Symantec Endpoint Encryption is a centrally managed software-based platform (with support for Active Directory and now eDirectory) that enables the automated encryption of data on endpoint machines; specifically, on the endpoint's hard drive or removable storage attached to the drive. Three versions of the product are offered: Endpoint Encryption--Removable Storage Edition, which focuses only on the encryption of files on removable disks attached to the workstation (USB drives, FireWire, Flash, etc.); Endpoint Encryption--Full Disk Edition, which encrypts the entire disk of Windows workstations (2000/XP/Vista); and the base Symantec Endpoint Encryption offering which combines both of the other two.
Encryption is transparent to the end user: data is silently encrypted as it is written to the drives and decrypted as it is read from them, with "minimal performance impact" according to the vendor. The Full Disk Edition supports pre-boot authentication (password or Smart Card); i.e., in order to access the data encrypted on the drives, users must supply a password as the system is booting up. It also provides audit logging and single sign-on to the network domain. Multiple users and administrators are supported on each individual machine.
The vendor states that multiple encryption algorithms are supported, including AES-256, and that central policies can be created and enforced on the endpoints. The FIPS 140-2 certified platform itself consists of a central management server (Windows 2003 with .NET 2 and IIS6/ASP.NET) and individual clients that are loaded on the Windows endpoints (2000/XP/Vista).
Other features include support for a "Kiosk" mode, where pre-registration is not required; and a key sharing mechanism that allows for the sharing of access to data files.
New features in the latest product release include support for a larger number of clients, including Novell eDirectory users and non-domain clients; obfuscation of encryption keys stored in DRAM to prevent the reading of the keys via cold-reboot tactics; enhancements to the product's disk recovery utility, allowing admins to repair encrypted drives with corrupt OS or file systems; and support for the creation/use of self-extracting archives.
Symantec Endpoint Encryption is available now; MSRP for the full version (both Removable Storage and Full Disk Encryption) starts at $110/seat.
Contact the vendor for further information.