Desktop encryption made simple
GCN Lab Review | FIPS-certified products help protect data at rest and in transit
Recent high-profile data losses have again raised awareness of the need for encryption in government offices. In a perfect world, every file would be encrypted, and only those authorized to view data would be able to see it. But in real life, encryption takes a robust infrastructure and scales up in price as the number of users increases.
Trying to send files securely opens up yet another can of worms that can be hard for network administrators to put a lid on. It's no wonder important data is often left in the clear.
Tutarus Corp. has, in two complementary products, a solution to address this problem. The first is called SRKFile Desktop, which enables local file encryption without the need for special folders or procedures. The second is called SeraMail Desktop, which automates sending encrypted files or helps protect them at rest. They don't need a certificate or authority server to work, nor do they require users to share passwords.
While an agency would purchase the products separately, the GCN Lab reviewed them together. If you're worried only about local security, though, say on your fleet of notebook PCs, you could get away with just SRKFile, which runs $50 per seat.
We installed SRKFile Desktop on several systems in the lab. Systems had to be running Windows 2000 Professional, XP Home or XP Pro with Service Pack 2. Once installed, SRKFile becomes an option under your Windows Explorer menu. Right-click on any file on your desktop and select the SRKFile Encrypt command. This will lock down the file using FIPS 140-2-certified, 256-bit encryption. The file's icon will change to a little shield to remind you that the file is locked, and no one can open it without the password.
If you need to move files around or share them with other users, though, SRKFile won't help much. That's where SeraMail comes in. SeraMail shares the same easy-to-use interface as SRKFile. The program adds an option to Microsoft Outlook (Version 2002 or higher) and exists independently of the mail server.
When you encrypt a document using SeraMail, there are a couple of extra steps. You need to establish what the program calls a 'relationship' with other users authorized to view the document. When you do this with a new user, your version of SeraMail will perform a handshake with that user. The partnership is then established and will let the two programs generate a unique reference number (which is a random key) between the two devices. Your personal information is not shared with the other device, and you don't get to see theirs. Obviously, both people must have SeraMail running on their systems, so you will need to buy a seat for each user who needs to share encrypted files.
In the GCN Lab, the process worked as advertised. When we sent an encrypted file to a user authorized to see it using SeraMail, the recipient was able to decrypt the file without knowing the password.
What if an authorized recipient's system is stolen or compromised? The file is still encrypted and worthless to the thief. To decrypt it, the receiver needs to enter their personal password, just as when decrypting a file with SRKFile. The fact that an authorized device received the file only gives the end user the right to request that the file be decrypted. Because they're using their own password, they don't need to know the sender's password or use any sort of authentication server. Everything runs from the desktop. You don't even have to e-mail files. They can be dropped onto a File Transfer Protocol site. But you need Outlook to confirm the relationship between the two systems.
If you are worried about nongovernment and overseas users getting their hands on the encryption engine, fear not. Although the product is sold to the public, the public version uses the SRKCrypto encryption engine, while the government version uses a separate engine called Trakron (both are FIPS certified). One engine can not decrypt files created by the other.
Both SRKFile and SeraMail can lock down important files with near unbreakable encryption. And because they do it in a straightforward manner, agencies can employ them fairly easily for OMB-mandated data protection.