Network Computingwww.networkcomputing.com

The most interesting security administration feature in SecurPC is both distinctive and powerful: emergency unlock software, which requires several different users to provide keys for emergency decryption. It is a strong solution for situations where data is too valuable to risk losing to a forgotten password, for example and too sensitive to entrust to a single emergency key holder. Specifically, the product lets the security administrator split emergency decryption authority among up to 255 trustees. And the administrator determines the threshold number of trustees (for example, any three out of seven) that must enter their passwords and key disks to decrypt a user's files.

The other feature that impressed us was SecurPC's ability to produce self-decrypting executables. This feature, which has been in the SecurPC product for some time, also has been included in recent product releases from Data Fellows, McAfee and Software Shelf (though at the time of this writing only in the European edition of Software Shelf's CONFIDENTIAL). It lets the user send an executable file as an e-mail attachment, so the recipient doesn't have to have the encryption application to decrypt the file; the receiver merely double-clicks on the file and enters the password.

Unfortunately, the product does require you to decrypt data on the drive before you work on it, so SecurPC is less convenient and, arguably, less secure than products like EMD's Armor 97 and Jetico's BestCrypt. SecurPC relies on users to manually reencrypt sensitive data or shut down their machines when the y aren't being used. It lacks some of the adva nced administrative features of Symantec's product and does not contain other bells and whistles in the form of boot-locking, screen-locking or support for multiple user accounts.

Although some of the features of Jetico's and Symantec's products highlight areas where SecurPC could be improved, none of the other products we tested offer RSA's combination of convenience and versatility.

Jetico BestCrypt NP for Windows95
This product stands out for two reasons. First, data on the disk is encrypted at all times, and encryption and decryption are performed on the fly as writes to and from the disk are performed. EMD's Armor 97 was the only other product tested that offered similar functionality. Second, the user password times-out on BestCrypt NP based on keyboard or mouse inactivity, so the user is not inconvenienced by having to continually re-enter passwords. While BestCrypt NP takes no pr izes for administrative features, if you want to provide easy-to-use encryption to a few executives or you have very high security requirements, this product is worth a serious look.

BestCrypt NP stores encrypted data in files, called containers. After double-clicking on a container, the user is prompted for a password. If that password is correct, a virtual drive appears in the Windows Explorer that contains the protected files and folders (it looks like a regular mapped drive). Once the virtual drive is mounted, it behaves like any other drive as far as the user is concerned.

However, as soon as the virtual drive is dismounted, the data is no longer accessible; it is stored in the container file using one of three strong encryption algorithms--128-bit Blowfish, Data Encryption Standard (DES) or the Russian military encryption algorithm GOST. The container approach means encrypted data is readily stored on a network server and easily can be backed up. We compare this favorably with the enc rypted fold er approach taken by EMD in Armor 97, which means that unencrypted files get backed up, the backup application sees the encrypted folder as a regular folder and reads the data into memory--decrypting as it goes--and stores the unencrypted data in the backup file.

BestCrypt NP comes with a secure wiping application, so that after setting up the encrypted storage and moving clear-text files from their old folders, you can erase the remnants of those files from your local drive. If you're very security-conscious, you also can consider the Windows virtual memory swap space and perform regular wipes of the Windows directory or disable virtual memory. You can do that from the performance tab of system-properties after right-clicking on My Computer. But make sure you understand the consequences.