SecurePC 2.0: Fast, easy, transparent

Desktop file encryption software is often a lose-lose proposition: It creates an annoying security obstacle for end users to circumvent, and it's a big headache for administrators. However, we found SecurePC 2.0 from RSA Data Security Inc. a win-win data protection solution because it is functionally transparent and easy to manage.

SecurePC is best deployed for mobile users who frequently transport sensitive files on their laptops. However, its simple, speedy symmetric-key architecture limits its scalability when it comes to sharing encrypted information within large, untrusted groups. (Think of all the passwords you would have to remember to share a large number of files with hundreds of users.) We recommend SecurePC 2.0 for organizations that worry that their users' hard drives will fall into the wrong hands but not for administrators looking for more distributed encryption solutions.

SecurePC's functionality is divided between administrator and user. First, the administrator creates policies for users to abide by as well as data recovery safeguards for users who forget their passwords. The customized user preferences then are distributed to users along with software installation executables, either via floppy disk or network share. Administrative and user installations are fast and efficient except for constant interruptions for making floppy disk backups of critical recovery information - a necessary evil to prevent irreversible data locking.

Once the software is installed, users can select from a plethora of manual and automatic file encryption options that are integrated into Microsoft Corp.'s Windows Explorer and are available by clicking the right mouse button. In addition to the context menus, users or administrators can designate AutoCrypt folders that automatically encrypt files deposited there. The folders also are protected by an idle timeout screen lock that is keyed to the same file-decryption password, and there is an optional boot protection that prevents start-up without a password. Even without boot protection enabled, SecurePC requires users to enter a global password to allow passive, automatic file decryption.

The encryption itself is fast and secure, leveraging RSA's RC4 symmetric-key algorithm at 128-bit strength to achieve a claimed throughput of more than 25M per minute on a typical 75 MHz Intel Corp. Pentium PC. We saw tolerable one- or two-second delays between encryption and decryption on a Pentium II system. SecurePC also allows for data recovery because the administrator can configure the distributed software to allow decryption by a user-defined "threshold" number of trustees, each with unique passwords.

The strongest feature of SecurePC is its transparency, but this can be a double-edged sword. While opening encrypted files was virtually the same as before SecurePC was installed, sharing these files with other users over a network was too unfettered. SecurePC does not differentiate between applications accessing the encrypted file locally or from a remote machine, even though the remote machine may lack the encryption key. The documentation notes this limitation and states that SecurePC's shared passphrase technique should be used when others need to read your encrypted data. This allows a user to set a file-decryption password, which must be sent out-of-band to the recipient of an encrypted file. The recipient must use SecurePC to decrypt the file, or senders may optionally elect to make the file a password-protected, self-decrypting Windows executable. Commercial and free implementations of the Pretty Good Privacy public key-based encryption schemes offer more elegant ways to share encrypted data with the added validation of digital signatures, but they generally lack the speed and simplicity of symmetric-key solutions such as SecurePC.

Other minor annoyances included the lack of read-only access bits set on encrypted files, the inability to encrypt and decrypt remote files and folders unless they were mapped to a network drive, and infrequent runtime errors in Windows Explorer following heavy encryption and decryption activity.

-- Scambray analyzes computer security products for InfoWorld and co-writes a weekly security column, "Security Watch," at www.infoworld.com/security.
