On Thu, 20 Aug 1998 03:08:17 GMT Bill Roberts wrote:

I was wondering what the difference between Norton's For Your Eyes only, and PGP Disk is (other than the use of the PGP algorithms, that is). The advertising says that you can encrypt a whole disk at one swell foop. But can you do just one directory? The thing I like about FYEO is that once you sign on, you can access the encrypted files without having to enter your password each time. Is PGP Disk the same, or do I have to enter the password each time I want to access the file? What do I gain from PGP Disk that I don't have with standard PGP?

First, PGP does not use "the PGP algorithms." The only thing it has in common with the version of PGP you're now using is that it's sold by the same company, i.e., Network Associates, Inc. The use of the PGP trademark is simply a marketing ploy, at which NAI excels.

Second, PGPdisk isn't really designed for encrypting single files. Unlike PGP for Personal Privacy, which is a public-key encryption system designed primarily for e-mail, and Your Eyes Only, which is a public-key encryption system intended mainly for use on selected files and folders, PGPdisk is a conventional encryption package better suited for encrypting large quantities of data en masse. It does this by allowing you to create encrypted container files of any size up to your available disk space.

Each container can house any number of individual files or directories. When you mount this file with PGPdisk and the correct passphrase, the file is mapped to a vacant drive letter as a virtual drive, and you can then access all the container's files as if they were unencrypted files on a physical drive. When you dismount the container the encryption-decryption process stops, the virtual drive disappears, and you are left once again with a single large encrypted file that reveals nothing of its contents.

This container-file concept is also used by ScramDisk and BestCrypt NP, the leading alternatives to PGPdisk.

Your inquiry suggests that you may not be familiar with these products, so here's a brief description of them and a very subjective comparison to the package you're now using.

Comparing BestCrypt and PGPdisk
-------------------------------

PGPdisk looks and works much like BestCrypt, though its user interface is simpler and it costs less than half the price of BestCrypt. PGPdisk uses the CAST encryption algorithm; BestCrypt offers a choice of Blowfish and GOST, the former Soviet government's equivalent of DES.

PGPdisk allows container files (from which the virtual drives are created) to be hidden in any directory; BestCrypt requires them to be in a root directory where they could be more easily spotted.

Neither PGPdisk nor BestCrypt's source code has been revealed to the public, so they could contain back doors or weaknesses that would not be apparent to an end-user.

PGPdisk is produced by a large company (Network Associates) that has a poor reputation for supporting its products. BestCrypt is produced by a small Finnish company (Jetico) that seems more responsive to its customers.

BestCrypt is downloadable trialware that you can evaluate free for 30 days. PGPdisk is available only for purchase, either from retailers or direct from Network Associates.

At release level 4.1x, BestCrypt is a mature product and its developers have been admirably aggressive in fixing bugs and providing easy access to upgrades via the Net.

At release level 1.0, PGPdisk is a new product and probably has a few bugs, and I've noticed a few minor ones already. If past history is any indicator, upgrades may be difficult to obtain given Network Associates' apparent disdain for customer service.

ScramDisk vs. BestCrypt & PGPdisk
---------------------------------

IMHO, BestCrypt and PGPdisk's method for opening encrypted container files is simpler, faster, and more elegant than the method used by ScramDisk. However, ScramDisk is a work in progress, and its user interface will undoubtedly improve.

Only ScramDisk's source code is publicly available and thus only its strengths and weaknesses can readily be analyzed and debated by the knowledgeable community of experts who frequent this newsgroup.

Only ScramDisk's design allows multiple encryption algorithms to be added.

Only ScramDisk is free.

----

In actual use, BestCrypt, PGPdisk, and ScramDisk work much the same. First you create and initialize an encrypted container file of sufficient size to hold the files you want to protect. Then you move the files into the container, thereby encrypting them automatically.

One advantage of the container method is that the names of the individual files and folders in the container are not visible until the container is opened with the correct passphrase.

Your Eyes Only doesn't use container files. It encrypts files and folders directly, and this allows anyone to see the names of the encrypted files even when they can't decrypt them. This in itself could lessen security by giving those who are not privy to the information clues as to what the information is.

Another weakness is YEO's key recovery system that allows system administrators to decrypt supposedly "secure" information. I haven't investigated the details of YEO's key-recovery process, but the mere presence of this capability should always raise concerns when maximum security is desired.

---

A disadvantage of the container system is the increased risk of losing large quantities of data due to relatively minor corruption in the container. With YEO's file-based encryption, a corruption in one file will not affect other files. A glitch in a critical part of a container file may render its entire contents unreadable.

Changing the passphrase on a container is also a more daunting prospect. PGPdisk doesn't allow this at all, forcing you instead to create a new container with a new passphrase to which you can then move your old files. While less convenient, this process is far safer than reencrypting the data in-place, as BestCrypt allows. If in-place reencryption is interrupted, perhaps by a power failure, the container may be corrupted beyond repair. This happened to me once, and though BestCrypt is now more robust in this regard, I still consider it risky.

In its latest release, ScramDisk strikes a middle ground by allowing you to change the passphrase for a container without reencrypting the data. While more convenient, this may be less secure, though I understand that a future release will provide reencryption capability.

Your Eyes Only vs. BestCrypt/PGPdisk/Scramdisk
----------------------------------------------

Your Eyes Only offers much the same functionality as the container-based programs I've discussed, but it's more complicated to use because of its orientation toward a multi-user business environment. YEO's public-key encryption system allows anyone to encrypt files for the enterprise without necessarily giving them the keys to decrypt anything. Thus, each encryption cycle may require two separate keys.

IMHO, most people have no need for this level of complexity on their home computers, making BestCrypt, PGPdisk, and ScramDisk better choices because of their transparency and ease of use.

Bottom Line
-----------

PGPdisk's main advantage is simplicity and low price, but it comes from Network Associates, which for many of us is all we need to know <g>. ScramDisk is free but its user interface is not (yet) as refined as the commercial products I've discussed. BestCrypt has a good track record, but it's pricey. All three products use strong encryption algorithms, though only ScramDisk's implementation of these algorithms can be publicly vetted.

And as for Your Eyes Only, I think it's better suited for corporate customers than home users. And frankly, I'd have a hard time trusting YEO given Symantec's history of releasing products with rather weak encryption. It's good that Symantec is finally offering Blowfish as an alternative to the DES algorithm they've relied on in the past, but I wouldn't be surprised if their implementation of Blowfish hasn't been compromised in some way, just as they watered down their implementation of DES by making only a single pass through the data rather than the recommended triple-chain. But that's just my opinion, as is everything else in this post. :)

For more info/downloads:

BestCrypt -- http://www.jetico.sci.fi/bcrypt.htm

PGPdisk -- http://www.mcafeemall.com/mall/mcafee/pgpdiskxfact.html

ScramDisk -- http://www.hertreg.ac.uk/ss/

Your Eyes Only -- http://www-cl-1.symantec.com/yeo/fs_yeo.html

-end-
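
The container trade-offs raised in the post above (changing a passphrase without reencrypting the data, and a small glitch making a whole container unreadable), shown as an added example that is not part of the original post and is not code from any of the products named. It assumes a generic design in which the passphrase only unwraps a data key stored in a header; the header layout, function names and the toy SHA-256 keystream cipher are all constructed for illustration, and the post does not describe any product's real format.

```python
import hashlib, hmac, os

def xor_stream(key, nonce, data):
    # Toy cipher for illustration only: SHA-256 in counter mode as a keystream.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def derive_kek(passphrase, salt):
    # Key-encryption key derived from the passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def make_header(passphrase, data_key):
    # Assumed layout: 16-byte salt | 32-byte wrapped data key | 32-byte MAC.
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    wrapped = xor_stream(kek, salt, data_key)
    return salt + wrapped + hmac.new(kek, wrapped, "sha256").digest()

def open_header(passphrase, header):
    salt, wrapped, tag = header[:16], header[16:48], header[48:]
    kek = derive_kek(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
        raise ValueError("wrong passphrase or damaged header")
    return xor_stream(kek, salt, wrapped)

def change_passphrase(old, new, header):
    # Re-wraps the same data key; the encrypted body is never touched.
    return make_header(new, open_header(old, header))

def opens(passphrase, header):
    try:
        open_header(passphrase, header)
        return True
    except ValueError:
        return False

def demo():
    data_key, nonce = os.urandom(32), os.urandom(16)
    body = xor_stream(data_key, nonce, b"constructed sample file contents")
    old_hdr = make_header("old passphrase", data_key)
    new_hdr = change_passphrase("old passphrase", "new passphrase", old_hdr)
    # A saved copy of the old header plus the old passphrase still yields the key.
    recovered = xor_stream(open_header("old passphrase", old_hdr), nonce, body)
    # One flipped bit in the 80-byte header locks out the whole container.
    damaged = new_hdr[:20] + bytes([new_hdr[20] ^ 1]) + new_hdr[21:]
    return opens("old passphrase", new_hdr), recovered, opens("new passphrase", damaged)

if __name__ == "__main__":
    print(demo())
```

Under this assumed design, revoking a compromised passphrase requires a new data key and a reencrypted body, and a backup copy of the header is what protects against the single-point corruption case.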