic deactivation for older versions of HiCrypt™ 2.0 by updating the older version before uninstalling. For the update, please download the latest version from https://www.hicrypt.com/downloads/. In the setup, select the option “Change” if you are using a version older than version 2.0, or the option “update” if you are using a version larger than 2.0 and smaller than 2.1.0.

To deactivate an activated HiCrypt™ 2.0 installation, simply run the setup and perform the deinstallation. The “Remove” option has been complemented with the description “The license is automatically deactivated”. At the end of the deinstallation (more precisely: before the completion dialog), a message is displayed which provides information about the automatic deactivation.

This message appears when uninstalling, regardless of whether it was successful or not. In addition, the content of the message is also logged in the Windows event log (application) – and in the log file of the setup. All changes made are SILENT-capable. A rollout is therefore not restricted. Of course, this also applies to a deinstallation – even if different results are generated on different computers during deactivation. If a deactivation cannot be carried out automatically (e.g. due to a firewall), you will receive a deactivation key, which is displayed at the end of the deinstallation (and also recorded in the event log). Please send this via e-mail to support@digitronic.net or vertrieb@digitronic.net then the deactivation can be completed by digitronic®.

How can I access an encrypted network drive if I forgot my password?

If a single user has forgotten his/her password, then a manager opens the User Management of the encrypted network drive, deletes this user and re-creates it.

If a manager has forgotten his password, but at least one user has access to the encrypted network drive, this user can copy the data from the drive to a local hard drive. Parallel to this, the administration provides a new, empty network drive. A manager set up there encrypts the new network drive and copies the data back to it.

If none of the users has access to the encrypted network drive, then the recovery key generated during its setup is needed. In this case, too, the administration initially provides a new, empty network drive. After performing the installation of HiCrypt™ 2.0, select the “Restore …” function in the user interface and enter the restoration key during the wizard. Then a new manager is created. When this process is completed, an administrator must copy the encrypted files on the server from the old to the new share. The three files generated by HiCrypt™ 2.0 cannot be copied.

Only if the recovery key generated during the creation of the encrypted network drive has not been exported and kept securely, and at the same time none of the users has access to the encrypted data any more, is there no longer any chance of accessing the data in unencrypted form.

What do I need to do to enable HiCrypt to encrypt network drives that point to Azure Files?

Azure Files support is not active by default. If Azure Files network drives are to be encrypted, the following option must be added to the Windows registry of the HiCrypt client.

Key: HKLM\SYSTEM\CurrentControlSet\Services\HiCryptMFD\Parameters
Name: OmitNonCached4HeaderWrite
Type: DWORD
Value: 1

After a final restart of the HiCrypt client, Azure Files support is active.