Endpoint Encryption

  • 1.  Encrypting Large Volume of Data

    Posted Jul 24, 2013 12:10 PM

    We have been using PGP Desktop / Netshare to encrypt sensitive data for several years.  The volume of shared data (on an AD member server) and the number of installed desktop clients (XP/Win7) is steadily growing and we have begun to experience serious performance issues whenever we have to re-encrypt.  With close to half a Terabyte of data, re-encrypting the shared folder takes so long it has to be done overnight.   We do not have PGP Universal Server (now Symantec Encryption Management Server), although this is under consideration for next year.    As more business units realize the need for encryption, we will easily be into multiple terabytes within a couple of years.  Building on what we already have, is there a better, more efficient way to encrypt large volumes of data?   Thanks.



  • 2.  RE: Encrypting Large Volume of Data

    Posted Jul 25, 2013 04:09 AM

    I'm confused.


    Do you decrypt the entire shared folder for the day's activities then encrypt it again when everyone is done with it?

    You should be decrypting on the endpoint machine on the fly for each individual file access, unless I have misunderstood?



  • 3.  RE: Encrypting Large Volume of Data

    Posted Jul 25, 2013 03:13 PM

    Alex, sorry, it appears I may have been inarticulate.  Our encrypted data resides in shared network folders; there are no PGP components installed on the host server.   We do not decrypt and encrypt the entire shared folder daily; clients who have been given rights to access an encrypted shared folder and have the PGP Desktop suite (includes Netshare) installed on their workstations can access the decrypted content of individual files as needed - or on the fly as you put it.   So far, this part has not been a problem. Where we are having difficulty is applying the public key of a new client to an encrypted folder.  This requires the entire folder to be re-encrypted and that process takes many hours to complete.  The same is true if we need to remove an existing public key when revoking access. I suspect the bulk of the processing is being done on the workstation with a corresponding increase in traffic to and from the server. 

    Because the volume of data is growing rapidly (and half a TB really isn't that much these days) and the number of clients is likely to increase dramatically as other business units come on board, if we keep doing things the same way our problem can only get worse.

    There must be a more efficient way for us to re-encrypt our shared folders when needed.  I mentioned that we are considering the Symantec Encryption Management Server if this will take the processing load off the endpoints.  Hope this helps clarify my original post.  Thanks.



  • 4.  RE: Encrypting Large Volume of Data

    Posted Jul 26, 2013 06:27 AM

    OK, let me understand your scenario:


    You have a (seemingly) public facing fileshare that is encrypted.

    You add more people to it on a semi-regular basis

    In order to add the keys of new users to be able to access it, you're having to re-encrypt.


    Well, from my knowledge of netshare, if you add a user to an encrypted folder, it has to be re-encrypted, I cannot see a way around that.  So the next question would be do all these users need access to all the information in this share?  Can it be segregated to slow down these encryption times?

    The management server does not offer a lot in terms of the NetShare product, it's much more orientated around email and full disk encryption, the fileshare folder is still very much endpoint heavy.


    You could install the product on the fileserver itself, which will offload processing power and will eliminate any network traffic.



  • 5.  RE: Encrypting Large Volume of Data

    Posted Jul 26, 2013 08:10 AM

    You may want to consider using NetShare Group Keys:

    PGP NetShare group keys. A single key that is shared by a group of users and is used to encrypt or decrypt PGP NetShare-protected files and folders. The single group key reduces the overhead associated with encrypting a file/folder to a large number of keys. Any member of the group associated with the key can access protected folders/files encrypted to that group key. Group membership for the group key is controlled by your PGP Universal Server administrator and is used with Active Directory. PGP Desktop for Windows only.



  • 6.  RE: Encrypting Large Volume of Data

    Posted Jul 30, 2013 07:37 AM

    The NetShare Group Key, as described above, was designed to accomplish this.  Does it sufficiently address your concern?



  • 7.  RE: Encrypting Large Volume of Data

    Posted Jul 31, 2013 11:12 AM

    Sorry for the time lag - I was enjoying a couple of days off.  The group key as described above would seem to address the need to frequently re-encrypt shared folders as project staff come and go, but I would have to see it in action to know if it solves our issue completely, and we would need the PGP Universal Server / Symantec Encryption Management Server to implement it - something we don't have at the moment, but will have to budget for next year (reading further, ADKs would also be useful in our environment...).

    Having said that, even using a group key does not seem to address the textbook answer for encrypting large volumes of data efficiently.  Unless I have misunderstood, the common theme seems to be to use symmetric cryptography to protect the data while asymmetrically encrypting the shared key, something PGP NetShare apparently wasn't designed to do.

    Thanks!



  • 8.  RE: Encrypting Large Volume of Data
    Best Answer

    Posted Jul 31, 2013 11:42 AM

    Unless I have misunderstood, the common theme seems to be to use symmetric cryptography to protect the data while asymmetrically encrypting the shared key, something PGP NetShare apparently wasn't designed to do.

    I'm puzzled by this.  NetShare (now Symantec FileShare) continues to use public key encryption.  The data in the protected folder is symmetrically encrypted to a 256 bit AES key, and it is the symmetric AES key that is asymmetrically encrypted to the public key of each of the authorized users of that protected folder.  It is the asymmetric encryption that slows this process.  Sharing an asymmetric public/private group key is the way to mitigate the long time that would otherwise be required to encrypt the symmetric key to a very large amount of public keys.
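
    The hybrid layout Tom describes, as an added example in Go that is not part of this thread or of the NetShare product: a folder's content is sealed once under a random AES-256 data key, that key is wrapped with RSA-OAEP to each member's public key, and a member's endpoint unwraps it on the fly. The member names and sample content are constructed, and the RSA key pairs stand in for users' PGP keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Folder models the scheme Tom describes: content encrypted once under a random
// AES-256 data key (DEK); only the DEK is RSA-OAEP wrapped, once per member key.
type Folder struct {
	Nonce, Ciphertext []byte
	Wrapped           map[string][]byte // member name -> wrapped DEK
}
// newMember stands in for a user's PGP key pair (constructed for the example).
func newMember() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}
func aead(dek []byte) cipher.AEAD { // AES-256-GCM; a 32-byte key cannot fail
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal is the bulk (slow) step: all content is encrypted under a fresh DEK.
func seal(plaintext []byte) (*Folder, []byte) {
	dek, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(dek)
	rand.Read(nonce) // a nonce must never repeat under the same DEK
	ct := aead(dek).Seal(nil, nonce, plaintext, nil)
	return &Folder{nonce, ct, map[string][]byte{}}, dek
}
// grant costs one RSA operation per file and leaves the ciphertext untouched.
func (f *Folder) grant(name string, pub *rsa.PublicKey, dek []byte) error {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err == nil {
		f.Wrapped[name] = w
	}
	return err
}
// open is the on-the-fly endpoint path: unwrap the DEK, then decrypt.
func (f *Folder) open(name string, priv *rsa.PrivateKey) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, f.Wrapped[name], nil)
	if err != nil { // no wrapped copy for this name, or the wrong private key
		return nil, err
	}
	return aead(dek).Open(nil, f.Nonce, f.Ciphertext, nil)
}
```

    A group key is the same trick one level up: the DEK is wrapped once to a key pair the whole AD group holds, so a grant is a single RSA operation per file instead of one per member. Removing a member still means calling seal again under a new DEK, since a departed user may have cached the old one; that is the bulk re-encryption the thread runs into.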



  • 9.  RE: Encrypting Large Volume of Data

    Posted Jul 31, 2013 01:19 PM

    Tom, it appears I was labouring under a misapprehension about what was happening under the hood.  After reading your concise explanation of the encryption process I now know where I went wrong and have a much better understanding of how things actually work.  Thank you for taking an old sock back to school!  I now feel a lot more confident about the acquisition of the encryption management server and implementing group keys.