Best file encryption for network shares.

What is the best file encryption package available to have multiple users encrypt/decrypt on a network share?

Encrypted volumes are OK; software-based is preferred.  We need a simple, robust package that protects our data from physical theft and intruders and which doesn't stop us from sharing data.

ICCPAuthor Commented:
Thanks for that.

However, I've got a list of URLs as long as my arm.  The problem is figuring out what is best.

I've tried the MS offering, based on the advice of some supposed experts, and it wouldn't work.  I.e., to encrypt, a file had to be decryptable by only one user.  They've sorted this out in Win2003, but it's too recent for our taste.

The expert I'm looking for will have installed file encryption offerings of various flavours in a large variety of locations and will recommend the best based on extensive experience.

Can I make sure of something first?  Are you looking for a VPN rather than general encryption?

More specifically, are you looking to simply secure the network traffic between your systems, or are you looking to do on-the-fly encryption of data on the discs themselves?  Or both?

If it is as simple as a VPN, there are inexpensive hardware devices that can do the job for you, though if you are looking for disc encryption as well, then you are probably looking for software.

Which one are you looking for?

> .. figuring out what is best.
Nobody can tell you; you need to find out yourself.

> .. robust package that protects our data from physical theft ..
Impossible, unless no one has physical access.

If there are several people who need to share access, each needs to know the secret.
If you only have one secret, and need to distribute it to more than one person, you have more than one weak system.

To get closer to what you want, you need something like a PKI, where each person can have their own secret, and each secret can be invalidated (revoked) independently.

I'd suggest PGPDisk, which can use a PKI.
ICCPAuthor Commented:
Thanks for those thoughts guys.

Skytzo - disk encryption only.  Not VPN.  No traffic encryption.

The theory is that system intruders who manage to crack the ACLs will then have to crack the encryption and also - if the server is lifted and carted away, the data will still be protected by encryption.  (Keys need to be stored separate from data.)

ahoffman - I understand that we'll need to test in our environment.  What I'm trying to do is test the best - avoid testing some of the snake oil products available out there and avoid products that experienced experts have found to be wanting.  A question - at how many sites have you personally set up PGPDisk with PKI?

PGP up to 7.1 always had trouble with file locking on shared encrypted files - if this has been fixed at v.8 then I would recommend it highly because of the excellent features for management like trust levels, the ability to customise, admin and enforce client settings, and Additional Decryption Keys.

(me=former PGP implementation consultant)

I have literally just started looking at v.8 so if I see any issues with PGPDisk I will post here.

If you do go for another solution I would be very interested to hear which one...
> .. how many sites have you personally set up PGPDisk with PKI?
none, 'cause my personal opinion is that it is a useless attempt, producing more problems than it resolves (not 'cause of PGP, but 'cause of the nature of the problem).

Do you have a PKI running?
If not, start with it first, 'cause it's the backbone of what I suggested. And it's no fun, not easy, not trivial, not click&type, not for non-gurus, etc. etc.. It's something secure ..
See ferg-o's comment.
Sounds like I'm out of the run for solutions, but I'm listening ..

You may also want to have a look at this:

We partner with these guys - they use a USB token to look after authentication for the encrypted information. Very simple to use - one thing that is a problem with PKI is that you have to store your private key somewhere. By default in PGP it is stored on your hard drive. In that case if one of your staff loses their laptop someone could brute force their key. We are getting into NSA-level technology here but there *is* a risk. With a token you have a PIN for the key - the key stores the complex passwords or certificates.

The last comment reminded me of the Abit secure drive system.  It is a board that sits between your IDE bus and the IDE cable and encrypts all data on the disc.  It uses a usb token to store the key.  Remove the key, and the drive is locked.

Check it out.  As a hardware solution it is faster than disk encryption and probably just as secure, if not more so, due to the entire disc being encrypted.
> .. is that you have to store your private key somehwere.
That's the culprit for any attempt (at least as long as you don't key in the key completely every time it is requested, useless ..)
Also keep in mind that a USB token is as weak as most keys on hard disk; it's just as safe as the passphrase to protect it.
And worse, it's simple to get physical access to it, much simpler than unplugging a hard disk ;-)
Also keep in mind that most OSes have no protection on USB, nor is the USB protocol secure. It's rather simple to write drivers for USB which act as a sniffer on all connected USB devices (sorry, don't have a link handy for this, but experienced people know how to find it ;-)

Sorta like a key logger that records any keys input to a keyboard, or the device, I forget the name, that can capture your screen image from 200 yards away outside your building.

lol..  I think we are in the realm of spy vs spy now.  I think the item above is used to unlock your disk prior to any OS level or device drivers being loaded.
ICCPAuthor Commented:
This is very tricky.  Thanks to all for thoughts.

ferg-o - sounds like you have a good depth of experience with PGP.  Have you ever implemented any of the other products?  I'm trying to get a feel for any comparison that might be implied.

I can imagine problems with file locking.  Network shares seem a problem for a number of products - probably that hardware encryption system included.  We're focussing on software, but if anyone has robust reasons why hardware is "best", would love to hear.

The KeyDrive looks useful with its combo authentication - private key on USB token, PIN also.  A little similar to the RSA one-time password generators.  Presumably they hash the two to get the real key.  So even if someone gets hold of a USB token, there's another factor for further protection and the real key is never stored anywhere (sounds like).  Unfortunately they don't have an office in Australia.  That can't affect the awarding of points in the end though.  I'm just looking for "best".

Key loggers and monitoring devices on hardware are not off the scope of concern, but are way down the list - to be addressed at a later date.  Network intruders and hardware theft are primary concerns for now.

Does anyone know how Eracom compares with PGPDisk as a candidate for "best"?

I have messed about with Calyx - the glue holding that suite together is a bit thin but it has a lot of potential. It also wasn't really integrated with tokens for a few of the encryption aspects. I haven't seen Eracom.

In terms of clients using PGP (I am under non-disclosure for most) effectively you are looking at defense organisations, investment banks etc. While PGP was owned by NAI there were several problems related to building too many features into the products - the VPN/Firewall component was particularly troublesome with some onboard NIC cards (just small manufacturers like Compaq and IBM) but that has now been scrapped.

Some of the key PGP people from NAI formed PGP Corporation which owns it now. They have stripped it back to do what it does really well - disk and mail encryption. I have been running the latest version for the last couple of days and it has caused me no issues - the whole time I was at NAI I used 7.1, just the mail and disk components with no problems.

I have put all my client folders into an encrypted disk on the server and have been running that fine - even over VPN. Also we are now looking at Version 8.0.3 - that makes it a very mature product. It integrates with Aladdin and Rainbow tokens among others. I highly recommend the use of tokens for private key storage.

If you use PGP Admin (if you are to deploy I suggest you buy some services - it is a complex PKI; should you wish to have additional decryption keys or use trusted/meta introducers to decentralise/simplify/automate management then you will need to plan your PKI architecture carefully prior to implementation) then you have a wide variety of enterprise manageability options that have been built into the product as clients have requested them over the years. PGP will work with X.509 certs but you will lose some functionality over using PGP keys (sorta like big certs with more info on them...). The advantage of this is for use in mail encryption - it is easier to use X.509 with other applications.

So my point is in my opinion you cannot go wrong with PGP as long as you use it for what it is designed for and that the design and implementation is thoroughly planned. In my experience it is the best product of its kind on the market for reasons discussed above.

I would be interested to hear about the Eracom stuff if anyone has seen it - from the site it looks interesting..


ICCPAuthor Commented:
Thanks very much ferg-o

You're in the front running.

Anyone with comments on Eracom or any other packages?

Comparisons between products based on field-experience will be well-received.
ICCPAuthor Commented:
ahoffman - I'm interested in your thought that the nature of the problem means that more difficulties are introduced than solved by using disk encryption.

What sort of problems can be expected?
Repeating one of my first sentences:
> If you only have one secret, and need to distribute it to more than one person, you have more than one weak system.
Means that everyone having the key can compromise your data. One key gets stolen, somehow, sometimes, somewhere. That's Murphy's law.
Or imagine that there is one user which does not encrypt with a (shared) key everyone else knows ..

What happens if you have a huge amount of data (some gigs), and you need to change the encryption key ('cause of various reasons)?
It will take a long time to convert all encryptions, besides the double space you need.

ferg-o, I've no experience with PGPDisk on shared media. Where is the driver located? Hopefully on each client trying to use the share.
ICCP, keep in mind that you need to distribute the same software, probably same version, to each client. Some clients then can't participate 'cause there is no driver available.

Just a few of "more" problems (but not saying that it is impossible ;-)

Yep - to the server it is just another file. The individual clients run the PGPDisk software and have the PGPKeys component which looks after unlocking the encrypted file. You can choose to mount it as a directory under an NTFS architecture or make it a drive...
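The key-management shape ahoffman argues for in this thread (each person holds their own secret, which can be revoked on its own, rather than one shared key everyone knows) and the cost he warns about (changing the key on gigabytes of data means re-encrypting all of it) can both be shown in code. The following is an added example written for this page; it is not PGPDisk, Eracom, or any product mentioned here, and it models a share as one blob, not a mounted volume. The bulk data is sealed under a random data encryption key (DEK), and that DEK is wrapped once per user with the user's public key, so adding or revoking a user costs one small RSA operation and leaves the bulk data untouched. The catch the example also demonstrates: revoking a user only removes their wrapped copy; if that user's client had already unwrapped the DEK, the stale DEK keeps working until the DEK is rotated, and rotation is the full re-encryption. The `Share` layout, the user names, and the assumption that a PKI hands out each user's public key are all this example's own; it uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Share: bulk data sealed with AES-256-GCM under a random DEK, plus that DEK wrapped with RSA-OAEP once per user.
type Share struct {
	nonce, ciphertext []byte
	users             map[string]*rsa.PublicKey // stands in for a PKI's key directory
	wrappedDEK        map[string][]byte
}

// DEKs are always 32 bytes here, so a failure below is a bug, not bad input.
func mustGCM(dek []byte) cipher.AEAD {
	block, err := aes.NewCipher(dek)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
func wrapDEK(dek []byte, pub *rsa.PublicKey) []byte {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		panic(err) // impossible for a 32-byte DEK and a 2048-bit key
	}
	return w
}

// seal encrypts plaintext under a fresh DEK and wraps that DEK for every current user.
func (s *Share) seal(plaintext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek) // crypto/rand.Read aborts the process rather than returning an error
	gcm := mustGCM(dek)
	s.nonce = make([]byte, gcm.NonceSize())
	rand.Read(s.nonce)
	s.ciphertext = gcm.Seal(nil, s.nonce, plaintext, nil)
	s.wrappedDEK = map[string][]byte{}
	for name, pub := range s.users {
		s.wrappedDEK[name] = wrapDEK(dek, pub)
	}
}

// NewShare encrypts plaintext for the given users (a non-nil map the share then owns).
func NewShare(plaintext []byte, users map[string]*rsa.PublicKey) *Share {
	s := &Share{users: users}
	s.seal(plaintext)
	return s
}

// UnwrapDEK recovers the DEK with a user's private key; a mounted client keeps it in memory.
func (s *Share) UnwrapDEK(name string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := s.wrappedDEK[name]
	if !ok {
		return nil, fmt.Errorf("no wrapped DEK for user %q", name)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, nil)
}

// DecryptWith decrypts the bulk data with an already-unwrapped DEK; GCM rejects a stale one.
func (s *Share) DecryptWith(dek []byte) ([]byte, error) {
	return mustGCM(dek).Open(nil, s.nonce, s.ciphertext, nil)
}

// Grant admits a user given the DEK an existing member unwrapped: one RSA wrap, no bulk re-encryption.
func (s *Share) Grant(dek []byte, name string, pub *rsa.PublicKey) {
	s.users[name], s.wrappedDEK[name] = pub, wrapDEK(dek, pub)
}

// Revoke deletes a user's wrapped copy; it cannot recall a DEK they unwrapped earlier.
func (s *Share) Revoke(name string) {
	delete(s.users, name)
	delete(s.wrappedDEK, name)
}

// Rotate re-encrypts all bulk data under a new DEK for the remaining users: the costly step.
func (s *Share) Rotate(dek []byte) error {
	plaintext, err := s.DecryptWith(dek)
	if err != nil {
		return err
	}
	s.seal(plaintext)
	return nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	s := NewShare([]byte("constructed sample data"), map[string]*rsa.PublicKey{"alice": &alice.PublicKey})
	dek, _ := s.UnwrapDEK("alice", alice) // what a mounted client holds
	s.Revoke("alice")
	_, stale := s.DecryptWith(dek) // <nil>: revocation alone leaves a cached DEK usable
	fmt.Println("cached DEK after revoke:", stale, "| wrapped copies left:", len(s.wrappedDEK))
}
```

The sequence to try: create the share for alice, have alice unwrap the DEK and `Grant` bob (the ciphertext does not change), `Revoke` bob, and note that a DEK bob's client already unwrapped still opens the data; only `Rotate` (which decrypts and re-encrypts every byte, the same cost as changing the key on a multi-gigabyte volume) makes that stale DEK fail GCM authentication. In a real deployment the wrapped DEKs live beside the data on the share while each private key stays with its owner (on a token, per ferg-o's recommendation), which is what "keys stored separate from data" amounts to.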
ICCPAuthor Commented:
Thanks to all.

Fergo got the points for depth of field experience with disk encryption.

I'm missing the magic guru who's set up disk encryption in 20 flavours at 500 sites, but am appreciative of the help offered here.  The guru may be a myth.

I suspect a full answer to "best disk encryption" would take a heavy-going comparative review.  However, we're hearing PGP from many directions.  We're reading the signs and checking it out.