If the machine belongs to someone in customer service, you may only need to worry about the loss of the equipment. If the machine belongs to your CEO, CFO, or the head of human resources, important company data could be compromised. Encryption software can often prevent a loss of sensitive data, but is it right for all desktops or is that security overkill?
I think the answer to this question is, it depends. Let's take a closer look at PC encryption in general and five encryption software options.
Deciding when to use encryption
When determining whether your desktops and/or laptops need encryption software, consider file location, file type, and file sensitivity.
- File location
If your organisation stores highly sensitive data only on network servers, neither your desktops nor laptops likely need encryption software. Depending on the encryption software used, encrypted data can be difficult if not impossible to recover if the PC's operating system crashes. To avoid catastrophe in the event of such a failure, you should completely back up encrypted PCs on a regular schedule. This effort can be quite time-consuming if you're dealing with a large number of encrypted desktops and/or laptops.
However, if your organisation must store sensitive data on desktops and/or laptops, you should take a second look at the encryption software I'll discuss below. I believe it's always appropriate to encrypt sensitive data stored on a laptop. Laptops generally travel out of the office, so unless the data is encrypted, it could be easily compromised if the laptop were lost or stolen.
- File type
Not all files can or should be encrypted. For example, you usually can't encrypt an operating system, nor can you perform partition-level encryption on a partition that contains operating system files. This is because during the early phases of the boot process, the operating system is unaware of any encryption software (even if the encryption software is part of the operating system, as in the case of Windows 2000). Encrypted operating system files would therefore be unreadable, making the system unbootable.
- File sensitivity
Consider the files' sensitivity and only encrypt those files that could cause significant damage to your organisation if exposed to a competitor or made public. A few examples include human resource records, financial statements, legal department documents, and sales figures. When deciding which files to encrypt, I recommend enlisting the aid of senior management and your organisation's legal department.
PC encryption options
If you decide that your organisation needs to encrypt data on its desktops and/or laptops, you have several options. Both Windows 2000 and XP offer file encryption capabilities via the encrypting file system (EFS). While I'm very fond of EFS, plenty of third-party products are available for encrypting PC files.
Below are descriptions of several desktop encryption products. Keep in mind that the products are not ranked in any order and a spot on this list is not an endorsement of any particular product. There is little difference between encryption products, aside from key size.
Virtual Matrix Encryption
Meganet Corporation claims its Virtual Matrix Encryption (VME) products are unbreakable forms of desktop encryption. In fact, the company claims that the encryption is so secure that it is giving a Ferrari 360 to the first person to break into an encrypted file. The VME software uses 1,048,576-bit symmetric key encryption in conjunction with a series of virtual matrices. The large encryption key makes this type of encryption much more resistant to brute force attacks than similar products, such as EFS, which relies on a mere 128-bit key.
Virtual Matrix Encryption comes in several flavors, but the version most suitable for enterprise laptops and desktops is VME 2000. Its base price is US$100 per copy for individual licenses. Corporate solutions are available if you contact Meganet Corporation directly.
CHAOS
Another encryption product is CHAOS. Unlike Virtual Matrix Encryption, which costs a hundred bucks, the entry-level version of CHAOS (ABC CHAOS) is free. There are also versions of CHAOS that encrypt e-mail and compress and then encrypt files. These alternate versions are available from the CHAOS Web site for around $40 to $60 each. Although CHAOS is based on a public key infrastructure (PKI), I was unable to find any information on CHAOS key strength on the Web site.
CipherPack
Although CipherPack from VIO Systems Limited is geared toward secure file transmission, it can also be used for desktop file security. CipherPack is a symmetric, multikey encryption product with a maximum key size of 120 bits. There's also a Pro version of the software based on the SHA-1 and AES encryption algorithms.
Rather than simply applying encryption to a folder as other products do, CipherPack creates an archive file containing all of the encrypted files. Because of this, CipherPack is an ideal solution for securely distributing software over the Internet. The recipient doesn't even need a copy of CipherPack because the compressed file also contains decryption software. The recipient must simply enter the encryption key to launch the decryption process. CipherPack costs about $40 for the standard version and about $60 for the professional version.
ImageX
ImageX is an innovative product from TopLang Software Studio. Any file you want to encrypt is encrypted and embedded into a JPEG file. That way, whether you need to send the file to someone or you just want to hide a file on your PC, the file appears to be a JPEG. If someone tries to open the file without using the ImageX software, they will see only a picture. The only hint that there's more to the picture than meets the eye is the file size. TopLang's Web site offers a freeware version of ImageX and a full version is available for $18. The full version requires users to enter some credentials before the JPEG's underlying data file is revealed and allowed to be decrypted.
Encryption Plus Folders
Encryption Plus Folders, from PC Guardian, is similar to the encrypting file system that comes with Windows in that it allows users to encrypt and decrypt data on the fly without having to do anything other than logging in. The software uses a 192-bit, block-based cipher algorithm.
The software's ability to encrypt the contents of multiple folders and support multiple users is also a nice touch. Encryption Plus even contains a password recovery module so you can't accidentally lock a folder permanently. You can also use Encryption Plus Folders on removable media.
A single license for Encryption Plus Folders costs about $100. An enterprise version that offers centralised administration is also available. The minimum order for the enterprise edition is 50 licenses. For pricing information, contact PC Guardian directly.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2001 TechRepublic, Inc.









I am horribly disappointed in your article "Protect your PCs with these encryption options." In fact EVERY program listed there is considered to be snake-oil (http://srd.yahoo.com/srst/19624941/snake-oil+faq/1/1/T=1028147464/F=9178a13b36bc079c1a7145a7f59b5418/*http://www.interhack.net/people/cmcurtin/snake-oil-faq.html for more information).
I'll go through them one at a time, to point out the exact statements that get them listed as snake-oil.
Virtual Matrix Encryption
The real problem is their insistence on using proprietary encryption. They claim this makes it more secure. The truth is that history is very pointed on this, hiding the encryption affects nothing, and means only that the algorithm has not been thoroughly analyzed. As to their refusal to reveal their algorithm, and misplaced belief that it cannot be found out, search the sci.crypt newsgroup archive and cypherpunks archive, you'll find the source code.
Chaos
Again has the same problem, proprietary, unanalyzed ciphers, which means that there is an extreme likelihood of security failure. In addition Chaos makes some extremely bad recommendations for security. In fact quoting from http://www.inresgroup.com/about.htm, "Do not forget the password! For example, write it down on sheet paper and put this sheet paper into a safe place." Which most people will be able to tell you is an extremely bad idea. Again 100% pure snake-oil.
CipherPack
The professional version appears to actually be a functional security product, of course I haven't actually examined it, all of these can be declared snake-oil purely based on their advertising. However the standard version of CipherPack uses a proprietary algorithm, and as with all the others is declared snake-oil. Since the "professional" version is written by the same people that believe that their proprietary, unexamined algorithm is secure, I doubt they have the skills necessary to implement a system that is truly secure.
ImageX isn't even an encryption program. It is a steganography program, and an apparently rudimentary one at that. They (falsely) claim that the attackers will believe the file is "only a picture," they fail to mention that the attacker will become rather suspicious when you send the same picture of your dog 50 times, and each time it is slightly different. And their crowning achievement in making the purest of snake-oil (exceeding even the 100% mark simply for their stupidity) "For registered users, the ImageX files created by ImageX will include the User ID to prevent others to extract it," (http://www.toplang.com/imagex.htm) which is so bad it is not even worth laughing at. However reading on I am forced to add some credibility to the individuals developing the product, even if they have developed 100+% snake-oil "And, the Registered user can ask for Support, if you have some files binded to ImageX files, and you can not extract it(this case is infrequent cause of the ImageX software is very stable), you can ask us to help you." (http://www.toplang.com/imagex.htm) So they at least realize that it is in fact snake-oil.
The last and most hilarious one is:
Encryption Plus Folders
This is not even good enough to be called snake-oil. Their protection (I won't even call it encryption) method is extremely simple, they encrypt using a system key (this may even be the same across all systems), then they save an access-control-list, which they depend on to restrict access, as opposed to using something like encryption. The password you enter is stored in the most rudimentary ways, and easily altered. Basically this one is the absolute worst of the bunch, and will never offer anyone any level of real security.
If you want real security there are actual solutions. There is ScramDisk (http://www.scramdisk.clara.net/, no longer supported), DriveCrypt (http://www.drivecrypt.com/drivecrypt.html?reseller=swprf), PGPdisk (no longer sold), E4M (no longer supported), and some others, but always be wary o