PGP Questions

Posted on 2011-04-28
Last Modified: 2012-05-11
Hello all,
I am a newbie at PGP and have a few questions and am not sure which zone to put this question under.
I know that in a HIPAA compliant environment you want to have PGP on both the client and the server in a LAN area so that communication between the client and the server is encrypted.
My questions, for a HIPAA facility, are:
1)  Does PGP create an overhead on the PCs that makes the PCs slow?
2)  I know that Symantec has PGP software.  Is there any other PGP software out there that works well?
3)  What if you have a client that just has PCs with no file server on their LAN? Does PGP software work the same, and is it worth it to have it on those PCs?
Kelly W.
Question by: K_Wilke
    LVL 38

    Expert Comment

    by: Rich Rumble
    PGP is a suite of encryption tools. PGP started out doing encrypted email; PGP does not do network encryption itself, it encrypts the data in an email before it is sent. Encrypted network communications are typically done via tunneling, VPN or dedicated encryption gateways. If you send a PGP email to someone without a PGP client, they will not be able to read the encrypted email. Emails can also be signed with a hash that can be used to verify whether the message has been tampered with, but signing does not prevent anyone from reading it.
    There are other encryption suites and solutions. Cisco has an encrypted email solution that is superior to PGP in that it does not require the exchange of public keys, and it does not require an email client or 3rd-party software to understand any encryption.
    Even if using whole-disk encryption, if you copy a file to a server that does not have encryption, the file is plain-text/not encrypted when sent to its destination. This also applies, technically, when sending between two computers that do have disk encryption... the data on the wire is plain-text, but is written to the disk as encrypted data.
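The two points in the comment above (a signature lets the recipient detect tampering but hides nothing, while encryption to a public key makes the message unreadable to anyone without the matching private key) can be seen in a few lines of code. The block below is an added example, not code from the original thread or from PGP/Symantec. It uses textbook RSA on constructed, tiny primes so it runs with the Python standard library alone; the key sizes and the byte-at-a-time encryption are deliberately toy-grade to keep the arithmetic visible, and real PGP uses large keys, padding and hybrid (symmetric + public-key) encryption.

```python
import hashlib


def make_toy_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (toy sizes, not secure)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (n, e), (n, d)        # (public key, private key)


# Constructed toy keys: the "recipient" and an unrelated "other party".
PUBLIC_KEY, PRIVATE_KEY = make_toy_keypair(1009, 1013)
OTHER_PUBLIC_KEY, OTHER_PRIVATE_KEY = make_toy_keypair(1019, 1021)


def encrypt(plaintext: bytes, public_key) -> list:
    """Encrypt to a public key: only the matching private key can reverse it.

    Toy: each byte is encrypted on its own with no padding, which makes this a
    codebook rather than a real cipher; it is enough to show the key model.
    """
    n, e = public_key
    return [pow(b, e, n) for b in plaintext]


def decrypt(ciphertext: list, private_key) -> list:
    """Apply a private key. With the right key the ints are the original bytes."""
    n, d = private_key
    return [pow(c, d, n) for c in ciphertext]


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message and reduce it into the key's range (toy-sized n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> dict:
    """Sign = hash, then apply the private key to the hash.

    The body travels in the clear next to the signature (like a PGP clearsign).
    """
    n, d = private_key
    return {"body": message, "sig": pow(digest_mod_n(message, n), d, n)}


def verify(signed: dict, public_key) -> bool:
    """Anyone holding the public key can check integrity; nothing is decrypted."""
    n, e = public_key
    return pow(signed["sig"], e, n) == digest_mod_n(signed["body"], n)


def demo() -> dict:
    # Constructed sample message.
    msg = b"Patient 12345: lab results attached"

    signed = sign(msg, PRIVATE_KEY)
    tampered = dict(signed, body=msg.replace(b"12345", b"54321"))

    ct = encrypt(msg, PUBLIC_KEY)

    return {
        # A signed message is still plain text to everyone on the path.
        "signed_message_still_readable": signed["body"] == msg,
        "signature_valid": verify(signed, PUBLIC_KEY),
        # Changing one field invalidates the signature over the original body.
        "tamper_detected": not verify(tampered, PUBLIC_KEY),
        # Encryption: right private key recovers the bytes, another key does not.
        "decrypts_with_right_key": bytes(decrypt(ct, PRIVATE_KEY)) == msg,
        "other_key_recovers_message": decrypt(ct, OTHER_PRIVATE_KEY) == list(msg),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows the split the comment describes: `signature_valid` and `tamper_detected` come out true while the signed body is readable as-is, and the encrypted form only turns back into the message under the intended private key. In a HIPAA setting that is the reason signing alone is not an encryption control: it covers integrity and origin, not confidentiality.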
    LVL 60

    Accepted Solution

    We know that for HIPAA, one of the key factors is protecting the confidentiality and integrity of users' medical information. Simply see the security mechanisms needed to guard against unauthorized access to data: requiring integrity controls and message authentication, with required access controls and/or encryption. For medical data transmitted over a network (which is increasingly common), it applies similarly and needs more event reporting, audit trails, and entity authentication. With that quick brief, we can look at a snapshot of PGP (bought over by Symantec) offerings in this comparison table


    Looking at your queries below:

    1)  Does PGP create an overhead on the PCs that makes the PCs slow?

    - The suite primarily involves encryption/decryption, which you can see as an additional process for data at rest, data in transit and data in progress. There will definitely be some latency from embedding security processes, but the question is how impactful it is to business operations. I will say that the crypto algorithms used, such as AES, have gone through rounds of debate to emerge as one of the secure and efficient mechanisms widely used by most products. The performance cost will not be much in the crypto algorithm but more in how the application leveraging it is coded and designed. Taking full HDD encryption as an example, there is a one-off installation and encryption that would take a while depending on HDD size. There is also the implicit business impact when a system crashes and needs recovery of the backed-up crypto key; these add up to "delays", but as a whole, if it is well planned, it will be part of the business continuity plans, and for daily use the crypto operation is transparent to the user - they improve (or compete) on the user experience as well.


    2)  I know that Symantec has PGP software.  Is there any other PGP software out there that works well?

    - There is the well-known TrueCrypt that you should check out; the (probably) only major deterrent is the Enterprise support for centralised management. If not, it has been around and fulfils full HDD encryption, and provides portable and on-the-fly support. There is a file volume encryption for pre-allocated secure storage mapping so that all data resides in there (if the user has discipline for that). Of course it is not that perfect, since it is free source, e.g. it does not perform file encryption etc.

    - For other solutions you may want to explore in the IT security space, you can check out the link summary. You may want to explore commercial players such as McAfee Endpoint Encryption, Check Point Full Disk Encryption, and even Microsoft has BitLocker (HDD encryption) and its EFS (file/folder encryption). But note that EFS does not protect information over the network (only at the endpoint), unless using WebDAV.


    3)  What if you have a client that just has PCs with no file server on their LAN? Does PGP software work the same, and is it worth it to have it on those PCs?

    - Yes, it works the same way. Endpoints go for whole-hard-disk encryption, and for servers it is the channel encryption and multi-user sharing that we are concerned with, which can be handled by NetShare and the Enterprise suite. Typically it needs to be defense in depth, with layers of protection established to secure the information - hence the terms data at rest, data in transit and data in progress (memory).

    Hope it helps.
    LVL 6

    Author Closing Comment

    Exactly what I was looking for... thank you.