What is Utimaco u.trust Data File for Android?
Utimaco u.trust Data File for Android enables users to work with their encrypted data remotely on mobile devices such as smartphones or tablets.
With transparent file encryption on Windows / macOS, Utimaco u.trust Data File enables the secure exchange of confidential data within authorization groups in small, medium and large organizations. Numerous companies, business organizations and the public administration in Germany and worldwide already rely on Utimaco u.trust Data File.
A Security Officer (SO) centrally determines which files and storage locations should be protected by Utimaco u.trust Data File and defines which users are allowed to access specific data by setting one or several encryption rules. For example, the Security Officer (SO) can ensure that all Word documents in a specific file storage path are encrypted by creating an encryption rule on the defined path, e.g. "\\Servername\Files\*.docx". As soon as this rule is transferred to the client computer via a policy file created with the Utimaco u.trust Data File Administration console, all Word documents in this path are encrypted from then on. Additionally, you can combine one or more encryption rules into one encryption profile.
This applies to all files, regardless of where they are stored. You can access all Utimaco u.trust Data File encrypted files, whether they are stored locally, on network storage or on remote storage (e.g. cloud storage). A user can easily access the same Utimaco u.trust Data File encrypted files that are also available on his workstation computer.
This second release of Utimaco u.trust Data File for Android allows the user to access encrypted files and to open, edit and save them. It also extends the usual Utimaco u.trust Data File security infrastructure to mobile devices by using certificates (.p12 files) and policy files (.xml.bz2).
Utimaco u.trust Data File for Android version 2.0 supports Android 11 / 10 / 9 / 8.
Utimaco u.trust Data File for Android is currently available in German and English.
Which Android Versions are supported by u.trust Data File?
Supported encryption algorithms for file encryption
u.trust Data File supports the following encryption algorithms:
- AES-256 Bit (XTS-Mode)
- AES-256 Bit (CBC-Mode)
- AES-128 Bit (XTS-Mode)
- AES-128 Bit (CBC-Mode)
Supported encryption algorithms for Key-Wrapping
u.trust Data File supports the following encryption algorithms for Key-Wrapping:
- 3DES TWO KEY
Note: With Key-Wrapping (default setting), the transport key of the Security Officer data and the user profile data is encrypted with a randomly generated session key using the selected algorithm (AES is used by default). This session key is in turn RSA-encrypted using the public key from the certificate.
Note: Unlike Utimaco u.trust Data File for Windows, u.trust Data File does not support the algorithm "RC2". If the Key-Wrapping for your policy file is set to this algorithm, the policy file cannot be used with u.trust Data File. In that case, you have to change the Key-Wrapping encryption algorithm and choose an algorithm that is supported (e.g., AES-128).
Note: If you are using a security token, please make sure that the middleware you are using also supports the selected Key-Wrapping encryption algorithm. You might need to update the middleware.
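The two-layer wrapping described in the Key-Wrapping note above, shown as an added Java example that is not Utimaco's code. The generated RSA key pair stands in for the user's certificate; the GCM mode, OAEP padding, key sizes and the class name are assumptions, since this page names only the algorithms.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class KeyWrapSketch {
    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();

        // Stand-in for the key pair behind the user's certificate (.p12); constructed here.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072, rng);
        KeyPair user = kpg.generateKeyPair();

        // Constructed sample "transport key" (the secret the policy file protects).
        byte[] transportKey = new byte[32];
        rng.nextBytes(transportKey);

        // 1. Random session key for the selected wrap algorithm (AES here).
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, rng);
        SecretKey session = kg.generateKey();

        // 2. Encrypt the transport key under the session key (GCM mode is an assumption).
        byte[] iv = new byte[12];
        rng.nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, iv));
        byte[] wrappedTransport = aes.doFinal(transportKey);

        // 3. RSA-encrypt the session key with the public key (OAEP is an assumption).
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, user.getPublic());
        byte[] wrappedSession = rsa.wrap(session);

        // Recipient side: private key -> session key -> transport key.
        rsa.init(Cipher.UNWRAP_MODE, user.getPrivate());
        SecretKey recovered = (SecretKey) rsa.unwrap(wrappedSession, "AES", Cipher.SECRET_KEY);
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, iv));
        byte[] out = aes.doFinal(wrappedTransport);

        if (!Arrays.equals(out, transportKey)) throw new IllegalStateException("unwrap mismatch");
        System.out.println("transport key recovered; wrapped session key is "
                + wrappedSession.length + " bytes");
    }
}
```

Only the holder of the private key can recover the session key, which is why a policy file is usable only after the matching certificate key file has been imported.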
For security reasons, please always activate the screen lock on your Android device before using this app. You cannot run u.trust Data File without an activated screen lock. Never use an easy-to-guess password, such as "1234" or "password". Only a strong password can prevent unauthorized access to your confidential data if your device is lost or stolen. In general, Utimaco recommends deleting all App-Data on your Android device if the device is not in use for a longer period of time, or if you exchange your device for a new one (see Delete App-Data).
Note: If you deactivate the screen lock later, u.trust Data File deletes the certificate and the private key file from the certificate storage of your Android device.
Note: Rooted devices are not supported by u.trust Data File.
Tap the gear icon at the bottom of the app to open the settings. The settings are divided into the following sections:
What are Utimaco u.trust Data File Policy files?
A Security Officer (SO) centrally determines which files and storage locations should be protected by Utimaco u.trust Data File and defines which users are allowed to access specific data by setting one or several encryption rules. Each individual encryption rule consists of an encryption path, a key and an encryption algorithm. Utimaco u.trust Data File policy files contain all encryption rules that the user requires in order to work with encrypted data. To use the policy file, the user needs a certificate, which the Utimaco u.trust Data File Security Officer provides as a key file (.p12 file). The key file contains the certificate and the private key of the user. Access to the key file is secured by a password. The user receives the password from the Security Officer.
Before importing the policy file and the key file to the mobile device, both files have to be copied to a location that is accessible by the mobile device. This can be a private folder on OneDrive or a network share. Alternatively, you can copy the key file directly to the storage of the mobile device, by connecting it to the PC via USB or Bluetooth.
Import your policy file
Open the u.trust Data File App on your mobile device. Tap the gear icon at the bottom of the app to open the settings. Click the IMPORT button on the Import Utimaco u.trust Data File policy screen and select the location that contains the policy file. Select the policy file. The policy file will be imported into your mobile device.
Import your certificate (.p12 file)
Open the u.trust Data File App on your mobile device. Tap the gear icon at the bottom of the app to open the settings. In the selection box, click the IMPORT button on the Import user Certificate screen, and choose the location that contains the certificate key file (.p12 file). Tap the certificate key file (.p12), which is indicated by a fingerprint icon. In the dialog box, enter the certificate password that you have received from your Security Officer. Once you have entered the correct password, the certificate and the corresponding private key will be saved to the storage of your Android device.
Note: u.trust Data File 2.0 also supports referencing multiple user certificates in the policy file. To use the policy file, the user must hold, and must have imported, at least one of the certificates that have been issued to him and whose public key is used to encrypt the policy file.
Select the default encryption key
If you want to encrypt new files with u.trust Data File, you must select a default encryption key first.
Open the u.trust Data File App on your mobile device. Tap the gear icon at the bottom of the app to open the settings. There, tap on the Select default encryption key option. All encryption keys available to you are listed in the right window. There, tap on the key that you want to use as the default encryption key. When you encrypt new files, those files are then encrypted with this key.
Note: You can change the default encryption key at any time. New files that you want to encrypt will always be encrypted with the selected default encryption key.
Rolling out policy files and certificates using MDM
In addition to the app, you can use a Mobile Device Management (MDM) solution to import the individual configurations (policy files and certificates) and make the configuration data available to the users. If you don't have a Mobile Device Management (MDM) solution, the configuration data (policy file and certificate) must be imported manually by each user, as described in the Import your certificate section of this document.
Note: If u.trust Data File is rolled out via MDM, the security officer's public certificate (.cer), which was used to sign the policy file, can also be provided on the mobile device in addition to the policy and user certificate. In this case, policy files imported manually by the user are also checked by validating the signature of the Security Officer certificate.
Deleting App Data / resetting u.trust Data File
Resetting u.trust Data File
In u.trust Data File, select the option Delete App-Data in the app settings. This will delete all data stored in the u.trust Data File app, including the policy file, the user certificate and the private key. u.trust Data File will then be reset to factory defaults.
Working with encrypted data
u.trust Data File enables you to access files stored on the device itself (local memory and also data stored on the inserted memory card), on network shares or in the cloud (e.g. on OneDrive or Google Drive). File access via u.trust Data File can be done directly or via the "Storage Access Framework (SAF)" for Android. SAF allows the use of remote access provided by other apps installed on the same device. For example, the Utimaco u.trust Data File app can access the user's data on OneDrive if the OneDrive app is installed. Similarly, access to Google Drive is provided if the associated app is installed on the mobile device, etc.
How to access encrypted data?
As already described in part, files on a mobile device can be accessed in various ways. This can be done via a native file browser app, a proprietary app for cloud storage (such as OneDrive) or – starting with this version – also from within the u.trust Data File app. The first release of u.trust Data File already supports the first two access methods. u.trust Data File 2.0 now contains its own integrated file explorer. This means that (encrypted) files located on a local storage location, in a Windows share or on OneDrive's cloud storage can now also be accessed directly via the dashboard. You can also use the file explorer to see the encryption status of the files displayed there. If a file is marked with a green key symbol, it means that the file is encrypted and that you have the necessary key to open and edit this file. A red key symbol, on the other hand, means that the file is encrypted by Utimaco u.trust Data File, but you do not have the key required to open or edit this file.
Open files via the Utimaco u.trust Data File app, edit them and save them encrypted
To edit files, you can also load them directly from the Utimaco u.trust Data File app into any other app via the Open context menu. You can then edit the files. When you save them, they are automatically encrypted by u.trust Data File.
Note: For editing Office documents, Utimaco recommends using the open source and free app "Collabora Office". This is based on LibreOffice, which is one of the best-known and most popular open source office applications worldwide.
To open an encrypted file, tap on Open file. In the file browser go to the location that contains the encrypted file you want to view. Tap the encrypted file and choose which app you want to use to open the encrypted file (e.g., Collabora Office). The file will be opened in the chosen application and displayed in a decrypted state. The file itself will remain encrypted at all times in the source location. All encryption and decryption steps take place on the Android device directly.
u.trust Data File has a Verbose Logging feature. This feature is intended only for error analysis and should only be activated if you encounter any errors or problems with the u.trust Data File app.
The Verbose Logging feature can be activated or deactivated at any time in the settings of the u.trust Data File app. To activate Verbose Logging, open u.trust Data File on your device. Tap the gear icon at the bottom of the app to open the settings. Activate Verbose Logging by moving its slider to the right. The logging feature will be displayed as activated (red color). Then take the necessary steps to reproduce the error so that the log files are created.
Send logs feature
By using the Send Logs feature you can send the log files for analysis purposes to the Utimaco support team by email. To send the log files, tap the Send Logs button and open the app that you use for email communication. The log files will be attached and you can send them to firstname.lastname@example.org.
To disable the Verbose Logging feature, move the slide button back to the left.
To access technical support for Utimaco products do the following:
All maintenance contract customers can access further information and/or knowledge base items at the following link https://support.hsm.utimaco.com/home
As a maintenance contract customer, send an email to technical support using the email@example.com email address and let us know the exact version number, operating system and patch level of your Utimaco software and, if applicable, a detailed description of any error messages you receive or applicable knowledge base items.