SecurePC 2.0: Fast, easy, transparent

Desktop file encryption software is often a lose-lose proposition: It creates an annoying security obstacle for end users to circumvent, and it's a big headache for administrators. However, we found SecurePC 2.0 from RSA Data Security Inc. a win-win data protection solution because it is functionally transparent and easy to manage.

SecurePC is best deployed for mobile users who frequently transport sensitive files on their laptops. However, its simple, speedy symmetric-key architecture limits its scalability when it comes to sharing encrypted information within large, untrusted groups. (Think of all the passwords you would have to remember to share a large number of files with hundreds of users.) We recommend SecurePC 2.0 for organizations that worry that their users' hard drives will fall into the wrong hands but not for administrators looking for more distributed encryption solutions.

SecurePC's functionality is divided between administrator and user. First, the administrator creates policies for users to abide by as well as data recovery safeguards for users who forget their passwords. The customized user preferences then are distributed to users along with software installation executables, either via floppy disk or network share. Administrative and user installations are fast and efficient except for constant interruptions for making floppy disk backups of critical recovery information - a necessary evil to prevent irreversible data locking.

Once the software is installed, users can select from a plethora of manual and automatic file encryption options that are integrated into Microsoft Corp.'s Windows Explorer and are available by clicking the right mouse button. In addition to the context menus, users or administrators can designate AutoCrypt folders that automatically encrypt files deposited there. The folders also are protected by an idle timeout screen lock that is keyed to the same file-decryption password, and there is an optional boot protection that prevents start-up without a password. Even without boot protection enabled, SecurePC requires users to enter a global password to allow passive, automatic file decryption.

The encryption itself is fast and secure, leveraging RSA's RC4 symmetric-key algorithm at 128-bit strength to achieve a claimed throughput of more than 25M per minute on a typical 75 MHz Intel Corp. Pentium PC. We saw tolerable one- or two-second delays between encryption and decryption on a Pentium II system. SecurePC also allows for data recovery because the administrator can configure the distributed software to allow decryption by a user-defined "threshold" number of trustees, each with unique passwords.

The strongest feature of SecurePC is its transparency, but this can be a double-edged sword. While opening encrypted files was virtually the same as before SecurePC was installed, sharing these files with other users over a network was too unfettered. SecurePC does not differentiate between applications accessing the encrypted file locally or from a remote machine, even though the remote machine may lack the encryption key. The documentation notes this limitation and states that SecurePC's shared passphrase technique should be used when others need to read your encrypted data. This allows a user to set a file-decryption password, which must be sent out-of-band to the recipient of an encrypted file. The recipient must use SecurePC to decrypt the file, or senders may optionally elect to make the file a password-protected, self-decrypting Windows executable. Commercial and free implementations of the Pretty Good Privacy public key-based encryption schemes offer more elegant ways to share encrypted data with the added validation of digital signatures, but they generally lack the speed and simplicity of symmetric-key solutions such as SecurePC.

Other minor annoyances included the lack of read-only access bits set on encrypted files, the inability to encrypt and decrypt remote files and folders unless they were mapped to a network drive, and infrequent runtime errors in Windows Explorer following heavy encryption and decryption activity.

-- Scambray analyzes computer security products for InfoWorld and co-writes a weekly security column, "Security Watch," at www.infoworld.com/security.