PC encryption options
If you decide that your organisation needs to encrypt data on its desktops and/or laptops, you have several options. Both Windows 2000 and XP offer file encryption capabilities via the encrypting file system (EFS). While EFS is fairly good, plenty of third-party products are available for encrypting PC files.
In this feature we look at five packages with a variety of file and communication encryption capabilities.
ComSec Enterprises PrivateCrypto
Want a no-nonsense encryption program that is simple to install and use with very little in the way of bells and whistles? That pretty much sums up PrivateCrypto. The software was delivered to the Lab on a credit card-sized CD, from which the installation is swift with little operator intervention.
The software integrates seamlessly with Windows Explorer, and it's fair to say if you can use Explorer and products like Winzip, then this is no stretch at all.
Want to encrypt a file? Right-click on the file and one of the menu options will be PrivateCrypto. The utility then requests that the user supply a password; you can have different passwords for different recipients. There is an option to create self-extracting files, which is great if the recipient does not have a copy of PrivateCrypto. In addition, the utility can compress the file prior to encryption and, if required, delete the unencrypted original. However, the utility will only encrypt a single file at a time, which is a bit limiting; if you select multiple files at once the PrivateCrypto option is not available. On the other hand, you could turn a group of files into a single Zip file and encrypt that. The encryption scheme is 128-bit AES, so it's quite secure although not as fast as some of the other programs tested. It took 10.8 seconds to encrypt and compress a 5.98MB spreadsheet down to 1.18MB, which is not too shabby.
Elantra EncryptNT
EncryptNT is an Australian disk encryption tool. As the name suggests, the product runs under Windows NT4.0 SP5 and above, and can be used on a single workstation or by multiple users across a network.
The product can encrypt CDs, floppy disks, and backup tapes in addition to disk partitions. We should note that the product can't encrypt the C: drive, since this is the system partition and must remain unencrypted to allow Windows to boot; the software complements Windows security rather than replacing it. The vendor suggests some hardening of the operating system such as relocating the paging file and SAM (Security Accounts Manager) to an encrypted partition. The vendor also claims categorically that there is no back door; if you lose or forget the password, you can kiss your data goodbye.
OK, it's not quite that bad. During installation you create a set of master keys, so should you lose the key or perhaps a disgruntled employee changes the encryption key, you can still restore the data with the master key (which you have obviously kept out of circulation and locked away in the company vault).
The installation procedure, while not difficult, is nevertheless long-winded when compared to some of the other packages. It's a two-step procedure: first install the software and then reboot, log in using your new password, and then configure. And while we are on the subject of login, you'll get stuck at this point until you read the manual and find out the default user name is encryptnt. One strange aspect of the setup process is that you must create a temporary password, which you must then replace a couple of minutes later with a permanent encryption account password.
Two keys are used to generate the master encryption keys; you can choose to generate the keys using the software's own random phrase, random text generators, or use your own.
The software effectively integrates into Windows: if you need to encrypt a partition, right-click on it, select Properties, and you will find an EncryptNT tab. From here, providing you have the rights of course, you can encrypt the partition in DES, IDEA, or Triple DES formats. The initial encryption is not blindingly fast, and even if you only have a small amount of data on the partition it still takes time, as the entire partition must be encrypted. For example, we had a 10GB partition with just 456MB used, and it took our 1.7GHz Dell around 47 minutes to complete the task. Of course once completed, on the test system at least, the saving and retrieving of files from the partition was very fast; the encryption and decryption were quite transparent.
Initially, only the default user has access to the encrypted partitions. Other Windows users can be added and configured from the EncryptNT Settings control panel. Each user can be assigned various levels of rights on different partitions and removable media, and you can grant or deny the ability to change system settings and other users' settings. The user can be disallowed encryption on a particular device, allowed standard encryption, or interchange encryption mode. For each of the three modes, the user can be assigned various read and write access combinations.
Janteknology Encryption Plus Enterprise Edition
Under the Encryption Plus banner falls a suite of programs, each with its own dedicated function: Hard Disk, Folders, CD-ROM, E-mail, and Secure Export. They all use the Blowfish encryption algorithm; the commercial version of the package utilises 192-bit encryption, while the freeware version is only 64-bit. We're pretty sure you can guess what Hard Disk, Folders, CD-ROM, and E-mail do, while Secure Export will encrypt files for secure distribution using media such as floppy drives, tapes, CD-ROMs, and e-mail.
Initial software installation was very simple; all of the software was downloaded from Janteknology's FTP site and the downloaded files can only be unlocked with a registration key provided by the vendor. Once it's installed, you need to provide a master password. Keep this safe, because if you lose it, your encrypted data will not be recoverable. A setup wizard then guides you through the remainder of the process and includes user password management settings, where password lengths and special character restrictions can be enforced.
The administrator has the option to define the export file extension; you can give them EPE or NEX extensions rather than EXE, because many firewalls and e-mail programs will not pass self-extracting EXE files.
Once installed, using the software is quite painless. The export window clearly lays out the destination file name, source file/s, and the encryption password.
The recipient simply runs the EXE file and puts in the password for the file/s to be correctly decrypted.
Encryption Plus Folders is also simple to install, although it requires a reboot to complete the configuration. Interestingly, the software included an Authenti-Check setup step. This allows the user to input three questions to which the user will be the only one to know all three answers. If the password is lost, the user can run Authenti-Check, give the three answers, and put in a new password. Using the software is also a doddle. Running the Folders applet presents the user with a simple button interface that includes changing passwords, adding users, mounting devices, and of course protecting folders. The interface is clean and simple to use, and once the folder has been protected, future access from other applications is as seamless as unprotected folders, providing of course you are a user who has access rights. Each time Windows starts up, the user is asked for a user name and password to identify their access level to the various protected folders. While the installation of the Encryption Plus Hard Disk software is quick and easy, the configuration process is more complex than the other Encryption Plus applications.
Setting up the initial user defaults is a multi-step process, but to be fair, it takes this number of steps because the list of configuration settings is extensive and very useful. There is a very flexible list of settings for user passwords, ranging from required special characters and expiry dates through to lockout counts. Users can be configured to log in to Windows and Encryption Plus as a single-step or two-step process. The final step in the configuration process is arguably the most important and includes the setting of the initial encryption speed. Why? Well, the default setting is fast but of course this will consume more system resources than slow. If your PC isn't that powerful, you may wish to select slow so that your foreground work does not overly suffer while background encryption is occurring.
The software can be configured to encrypt the entire disk, or just the sections with data on them. You can also speed up performance by disabling the software's power loss recovery feature, but this means you may lose data if there is a power loss.
On completion of the user setup, the administration utility creates a setup directory that can be run locally or remotely for each user. This installs the user portion of Encryption Plus Hard Disk. The interface is simple and very easy to navigate, however we found that encrypting our 10GB partition was very slow when compared to EncryptNT. Admittedly the configuration selected was encrypting the entire disk space, as was EncryptNT. While the encryption speed was set to fast, the fact that we had Recovery after Power Loss enabled would not have helped improve on the almost five hours required to encrypt the partition.
McAfee E-Business Server
The name of this product may lead many to believe it's a fully featured e-business package; it isn't. E-Business Server is in fact a tool that integrates into your business processes to provide secure transactions.
In essence, the product has four primary functions: encrypt data, decrypt data, digitally sign data, and verify digitally signed data.
The vendor supplies some example scenarios that are quite illustrative of the use of the product. As an example, a hardware developer may share large design files of confidential data with a chipset manufacturer. Each night the company's server may automatically send the files to the manufacturer's server via FTP.
Admittedly each company will have its own firewall security in place, but while the data is being transmitted over the Internet, it's fair game. E-Business Server encrypts the data with the business partner's public key, thus protecting it from interception. An added benefit of the product is that before it encrypts the data, which may be large CAD files for example, it compresses the files, thus saving on data transfer costs as well.
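Both PrivateCrypto and E-Business Server compress before they encrypt, and the order matters: ciphertext looks random, so compressing after encryption saves nothing. The sketch below is an added illustration, not code from either product; the HMAC-based keystream is a toy stand-in for a real cipher such as AES, and the spreadsheet data and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for a real cipher such as AES; no integrity check)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)                      # fresh nonce per message
    return nonce + keystream_xor(key, nonce, data)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    return encrypt(key, zlib.compress(data, 9))  # the order the products use


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    return zlib.compress(encrypt(key, data), 9)  # wrong order: nothing left to squeeze


def recover(key: bytes, blob: bytes) -> bytes:
    return zlib.decompress(decrypt(key, blob))


def sample_spreadsheet(rows: int = 5000) -> bytes:
    """Constructed CSV rows standing in for a redundant office document."""
    return "".join(
        f"{i % 28 + 1:02d}/01/2003,branch-{i % 7},SKU-{i % 50:04d},{(i * 37) % 1000}.00\n"
        for i in range(rows)
    ).encode()


def compare_orders(key: bytes, data: bytes) -> dict:
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, data)),
    }


if __name__ == "__main__":
    print(compare_orders(b"constructed-key!", sample_spreadsheet()))
```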
The product has a wide range of uses. For instance, it could protect real-time transfer of credit card or point-of-sale data, healthcare provider information such as billing and patient records, in fact any transaction that involves the transfer of sensitive data over the Internet.
Installing the product is relatively straightforward, however to actually use it in a meaningful way, you must access its functions from your existing applications either via the command line interface, Unix Shell scripts, C/C++, CGI scripts, ASP pages, or an optional set of APIs allowing the command set to be added to programming languages such as Visual Basic/COM, Perl, and Java. Platform requirements are quite modest, although we tested the product on a 1.8GHz Pentium 4 with 256MB of memory and so cannot confirm that the minimum requirements are actually usable. However, we can say it was very quick on the test system.
Operating system support is quite good covering Windows NT/2000, some flavours of Linux, Solaris, HP-UX, and AIX.
E-Business Server supports all PGP and x.509 certificates and a very solid collection of encryption algorithms, both symmetrical and public key, in addition to several common hash algorithms.
Network Associates PGP
PGP is an acronym for Pretty Good Privacy which to some may sound a bit too slap dash; a bit of an inconvenience rather than a deterrent. This is certainly not the case; PGP utilises a PKI structure that uses either Diffie-Hellman/DSS encryption, or RSA based on the IDEA algorithm. In the latter case PGP must pay a licence fee to RSA, but the former is free.
Installation of the freeware is relatively simple, and any moderately capable computer user should have no problems. There are a couple of steps that involve selecting which e-mail plug-ins you wish to install, and setting up the key parameters.
To generate an encryption key, the program uses your full name and e-mail address, or any other items you may wish to input at this point. At this stage the user can select the algorithm used, whether or not the key has an expiry date, and the key size, which is configurable between 1024 and 4096 bits.
PGP is actually a small collection of security tools and includes PGPkey, PGPnet, PGPtools, and PGPtray to allow access to the functionality from the system tray. PGPkey is, as the name suggests, a key management tool, with which you can browse key and certificate properties, and send and retrieve keys from a server.
PGPnet is a basic VPN client. With the commercial version, it also includes a personal firewall and intrusion detection software.
The PGPtools interface is a small floating button bar that provides a convenient interface to launch PGPkey as well as encrypt, sign, or encrypt and sign single or multiple files. In addition, the tool bar also provides a useful wipe function that will delete a file and wipe the space it occupied to ensure it cannot be retrieved by disk tools. There's also the freespace wipe button that will clean all the free space on your hard drive, ensuring no recoverable deleted files are lurking.
We found the encryption engine very fast with 6MB files encrypted in just 1.5 seconds and reduced in size to 1.59MB.
The freeware PGP distributed by Network Associates only supports Windows or Mac but there are countless versions of PGP, with various levels of bells and whistles available for just about every platform under the sun. We should note that to use the product commercially, a commercial licence must be obtained from Network Associates.











