
Encrypting Large Volume of Data

Created: 24 Jul 2013 • Updated: 31 Jul 2013 | 8 comments

We have been using PGP Desktop / Netshare to encrypt sensitive data for several years.  The volume of shared data (on an AD member server) and the number of installed desktop clients (XP/Win7) is steadily growing and we have begun to experience serious performance issues whenever we have to re-encrypt.  With close to half a Terabyte of data, re-encrypting the shared folder takes so long it has to be done overnight.   We do not have PGP Universal Server (now Symantec Encryption Management Server), although this is under consideration for next year.    As more business units realize the need for encryption, we will easily be into multiple terabytes within a couple of years.  Building on what we already have, is there a better, more efficient way to encrypt large volumes of data?   Thanks.


Alex_CST:

I'm confused.

Do you decrypt the entire shared folder for the day's activities then encrypt it again when everyone is done with it?

You should be decrypting on the endpoint machine on the fly for each individual file access, unless I have misunderstood?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

CISSPGraeme:

Alex, sorry, it appears I may have been inarticulate.  Our encrypted data resides in shared network folders; there are no PGP components installed on the host server.   We do not decrypt and encrypt the entire shared folder daily; clients who have been given rights to access an encrypted shared folder and have the PGP Desktop suite (includes Netshare) installed on their workstations can access the decrypted content of individual files as needed - or on the fly as you put it.   So far, this part has not been a problem. Where we are having difficulty is applying the public key of a new client to an encrypted folder.  This requires the entire folder to be re-encrypted and that process takes many hours to complete.  The same is true if we need to remove an existing public key when revoking access. I suspect the bulk of the processing is being done on the workstation with a corresponding increase in traffic to and from the server.

Because the volume of data is growing rapidly (and half a TB really isn't that much these days) and the number of clients is likely to increase dramatically as other business units come on board, if we keep doing things the same way our problem can only get worse.

There must be a more efficient way for us to re-encrypt our shared folders when needed.  I mentioned that we are considering the Symantec Encryption Management Server if this will take the processing load off the endpoints.  Hope this helps clarify my original post.  Thanks.

Alex_CST:

OK, let me understand your scenario:

1. You have a (seemingly) public facing fileshare that is encrypted.
2. You add more people to it on a semi-regular basis.
3. In order to add the keys of new users to be able to access it, you're having to re-encrypt.

Well, from my knowledge of netshare, if you add a user to an encrypted folder, it has to be re-encrypted, I cannot see a way around that.  So the next question would be do all these users need access to all the information in this share?  Can it be segregated to slow down these encryption times?

The management server does not offer a lot in terms of the NetShare product, it's much more orientated around email and full disk encryption, the fileshare folder is still very much endpoint heavy.

You could install the product on the fileserver itself, which will offload processing power and will eliminate any network traffic.


Tom Mc:

You may want to consider using NetShare Group Keys:

PGP NetShare group keys. A single key that is shared by a group of users and is used to encrypt or decrypt PGP NetShare-protected files and folders. The single group key reduces the overhead associated with encrypting a file/folder to a large number of keys. Any member of the group associated with the key can access protected folders/files encrypted to that group key. Group membership for the group key is controlled by your PGP Universal Server administrator and is used with Active Directory. PGP Desktop for Windows only.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

Tom Mc:

The NetShare Group Key, as described above, was designed to accomplish this.  Does it sufficiently address your concern?


CISSPGraeme:

Sorry for the time lag - I was enjoying a couple of days off.  The group key as described above would seem to address the need to frequently re-encrypt shared folders as project staff come and go, but I would have to see it in action to know if it solves our issue completely, and we would need the PGP Universal Server / Symantec Encryption Management Server to implement it - something we don't have at the moment, but will have to budget for next year (reading further, ADKs would also be useful in our environment...).

Having said that, even using a group key does not seem to address the textbook answer for encrypting large volumes of data efficiently.  Unless I have misunderstood, the common theme seems to be to use symmetric cryptography to protect the data while asymmetrically encrypting the shared key, something PGP NetShare apparently wasn't designed to do.

Thanks!

Tom Mc:

> Unless I have misunderstood, the common theme seems to be to use symmetric cryptography to protect the data while asymmetrically encrypting the shared key, something PGP NetShare apparently wasn't designed to do.

I'm puzzled by this.  NetShare (now Symantec FileShare) continues to use public key encryption.  The data in the protected folder is symmetrically encrypted to a 256-bit AES key, and it is the symmetric AES key that is asymmetrically encrypted to the public key of each of the authorized users of that protected folder.  It is the asymmetric encryption that slows this process.  Sharing an asymmetric public/private group key is the way to mitigate the long time that would otherwise be required to encrypt the symmetric key to a very large number of public keys.

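The split Tom Mc describes (bulk data under one 256-bit AES key, that key encrypted to each authorised public key, and a shared group key to cut the number of asymmetric operations) is easier to reason about with the costs made explicit. The Go program below is an added illustration written for this thread; it is not NetShare/FileShare code and it does not reproduce what NetShare writes to disk. AES-GCM and RSA-OAEP are assumed for the two layers (the thread names no modes), the recipient names and the folder contents are constructed sample values, and the two counters on `Folder` record how many full passes over the data and how many per-recipient key operations each step costs. In this model, granting a user is one key wrap with no pass over the data, revoking a user forces a fresh data key and therefore a full pass plus a re-wrap to everyone left (the same asymmetry between adding and removing that the original poster reports), and a single group key reduces the per-user wraps to one, with membership then handled outside the folder, as the group key description above puts it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Folder models a protected folder as Tom Mc describes it: contents encrypted once
// under a random 256-bit AES key, and only that data key encrypted asymmetrically,
// once per recipient. AES-GCM and RSA-OAEP are assumptions, not NetShare's modes.
type Folder struct {
	nonce, ciphertext []byte
	wrapped           map[string][]byte // recipient name -> wrapped data key
	BulkEncryptions   int               // full passes over the contents (the slow part)
	KeyWraps          int               // asymmetric operations, one per recipient
}

func aead(key []byte) cipher.AEAD { // key is always 32 bytes, so neither call can fail
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrap encrypts the data key to one recipient's public key and counts the operation.
func (f *Folder) wrap(name string, pub *rsa.PublicKey, key []byte) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return err
	}
	f.wrapped[name] = ct
	f.KeyWraps++
	return nil
}

func (f *Folder) unwrap(name string, priv *rsa.PrivateKey) ([]byte, error) {
	ct, ok := f.wrapped[name]
	if !ok {
		return nil, fmt.Errorf("%s is not a recipient of this folder", name)
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
}

// Protect draws a fresh data key, makes one bulk pass, then wraps the key per recipient.
func (f *Folder) Protect(plaintext []byte, recipients map[string]*rsa.PublicKey) error {
	key := make([]byte, 32) // AES-256, as in the thread; rand.Read cannot fail on Go 1.24+
	rand.Read(key)
	f.nonce = make([]byte, 12)
	rand.Read(f.nonce)
	f.ciphertext = aead(key).Seal(nil, f.nonce, plaintext, nil)
	f.BulkEncryptions++
	f.wrapped = map[string][]byte{}
	for name, pub := range recipients {
		if err := f.wrap(name, pub, key); err != nil {
			return err
		}
	}
	return nil
}

// Open is the per-access path on an authorised workstation: unwrap, then decrypt.
func (f *Folder) Open(name string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := f.unwrap(name, priv)
	if err != nil {
		return nil, err
	}
	return aead(key).Open(nil, f.nonce, f.ciphertext, nil)
}

// Grant adds a recipient with one key wrap and no bulk pass: an existing
// recipient recovers the data key and re-wraps it to the newcomer's public key.
func (f *Folder) Grant(by string, byPriv *rsa.PrivateKey, name string, pub *rsa.PublicKey) error {
	key, err := f.unwrap(by, byPriv)
	if err != nil {
		return err
	}
	return f.wrap(name, pub, key)
}

// Rekey is the expensive direction when revoking access: the removed user may have
// cached the old data key, so a fresh key (full bulk pass) is re-wrapped to everyone left.
func (f *Folder) Rekey(by string, byPriv *rsa.PrivateKey, remaining map[string]*rsa.PublicKey) error {
	plaintext, err := f.Open(by, byPriv)
	if err != nil {
		return err
	}
	return f.Protect(plaintext, remaining)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample user
	f := &Folder{}
	if err := f.Protect([]byte("constructed sample folder contents"), map[string]*rsa.PublicKey{"alice": &alice.PublicKey}); err != nil {
		panic(err)
	}
	fmt.Println("bulk passes:", f.BulkEncryptions, "key wraps:", f.KeyWraps)
}
```

Run with `go run` to see the counters for a one-recipient folder. To see the group key effect, protect a folder to a single "project-group" key instead of to every individual: `KeyWraps` stays at 1 no matter how many people the group contains, which is the overhead reduction the group key description above is talking about. The `Rekey` path is the caveat worth keeping in mind when budgeting: a group key makes joining cheap, but removing someone from a group still leaves them holding whatever data key they already unwrapped, so the re-encryption cost moves from "every membership change" to "every revocation you decide must cut off previously cached keys".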

SOLUTION

CISSPGraeme:

Tom, it appears I was labouring under a misapprehension about what was happening under the hood.  After reading your concise explanation of the encryption process I now know where I went wrong and have a much better understanding of how things actually work.  Thank you for taking an old sock back to school!  I now feel a lot more confident about the acquisition of the encryption management server and implementing group keys.