Encryption algorithms used by PGP Encryption Desktop and PGP Encryption Server and Symantec Endpoint Encryption

Article ID: 180748

Products

Drive Encryption, PGP Command Line, Endpoint Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, Desktop Email Encryption, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

This article outlines the encryption algorithms used by the following products:

* PGP Encryption Desktop (Symantec Encryption Desktop: File Share Encryption, File Encryption, Email Encryption, Virtual Disk)
* PGP Encryption Server (Symantec Encryption Management Server)
* PGP Command Line
* Symantec Endpoint Encryption Client (SEE Client)

Resolution

PGP versions 10.5 and above, as well as Symantec Endpoint Encryption 11.3.1 and above, use AES-256 in CBC mode as the default cipher for Drive Encryption; AES-128 is available if needed. The hashing algorithm is SHA-256.

See the Symantec Encryption Desktop (SED) 10.5.1 User's Guide for details.

The Symantec Endpoint Encryption documentation also discusses this.


Memory Locking Facility:
When PGP Encryption Desktop Drive Encryption is used on a machine, the disk sectors are encrypted. Once the system has been authenticated at preboot, data written to and read from these sectors is encrypted and decrypted on the fly.

While the data is being accessed, a memory locking facility runs behind the scenes to ensure that all encryption keys are stored encrypted in memory and are not accessible.

Randomness of PGP Key Data: PGP keys are generated using proprietary algorithms to ensure that every generated key is unique.
When a PGP key is generated, you can check its fingerprint (thumbprint) or Key ID to confirm that the key is unique.

PGP Encoding Methods
All of the PGP Encryption solutions use OpenPGP standards for encryption.  The encoding methods are PGP/MIME, PGP Partitioned, and PGP-EML. 

This makes PGP Encryption solutions widely compatible with most other solutions that use PGP for maximum interoperability.

PGP Encryption Desktop (Symantec Encryption Desktop) and PGP Command Line use PGP keys and can encrypt with AES-256 when the recipient's key supports it. For backwards compatibility, PGP Encryption Desktop always encrypts to the preferred algorithms specified on the recipient's key. Multiple encryption algorithms are available for this purpose (AES, CAST, TripleDES, IDEA and Twofish), with supported hashes of SHA-2-256, SHA-2-384, SHA-2-512, RIPEMD-160 and SHA-1. Because the key's preferences decide which cipher is used, we always recommend using current keys that list the strongest ciphers, so that the older ciphers are never selected.

Keys generated by the PGP Encryption Server (Symantec Encryption Management Server) also conform to the above standards.

Like the PGP keys used by the PGP Encryption Desktop and PGP Command Line products, keys generated by the PGP Server carry all the capabilities of the strongest algorithms available. A key generated on the PGP Server has all of these attributes by default.
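The paragraph above says that the sender encrypts to the preferred algorithms on the recipient's key, and that a stale key therefore pulls the whole message down to an older cipher. The following is an added example, not Symantec or PGP code, that models that selection. It assumes (these details are not on the page) that each key's preferred ciphers are an ordered list of names as shown in the key properties, that the sender walks its own preference order and picks the first cipher every recipient key also lists, and that TripleDES is the implicit last entry of every list, which is the fallback RFC 4880 section 13.2 requires of every implementation. The key names and preference lists are constructed sample data.

```python
"""Added example (not Symantec/PGP code): why encrypting to one old key
drags a multi-recipient message down to a legacy cipher.

Assumptions, not taken from the article:
  * a key's preferences are an ordered list of cipher names;
  * the sender picks the first cipher in its own order that every
    recipient key also lists;
  * TripleDES is implicitly at the end of every list (RFC 4880 13.2).
"""
from typing import Dict, List, Sequence

# Ciphers the article marks as recommended for PGP Encryption Desktop 10.5+.
RECOMMENDED = {"AES-256", "AES-192", "AES-128"}
FALLBACK = "TripleDES"


def effective_preferences(prefs: Sequence[str]) -> List[str]:
    """A key's stated preference order plus the implicit TripleDES entry."""
    order = list(prefs)
    if FALLBACK not in order:
        order.append(FALLBACK)
    return order


def negotiate_cipher(sender_prefs: Sequence[str],
                     recipient_prefs: Dict[str, Sequence[str]]) -> str:
    """Cipher the sender ends up using for a message to all recipients."""
    accepted = [set(effective_preferences(p)) for p in recipient_prefs.values()]
    for cipher in effective_preferences(sender_prefs):
        if all(cipher in keyset for keyset in accepted):
            return cipher
    return FALLBACK  # not reachable: TripleDES is in every set


def downgrade_report(sender_prefs: Sequence[str],
                     recipient_prefs: Dict[str, Sequence[str]]) -> Dict[str, object]:
    """Name the chosen cipher and the recipient keys that list no AES variant,
    i.e. the keys the article says should be replaced with current ones."""
    chosen = negotiate_cipher(sender_prefs, recipient_prefs)
    stale = sorted(name for name, prefs in recipient_prefs.items()
                   if not RECOMMENDED.intersection(prefs))
    return {"cipher": chosen,
            "recommended": chosen in RECOMMENDED,
            "keys_to_replace": stale}


if __name__ == "__main__":
    # Constructed sample keys: one current key and one generated long ago.
    me = ["AES-256", "AES-192", "AES-128"]
    keys = {"alice-2023": ["AES-256", "AES-192", "AES-128", "CAST"],
            "bob-2004": ["CAST", "IDEA"]}
    print(downgrade_report(me, keys))
```

Run as a script, the sample shows the message to both recipients falling back to TripleDES solely because of the 2004 key, which is the situation the article's recommendation to regenerate old keys is meant to avoid.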

In the screenshot (as of version 10.5), a PGP key was generated on the PGP Encryption Server and then imported into PGP Command Line to view all of the key's details and attributes.

As the screenshot shows, all of the latest ciphers and hashes are available for PGP key encryption by default.

Symantec Endpoint Encryption Removable Media Encryption (RME) uses AES-256 (a 256-bit key).

Both PGP Encryption Desktop 10 and Symantec Endpoint Encryption 11 are NIST certified and comply with current NIST requirements, including strong ciphers for encryption. See the following articles for details:

Symantec Encryption Desktop NIST Certification.

Symantec Endpoint Encryption NIST Certification


PGP Encryption Desktop 10.4.2 and above also use AES-256 for file encryption, as does Symantec File Share Encryption.


Additional information for PGP Encryption Desktop: determining which algorithm is in use
To find out which algorithm was used on a machine that was PGP Whole Disk encrypted, use the pgpwde utility from the command line.

First, navigate to the proper directory:
C:\Program Files\PGP Corporation\PGP Desktop>

If using a 64-bit operating system, the proper directory is:
C:\Program Files (x86)\PGP Corporation\PGP Desktop>

Then run the following command:

pgpwde --status --disk 0 --xml --passphrase "passphrase here"

The following output will appear:

<?xml version="1.0"?>
<pgpwde version="1.0">
  <diskstatus>
    <id>0</id>
    <instrumented>true</instrumented>
    <encryptionprocess>
      <running>false</running>
    </encryptionprocess>
    <sessionkeys>
      <currentkey valid="true" alg="9"/>
      <oldkey valid="false" alg="9"/>
    </sessionkeys>
    <volumes>
      <volume>
        <sectors total="625137664"/>
        <watermark high="625137664"/>
        <id>C</id>
      </volume>
    </volumes>
    <scheme>Partition</scheme>
    <auth>
      <lockout enabled="true"/>
      <failures max="7"/>
      <wdrt used="false"/>
    </auth>
  </diskstatus>
  <version>10.1.2 (Build 50).50</version>
  <timestamp>Mon Nov 14 12:27:24 2011</timestamp>
</pgpwde>


The element <currentkey valid="true" alg="9"/> reports the algorithm of the current session key as alg 9:

Alg 9 corresponds to AES-256.
Alg 7 corresponds to AES-128.
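The following is an added example, not part of the article or of the pgpwde utility, that parses the XML printed by the command above and turns the alg attribute into a cipher name so the result can be checked against a policy. The mapping extends the two values the article gives (9 = AES-256, 7 = AES-128) with the other symmetric-algorithm IDs from RFC 4880 section 9.2 (8 = AES-192, 2 = TripleDES, 3 = CAST5, 1 = IDEA, 10 = Twofish); that pgpwde uses the same registry for ciphers other than AES is an assumption, as is reading the watermark as "encryption complete when it equals the sector count". The embedded sample XML is the article's own output.

```python
"""Added example (not Symantec/PGP code): read `pgpwde --status --disk 0 --xml`
output and report the Drive Encryption cipher in use.

Assumptions, not taken from the article: alg values other than 7 and 9 follow
RFC 4880 section 9.2, and a volume is fully encrypted when its watermark
equals its total sector count.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Sequence

# 7 and 9 are on the page; the rest are RFC 4880 section 9.2 IDs (assumed).
SYMMETRIC_ALG: Dict[int, str] = {
    1: "IDEA", 2: "TripleDES", 3: "CAST5",
    7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish",
}

# Sample output from the article; the passphrase is not part of the output.
SAMPLE_STATUS = """<?xml version="1.0"?>
<pgpwde version="1.0">
  <diskstatus>
    <id>0</id>
    <instrumented>true</instrumented>
    <encryptionprocess>
      <running>false</running>
    </encryptionprocess>
    <sessionkeys>
      <currentkey valid="true" alg="9"/>
      <oldkey valid="false" alg="9"/>
    </sessionkeys>
    <volumes>
      <volume>
        <sectors total="625137664"/>
        <watermark high="625137664"/>
        <id>C</id>
      </volume>
    </volumes>
    <scheme>Partition</scheme>
    <auth>
      <lockout enabled="true"/>
      <failures max="7"/>
      <wdrt used="false"/>
    </auth>
  </diskstatus>
  <version>10.1.2 (Build 50).50</version>
  <timestamp>Mon Nov 14 12:27:24 2011</timestamp>
</pgpwde>"""


def parse_status(xml_text: str) -> Dict[str, object]:
    """Extract the fields an administrator checks from one disk's status."""
    root = ET.fromstring(xml_text)
    disk = root.find("diskstatus")
    if disk is None:
        raise ValueError("no <diskstatus> element in pgpwde output")
    current = disk.find("sessionkeys/currentkey")
    old = disk.find("sessionkeys/oldkey")
    alg_id = int(current.get("alg"))
    volumes = disk.findall("volumes/volume")
    return {
        "disk_id": disk.findtext("id"),
        "instrumented": disk.findtext("instrumented") == "true",
        "encrypting_now": disk.findtext("encryptionprocess/running") == "true",
        "current_alg_id": alg_id,
        "current_cipher": SYMMETRIC_ALG.get(alg_id, f"unknown({alg_id})"),
        "current_key_valid": current.get("valid") == "true",
        "old_key_valid": old is not None and old.get("valid") == "true",
        "volumes": [v.findtext("id") for v in volumes],
        # Assumption: watermark == total sectors means the volume is done.
        "fully_encrypted": all(
            v.find("watermark").get("high") == v.find("sectors").get("total")
            for v in volumes),
        "lockout_enabled": disk.find("auth/lockout").get("enabled") == "true",
        "max_failures": int(disk.find("auth/failures").get("max")),
        "scheme": disk.findtext("scheme"),
        "product_version": root.findtext("version"),
    }


def meets_policy(status: Dict[str, object],
                 allowed: Sequence[str] = ("AES-256", "AES-128")) -> bool:
    """True when the disk is instrumented, fully encrypted, and uses an
    allowed cipher; the default allowed set is what the article names."""
    return bool(status["instrumented"] and status["fully_encrypted"]
                and status["current_cipher"] in allowed)


if __name__ == "__main__":
    s = parse_status(SAMPLE_STATUS)
    print(f"disk {s['disk_id']}: {s['current_cipher']} "
          f"(alg {s['current_alg_id']}), policy ok: {meets_policy(s)}")
```

In practice the XML would come from running the command on the endpoint and capturing its standard output; the checker deliberately treats an unmapped alg value as a policy failure rather than guessing a cipher for it.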


Note:
Older versions of PGP Encryption Desktop used PlumbCFB mode, so to take advantage of the current standards, ensure you are running the latest version of these encryption products.

PGP Encryption products version 10.4 and above are recommended.

SEE 12 is now available and should be used in favor of older versions. However, Symantec Endpoint Encryption 11.3.1 and above are recommended as a minimum.


PGP Key Encryption
The algorithms above generally concern Drive Encryption technologies; PGP keys used for file and email encryption involve additional encryption and hashing algorithms.

PGP Encryption Desktop uses encryption and hashing algorithms that are considered safe and secure.
Caution: Not all third-party encryption software ensures this. Third-party vendors may from time to time use older encryption and hashing algorithms, typically because of outdated software. Symantec recommends using PGP products for both encryption and decryption for the best security and compatibility.

Staying on the latest versions of the software is always recommended so that you continue to use safe and secure encryption and hashing algorithms. When encryption incompatibilities occur, it is typically because of the older algorithms mentioned above. For convenience, the algorithms supported by the latest version of PGP Encryption Desktop (10.5 and above) are listed below:

Supported Ciphers
AES-256 (Recommended)
AES-192 (Recommended)
AES-128 (Recommended)
TripleDES
CAST
IDEA
Twofish

Supported Hashing Algorithms
SHA-2 (256 bits - Recommended)
SHA-2 (384 bits - Recommended)
SHA-2 (512 bits - Recommended)
SHA-1 (not enabled by default)
RIPEMD-160 (Not enabled by default, not recommended, but available for backward compatibility)
MD5 (Fully deprecated, but available for backward compatibility)

Note: DES, MD5, or anything weaker should never be used, and 3DES is generally not recommended at this point. It is advised to disable these ciphers and hashes in the key properties for the best compatibility and security with current-generation encryption products. Reach out to Symantec Encryption Support for further guidance.


Symantec Endpoint Encryption Database:

Symantec Encryption solutions offer a vast array of encryption options. One such option is Drive Encryption, where the entire hard drive is encrypted. Recovery keys are available in case a user is unable to unlock the drive with their password. The recovery keys for Symantec Endpoint Encryption are stored securely in its database: they are encrypted at rest and can be viewed only through a proprietary operation in the Helpdesk Recovery portal, by Help Desk administrators specifically designated for that access and properly authenticated. Strong asymmetric encryption, with a key pair unique to each SEE Management Server installation, protects the recovery keys so that recovery scenarios are handled with the highest security. For more information on Helpdesk Recovery, see our online help file.

Additional Information

Historical Information for EOS Symantec Endpoint Encryption 8.x:

Symantec Endpoint Encryption 8.x also used strong encryption to protect endpoint data at rest. Although this version is no longer supported, it remains a strong application for securing devices. From the SEE 8.x Installation Guide:

Either 128-bit or 256-bit AES encryption strength was allowed for Drive Encryption.


Keywords:
Symantec Encryption Algorithms
PGP Encryption Algorithms
PGP Encryption ciphers