Quick selection guide (programs for encrypting files and folders). Limitations of BitLocker. Ways to protect data from unauthorized access


Nowadays, small businesses often neglect information security. Large corporations, as a rule, have their own IT departments, substantial technical support and advanced hardware.

Small companies typically rely on consumer software, which can have significant data-security flaws. Yet the information held by a small organization is just as important and needs to be fully protected.

Data encryption is an excellent tool for keeping valuable information safe when sending it over the Internet, backing it up to cloud servers, or carrying it on a laptop that is about to be inspected at an airport.

Encryption prevents anyone other than you and the people you authorize from reading sensitive information. Most programs used on office and home computers have built-in encryption tools. In this article we look at where to find them and how to use them.

A little about passwords

Any discussion of encryption has to begin with a different topic: password strength. Most encryption tools ask you for a password and use it to encrypt the data and to decrypt it when you open it again. If the password is weak, an attacker can guess it and decrypt the file, which defeats the whole purpose of encrypting.

A strong password is at least 10 characters long, and 12 is much better. It should be a random mix of uppercase letters, lowercase letters, digits and symbols. If you find letters easier to remember, use a password of 20 or more characters; that is secure as well.

If you are not sure how strong your password is, the Secure Password Check online utility from Kaspersky will estimate it. Do not type a password you actually use into any online checker, though: test one of the same length and structure instead.
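The two rules above can be put into numbers. The following is an added example, not code from the original article or from Kaspersky: it estimates the search space of a password from its length and the character classes it uses, and checks it against the article's rule. The entropy figure assumes every character was chosen at random, so it says nothing about a password built from dictionary words.

```python
import math
import string

# Character classes the article names; the size of each is the alphabet an
# attacker must cover for that class.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}


def classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def charset_size(password: str) -> int:
    """Alphabet size an attacker has to assume, judging only by the classes present.
    Characters outside the four classes (Cyrillic, spaces, ...) each add one."""
    size = sum(len(CLASSES[name]) for name in classes_used(password))
    others = {c for c in password if not any(c in chars for chars in CLASSES.values())}
    return size + len(others)


def entropy_bits(password: str) -> float:
    """Upper bound on entropy: log2(alphabet ** length). Only meaningful when every
    character was chosen at random; 'correcthorsebatterystaple' is far weaker
    than this number suggests because it is made of dictionary words."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def meets_policy(password: str) -> bool:
    """The article's rule: at least 12 characters drawing on all four classes,
    or at least 20 characters if you prefer something made of letters."""
    if len(password) >= 12 and classes_used(password) == set(CLASSES):
        return True
    return len(password) >= 20


if __name__ == "__main__":
    # Constructed samples, not real passwords.
    for pw in ("password", "Tr0ub4dor&3", "Tr0ub4dor&3xYz!q", "a" * 20):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, policy ok = {meets_policy(pw)}")
```

Worth noticing from the numbers: twenty random lowercase letters (about 94 bits) beat twelve random characters from all four classes (about 79 bits), which is why the article's "20 or more letters" alternative is not a concession.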

Full logical drive encryption

Most Windows users protect their account with a password. That does nothing to protect your data if the computer or the hard drive is stolen: an attacker can read the drive directly by booting another operating system. If you store a lot of confidential data, full disk encryption is the best protection against device theft.

Microsoft's BitLocker tool makes encrypting an entire hard drive very easy, provided two conditions are met:

1. You hold an Ultimate or Enterprise license of Windows 7 or Vista, or a Pro or Enterprise license of Windows 8.

2. Your computer has a TPM (Trusted Platform Module) chip, a dedicated cryptoprocessor that stores and protects the encryption keys.

To check for a TPM, simply start BitLocker: Windows tells you automatically that the module is missing when you try to enable encryption. BitLocker lives under Control Panel -> System and Security -> BitLocker Drive Encryption, or search for "BitLocker" in Windows 8.

In the BitLocker main window, choose "Turn on BitLocker" next to the drive you want to encrypt. (Strictly speaking, BitLocker can also run without a TPM, using a USB startup key, if the Group Policy option "Allow BitLocker without a compatible TPM" under "Require additional authentication at startup" is enabled; but it is the TPM that ties the key to the machine and its boot state.) If your PC does not meet the requirements, you can still encrypt entire partitions with TrueCrypt or DiskCryptor (TrueCrypt is covered in the second part of this article).

Encrypt external hard drives and USB drives

To fully encrypt flash drives and portable hard disks, use BitLocker To Go, which is designed for portable devices. It also needs a Pro or Enterprise license, but a TPM is not required, because the key is protected by a password rather than by the platform.

To encrypt, simply plug in the device, open the BitLocker window and, at the bottom, choose "Turn on BitLocker" next to the icon of the drive.

Internet traffic encryption

Sometimes you need to encrypt your Internet traffic in both directions. On an unprotected Wi-Fi network (at an airport, for example) an attacker on the same network can intercept confidential data leaving your laptop. A VPN prevents this.

A virtual private network creates a protected "tunnel" between your computer and a server operated by a third party. Everything passing through the tunnel, outgoing and incoming, is encrypted and therefore useless to anyone who intercepts it on the local network. Keep in mind what the tunnel does not cover: the VPN provider's server sees the traffic in the clear once it leaves the tunnel, so a VPN protects you from the hotspot, not from the provider; use HTTPS for the sites themselves in any case.

There are now many VPN services with a small monthly fee (Comodo TrustConnect or CyberGhost VPN, for example). You can also set up your own private network for personal or business use. Choosing and configuring a VPN is a lengthy subject, and we will not go into it here.

Encrypting data on cloud servers, such as Dropbox

If you use Dropbox or SugarSync, there is good news: these services encrypt data automatically, both in transit and while it is stored on their servers. Unfortunately, the services also hold the keys needed to decrypt it, which they are required to by law.

If you keep confidential information in an online service, add your own layer of encryption to keep it from prying eyes. The most effective way is to use TrueCrypt to create an encrypted volume directly inside your Dropbox folder; only the container file is uploaded, and the key never leaves your machine. (TrueCrypt's own development ended in 2014; VeraCrypt, described later on this page, is its maintained successor and creates containers in the same way.)

If you want to reach the data from other computers, simply put the portable version of TrueCrypt in your Dropbox storage: in the TrueCrypt installer choose "Extract" and point it at a location inside your online storage.
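What "your own layer of encryption" has to do is easy to state: the key comes from a password only you hold, and the container that sits on the server is authenticated so that a wrong password or a modified file is detected before anything is decrypted. The block below is an added example, not TrueCrypt or VeraCrypt code and not their container format (the "ENCB" tag and the layout are invented here). Python's standard library has no AES, so the block builds a counter-mode keystream from HMAC-SHA256, which is a sound stand-in for AES-CTR in this role; the password-to-key derivation (PBKDF2) and the encrypt-then-MAC structure are the parts worth copying.

```python
import hashlib
import hmac
import os
import struct

MAGIC = b"ENCB"            # hypothetical tag; this is not the TrueCrypt/VeraCrypt format
PBKDF2_ROUNDS = 200_000    # slows down offline password guessing against a stolen container
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (HMAC-SHA256); a stand-in for AES-CTR,
    used only because the standard library has no AES."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def _derive_keys(password: str, salt: bytes):
    """One PBKDF2 run, split into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(password: str, plaintext: bytes) -> bytes:
    """Container layout: MAGIC | salt | nonce | ciphertext | HMAC-SHA256 tag over everything before it."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)   # fresh per container: never reuse a nonce with a key
    enc_key, mac_key = _derive_keys(password, salt)
    header = MAGIC + salt + nonce
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()   # encrypt-then-MAC
    return header + ciphertext + tag


def open_container(password: str, blob: bytes) -> bytes:
    """Check the tag first; a wrong password or any modification raises before
    a single byte is decrypted, so the caller never sees garbage 'plaintext'."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a container")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:HEADER_LEN]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong password or modified container")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample: the file you would drop into the Dropbox folder is `blob`, never `secret`.
    secret = b"Q3 board minutes: acquisition target is ..."
    blob = seal("correct horse battery staple", secret)
    assert open_container("correct horse battery staple", blob) == secret
    print(f"{len(secret)} plaintext bytes -> {len(blob)} container bytes")
```

The salt is stored in the clear on purpose: it only has to make each container's key unique so that one precomputed guessing table cannot attack them all, and the HMAC tag covers it along with the nonce, so an attacker cannot swap either without being caught.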

Based on materials from the PCWorld Internet portal

How to encrypt any data. Part 2...


At present it is practically impossible to guarantee the safety of corporate or personal information held on mail services, personal computers and cloud storage. Mail can be hacked; information on your computer or on a colleague's can be copied by company employees and used for their own purposes. Is there any way to protect it? No company offers a 100% guarantee, but a good step towards keeping your data safe is certainly possible. The usual means is encryption.

Encryption can be symmetric or asymmetric; the only difference is the number of keys used for encryption and decryption. Symmetric encryption uses a single key to encrypt and decrypt. Under the laws of the Russian Federation, without licensing your activity you may use a symmetric key of no more than 56 bits. Asymmetric encryption uses two keys: a public key for encryption and a private key for decryption. For asymmetric encryption, Russian law allows, depending on the algorithm, a maximum key length of 256 bits.

Let's look at some devices for protecting information on removable drives:

  1. DatAshur from the British company iStorage is a flash drive with a keypad on the body. The device encrypts in hardware with AES-256. You get 10 attempts to enter the PIN; after that the data on the device is destroyed. A built-in battery lets you enter the PIN before connecting to the PC.
    Advantages: rugged housing, protection against PIN brute force, data destruction.
    Flaws: it is not clear what happens if the battery runs out; the PIN could be guessed from worn buttons; and someone can simply wipe all of a competitor's data and go unnoticed, which in my opinion is potentially more harmful than the data being copied (although protection against this is possible).
  2. Samurai is a Moscow company; I assume it works with iStorage or its distributors, but it also makes its own products, for example the Samurai Nano Drive. They use 256-bit encryption and release various devices, largely aimed at destroying information.
    Pros and cons are similar to DatAshur.
  3. A cryptographic USB flash/card reader from Milandr with an encryption function lets you encrypt information on microSD cards. The device is built on the company's own processor and looks like an ordinary flash drive.
    Advantages: GOST-89 encryption with a key length of 56 bits (it is not clear from the documentation how GOST-89, which is defined with a 256-bit key, ended up at 56 bits); works with an unlimited number of microSD cards.
    Flaws: the device only works with microSD cards; it is unknown whether stronger encryption algorithms can be switched to.
  4. Key_P1 from Multiclet, a processor developer, is a device for protecting information. Let's look at it in more detail (referred to below as Key_P1).
Key_P1 has three connectors: a USB socket, a USB plug, and a slot for SD cards.

Initial functions of the device (the software will be extended later; see the additional functionality below):

  • protection against modified (spyware) flash drives;
  • encryption of information with DES using a 56-bit key (AES and GOST-89 with 256-bit keys once the corresponding license is obtained; note that 56-bit DES has been brute-forced with purpose-built hardware since 1998 and should be treated as an interim measure);
  • the ability to recover information if the Key_P1 device or the drive is lost;
  • the ability to synchronize keys so that users can share files;
  • display of the time Key_P1 was last disconnected.

A more detailed description of the functions follows later in this article. The encryption keys are stored in the flash memory of the device's processor.
Key_P1 works with an unlimited number of drives and on an unlimited number of personal computers; it is not tied to a specific PC.

Block diagram of the entire system:

Description of the elements of the diagram:

  • the server generates firmware and updates for Key_P1 Manager, the firmware itself, and the Key_P1_for_Windows (or Key_P1_for_Linux) application for the user's drive (flash drive).
  • Key_P1 Manager (software on the OS) updates components, initializes Key_P1, generates the set of keys for Key_P1, and so on.
  • The Key_P1 firmware is the program that runs on the Key_P1 device.
  • The application for the drive, Key_P1_for_Windows (Key_P1_for_Linux), is loaded onto the user's flash drive; it authorizes the user and displays the last time the device was disconnected, on Windows and Linux respectively.

Let's take a closer look at the main functions of the device.

  1. Information is encrypted not with one key but with several (up to 1024). Encryption is done sector by sector for each drive, so a single file can be encrypted with several dozen keys.
  2. Protection against modified drives is achieved by monitoring the service information exchanged through SCSI commands.
  3. Data recovery:
    • Keys are generated by the user on a PC with the Key_P1 Manager program. The manager (here, the user) can make a backup copy of the keys for recovery.
    • Keys are generated by the Key_P1 device itself. In this case the user cannot make a backup copy of the keys.
    • The user can back up the encrypted information.
  4. Key synchronization means producing identical keys for different users from an agreed initial value and a chosen algorithm. Key_P1 can store 50 keys for synchronization, i.e. 50 pairs of an 8-byte label and the key itself. To synchronize keys and start exchanging encrypted files, users need to:
    • agree, by word of mouth, phone call, SMS, e-mail, or writing in the sand, on the initial value for key initialization and on the key generation algorithm;
    • generate the key and assign it a label of no more than 8 characters (bytes);
    • copy the key to the Key_P1 device;
    • exchange encrypted files from any PC: after downloading and installing the software on any "foreign" PC with Key_P1 connected, and after entering the PIN, the user sees the keys with their labels and can encrypt files with the required key for exchange with the other user.
  5. After the program key_p1_for_windows.exe (Windows) or key_p1_for_linux (Linux) is run, Key_P1 displays the time the device was last disconnected, to within two minutes. This lets the user and/or the company's security service establish that an unauthorized disconnection of Key_P1 took place and when, which hampers an attacker and helps to find him.

To start working with the device you need to:

  1. Install the software and download the firmware from the server.
  2. Initialize Key_P1 (install the firmware, set the PIN and PUK codes).
  3. Initialize the drive (it is split into two partitions, an open one and a closed one that is accessible only after entering the PIN).
The PIN entry window looks like this (thumbnail):

Besides the individual version, a corporate version will also be available:

Company employees download the Key_P1 Manager program from a corporate server or from removable media and install it on their OS. They then download the keys generated by the company's security or IT service. Key_P1 and the drive are initialized as in the individual version. Unlike the user version, in the corporate version the head of several departments can choose which department to encrypt files for. The list of departments is compiled by authorized employees of the company.

Within a department, employees can exchange encrypted information by encrypting files with Key_P1 Manager and Key_P1. The enterprise security service can set up different divisions of rights by department (for example, the "Programmers" department may encrypt files for the "Accounting" department). In addition, an enterprise can embed in the device an algorithm for generating one-time passwords for authentication on servers, computers and so on, to increase security and protect commercial and other secrets.
Additional functionality of the device:

  • Mac OS support;
  • Key_P1 can generate one-time passwords for two-factor authentication on servers and various services. Two-factor authentication gives your account extra protection: when you log in you are asked not only for your username and password but also for a unique "verification code". Even if an attacker learns your password, he cannot get into your account without the code;
  • storage of personal data with automatic substitution for authentication in social networks, payment systems and so on;
  • using the device to log on to a PC.

The most interesting item on this list is storing logins and passwords for various resources. The only question is how to make it convenient: substitute the login and password pair automatically, or let the user view them in clear text after entering the PIN, the way Google Chrome does.

Now let's turn to the hardware level of the device.

The main functions of the device are encryption and protection against unauthorized drive operation.

The device offers several ways to encrypt data:

  • encrypt a file on the drive: the file is encrypted not with one random key but, depending on the file size and the drive's sector size (the smallest addressable unit of the drive), with several keys, one per sector;
  • encrypt a file on the PC: the file is encrypted with a key chosen at random on the device, and the device returns the encrypted contents to the PC "wrapped" in a special container that records the number of the key used;
  • encrypt a file for another user: the file is encrypted by the device with a previously generated key that carries a label (for example "colleagues1"), without any container, and the contents are returned to the PC.
The device will also notify the user of a change in file size when an existing file on the drive is replaced by a new one with the same name. A "read-only" mode protects against unauthorized copying of information onto the drive when working on a PC infected with viruses.
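The three modes above, together with the key synchronization from item 4 of the function list, can be modelled end to end. The block below is an added example and not Multiclet's code: the real device keeps its keys in the processor's flash, and neither its cipher nor its sector-to-key mapping is documented on the page, so this uses a SHAKE256-based keystream as a stand-in cipher, derives the key table from one master secret, maps sector i to key i mod n, and carries the key number in an invented "KP1C" container header. The synchronization function shows the property that matters: two parties who share only the initial value and the algorithm obtain the same key, whatever 8-byte label each of them files it under.

```python
import hashlib
import struct

SECTOR = 512                  # bytes; the drive's smallest addressable unit
MAX_KEYS = 1024               # the article's upper bound on the key set
LABEL_LEN = 8                 # the article's label length for shared keys
CONTAINER_MAGIC = b"KP1C"     # invented here; the real container format is not described
NONCE_LEN = 16


def derive_key_table(master: bytes, count: int = MAX_KEYS) -> list:
    """Expand one master secret into `count` independent 256-bit keys.
    Hypothetical: the real device generates and stores its keys in the processor's flash."""
    if not 1 <= count <= MAX_KEYS:
        raise ValueError("key count must be 1..1024")
    return [hashlib.sha256(b"sector-key" + master + struct.pack(">H", i)).digest()
            for i in range(count)]


def key_index_for_sector(sector_no: int, count: int) -> int:
    """Which key encrypts which sector. A plain modulo here; the device's actual
    mapping is not documented."""
    return sector_no % count


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream = SHAKE256(key || nonce), an XOF used as a PRF; stand-in for the
    device's block cipher. XOR is its own inverse, so this both encrypts and decrypts."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def crypt_on_drive(keys: list, drive_id: bytes, data: bytes) -> bytes:
    """'Encrypt a file on the drive': sector i is processed under key i mod n, in
    place, with no container. The nonce binds the keystream to drive and sector."""
    out = bytearray()
    for offset in range(0, len(data), SECTOR):
        sector_no = offset // SECTOR
        key = keys[key_index_for_sector(sector_no, len(keys))]
        nonce = drive_id + struct.pack(">Q", sector_no)
        out += _xor_stream(key, nonce, data[offset:offset + SECTOR])
    return bytes(out)


def encrypt_for_pc(keys: list, key_no: int, nonce: bytes, data: bytes) -> bytes:
    """'Encrypt a file on the PC': one key (chosen at random by the device), the
    result wrapped in a container that records the key number."""
    if not 0 <= key_no < len(keys) or len(nonce) != NONCE_LEN:
        raise ValueError("bad key number or nonce")
    header = CONTAINER_MAGIC + struct.pack(">H", key_no) + nonce
    return header + _xor_stream(keys[key_no], nonce, data)


def decrypt_for_pc(keys: list, blob: bytes) -> bytes:
    """Read the key number back out of the container and undo encrypt_for_pc."""
    hdr = len(CONTAINER_MAGIC) + 2 + NONCE_LEN
    if len(blob) < hdr or blob[:4] != CONTAINER_MAGIC:
        raise ValueError("not a Key_P1-style container")
    key_no = struct.unpack(">H", blob[4:6])[0]
    if key_no >= len(keys):
        raise ValueError("container refers to a key this device does not hold")
    return _xor_stream(keys[key_no], blob[6:hdr], blob[hdr:])


def sync_key(initial_value: bytes, label: str) -> tuple:
    """Key synchronization: both users feed the agreed initial value into the agreed
    algorithm (PBKDF2 here) and file the result under a label of at most 8 bytes.
    The label is only a name; it does not enter the derivation."""
    lbl = label.encode("utf-8")
    if not lbl or len(lbl) > LABEL_LEN:
        raise ValueError("label must be 1..8 bytes")
    return lbl, hashlib.pbkdf2_hmac("sha256", initial_value, b"key_p1-sync", 100_000)


if __name__ == "__main__":
    keys = derive_key_table(b"constructed master secret", 64)
    file_data = bytes(range(256)) * 5                     # 1280 bytes = 3 sectors
    on_drive = crypt_on_drive(keys, b"drive01", file_data)
    assert crypt_on_drive(keys, b"drive01", on_drive) == file_data
    print("sectors 0..2 use keys", [key_index_for_sector(i, len(keys)) for i in range(3)])
```

One thing the model makes visible that the page does not mention: with a per-sector key and a nonce fixed by drive and sector number, writing new contents to the same sector reuses the keystream, so anyone who sees both versions learns the XOR of old and new data. Disk encryption proper uses a tweakable block-cipher mode such as XTS for exactly this reason, and the real device's cipher mode, which the page does not document, is what decides whether it has the same weakness.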

To cut off spy devices, Key_P1 filters the service commands sent to drives, which protects the drive against infection by a hardware virus, and analyses the descriptor table the drive presents; on that basis it blocks drives that try to present themselves to the PC as a composite device (a keyboard and a drive, for example) or as anything other than a drive.
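The descriptor check just described is a small parser over a well-known format. The following is an added example, not Key_P1 firmware: it walks a USB configuration descriptor (the bLength/bDescriptorType chain the host reads during enumeration), lists the interface classes it finds, and applies the article's policy of admitting only devices whose every interface is mass storage (class 0x08). The two descriptors at the bottom are constructed here, not captured from real hardware: an ordinary flash drive, and a "BadUSB"-style composite that adds a HID keyboard interface (class 0x03) in front of the storage one.

```python
import struct

# Descriptor type codes and interface classes from the USB and HID specifications.
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08


def parse_interfaces(config: bytes) -> list:
    """Walk a configuration descriptor and return one
    (bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
    tuple per interface descriptor. Inconsistent lengths are rejected rather than
    trusted, since the device is exactly the party we do not trust."""
    if len(config) < 9 or config[0] != 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack("<H", config[2:4])[0]
    if total != len(config):
        raise ValueError("wTotalLength does not match the bytes received")
    interfaces, pos = [], 9
    while pos < total:
        if pos + 2 > total:
            raise ValueError("truncated descriptor")
        blen, btype = config[pos], config[pos + 1]
        if blen < 2 or pos + blen > total:
            raise ValueError("malformed descriptor chain")
        if btype == DT_INTERFACE:
            if blen < 9:
                raise ValueError("short interface descriptor")
            interfaces.append((config[pos + 2], config[pos + 5], config[pos + 6], config[pos + 7]))
        pos += blen      # class-specific descriptors (e.g. HID) and endpoints are skipped
    return interfaces


def allow_device(config: bytes) -> bool:
    """The article's policy: admit a device only if every interface it offers is
    mass storage. A 'drive' that also enumerates a keyboard is refused."""
    interfaces = parse_interfaces(config)
    return bool(interfaces) and all(cls == CLASS_MASS_STORAGE for _, cls, _, _ in interfaces)


# --- Constructed descriptors for demonstration; not captured from real hardware. ---

def _endpoint(address: int, attributes: int = 0x02, max_packet: int = 512) -> bytes:
    return bytes([7, DT_ENDPOINT, address, attributes]) + struct.pack("<H", max_packet) + bytes([0])


def _interface(number: int, cls: int, sub: int, proto: int, children: list) -> bytes:
    num_endpoints = sum(1 for c in children if c[1] == DT_ENDPOINT)
    return bytes([9, DT_INTERFACE, number, 0, num_endpoints, cls, sub, proto, 0]) + b"".join(children)


def _configuration(*interfaces: bytes) -> bytes:
    body = b"".join(interfaces)
    total = 9 + len(body)
    # bNumInterfaces, bConfigurationValue, iConfiguration, bmAttributes (bus-powered), bMaxPower (100 mA)
    return bytes([9, DT_CONFIG]) + struct.pack("<H", total) + bytes([len(interfaces), 1, 0, 0x80, 50]) + body


# Ordinary flash drive: one mass-storage interface (SCSI transparent, bulk-only transport).
PLAIN_FLASH_DRIVE = _configuration(
    _interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, [_endpoint(0x81), _endpoint(0x02)]),
)

# HID class descriptor: bcdHID 1.11, no country code, one report descriptor of 63 bytes.
_HID_DESC = bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22]) + struct.pack("<H", 63)

# "BadUSB"-style composite: a boot keyboard interface in front of the storage interface.
BADUSB_COMPOSITE = _configuration(
    _interface(0, CLASS_HID, 0x01, 0x01, [_HID_DESC, _endpoint(0x81, 0x03, 8)]),
    _interface(1, CLASS_MASS_STORAGE, 0x06, 0x50, [_endpoint(0x82), _endpoint(0x03)]),
)

if __name__ == "__main__":
    for name, desc in (("plain drive", PLAIN_FLASH_DRIVE), ("composite", BADUSB_COMPOSITE)):
        classes = [hex(cls) for _, cls, _, _ in parse_interfaces(desc)]
        print(name, classes, "allowed:", allow_device(desc))
```

The check only sees what the device declares at enumeration time, which is why the article pairs it with filtering of SCSI commands: a device that enumerates honestly as storage and later re-enumerates as a keyboard, or that misbehaves at the command level, is not caught by the descriptor walk alone.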

Let's consider the implementation of the device at the circuit level.

The device is built around the Russian multicellular processor P1. An stm32f205 microcontroller is added to the circuit to talk to the USB host; the multicellular processor is clocked from the stm32f205, and the firmware is loaded over SPI. The P1 processor handles all the core encryption and hashing. One interesting feature of most encryption algorithms is that they parallelize well, which makes a processor with hardware parallelization of operations a rational choice.

After the planned upgrade of the device, the following scheme is expected:

Interaction with the USB host can then be handled by an FTDI chip.
The device has connectors for USB drives and for SD and microSD cards.

Advantages:

  • encryption with a large set of keys at the hardware level across drive sectors
  • control of service commands between the PC and the drive
  • storing the login-password pair
  • work in read-only mode
  • support USB drives, SD, microSD cards
  • work with an unlimited number of drives
  • corporate version
  • possibility of data recovery

Disadvantages: no purpose-built case, and no tamper-evident protection (although tamper-evident protection is not decisive for Habr users such as BarsMonster :)

P.S. As additional functionality, the idea of an application for secure messaging, similar to Skype or QIP but peer-to-peer, to specific users without an intermediary server, was also considered, but for certain reasons it was decided not to go into that area.
In addition, a Kickstarter.com project dedicated to this device was launched on March 25.

When Edward Snowden set about exposing surveillance programmes around the world, he had one goal in mind: to prevent such data capture in the future.

At the moment there is no sign that Snowden has achieved it. Only in early December the FBI received broad powers to hack into computers located abroad, including in Russia. Many politicians in the United States agree that under the Trump presidency such agencies will receive even more rights.

The UK has already taken similar measures: from November 29 the secret services have a legal basis for large-scale collection of information on the "full take" principle. For Snowden this means "the most powerful surveillance in the history of Western democracy", and he is not alone in that view. The EU's data protection commissioner also considers the current situation "more than just dangerous".

"For every attack there is a method of protection." Edward Snowden, whistleblower. According to Snowden, it is wiser to disclose as little personal information as possible.

Proponents of surveillance argue "I have nothing to hide". The catch is that if the secret services can dig through your personal data and contacts without restriction, there is always a risk of abuse and error.

Germany, for example, has some of the best data protection laws in the world, but even there data is at risk because of a new law on the activities of the Federal Intelligence Service (BND).

If you store your information in the cloud, in most cases it falls under the jurisdiction of other countries. Even so, it can be reliably protected, and the method was proposed by Snowden himself: encryption. Why so few users do it is easy to explain: it costs convenience.

With our tips, however, you do not have to choose between security and convenience. We show how to thoroughly encrypt your data on your local computer, on your smartphone and in the cloud, paying special attention to ease of setup and good integration with the operating system.

As a result you will not only hide confidential information from the secret services but also defeat hacker attacks, because if even intelligence agencies cannot decrypt your data, hackers certainly cannot.

Protect your data on your PC

Let's start with Windows. Information on a home computer is best protected by encrypting the entire hard drive. On older machines with poor performance, however, it makes sense to encrypt individual folders instead. Both methods are described below.

Using hardware encryption

Modern hard disks are easier to encrypt than you might think, because they offer their own encryption: the Opal SSC (Opal Security Subsystem Class) standard of the Trusted Computing Group lets the drive's controller encrypt the data on the media itself, so the operating system is not involved.

Cryptographic algorithms for encrypting files
> AES (Advanced Encryption Standard)
The successor to DES. All three key sizes (128, 192 and 256 bits) are unbroken; the article recommends 192 bits or more, e.g. AES-192.
> DES (Data Encryption Standard)
A joint development of IBM and the US NSA. Single DES, with its 56-bit key, is obsolete; only Triple DES (3DES) is still acceptable, and AES is the better choice.
> Twofish
Freely available and unpatented. Experts consider it reliable; no practical weaknesses are known.

To find out whether your drive supports Opal, check the product's technical description on the manufacturer's website. You will also find the tools to activate the function there; for Samsung, for example, it is the Magician program. Once activated, the drive asks for the password you set before the OS starts.

Two points deserve special attention. Do not use additional encryption in parallel, for example BitLocker in Windows: this often causes problems, and many users have even reported data loss.

Also disable the encryption before removing the hard drive, because the unlocking software only runs when the drive is the boot medium carrying the operating system. If you connect such a drive to another computer over USB, it appears completely empty.

Disk encryption with third party software

Windows 10 also has its own software for encrypting hard drives, BitLocker, but only in the Professional and Enterprise editions. Owners of the Home edition can use the free VeraCrypt program instead (veracrypt.codeplex.com).

After starting VeraCrypt, choose "Encrypt the system partition or entire system drive". In the window that appears click "Normal", then "Encrypt the whole drive". All data on the system partition and every other partition will then be encrypted.

A pop-up asks whether VeraCrypt should also encrypt hidden partitions. As a rule, answer "Yes", but keep in mind that the utility will then also encrypt the recovery partition, if there is one; some manufacturers use it to start the boot process.

In the last dialog box, create a rescue disk; VeraCrypt offers this automatically.

Encrypt individual folders

On slow and old computers it is still worth forgoing full encryption. For such cases we strongly recommend creating a so-called container.

This creates a virtual disk on which the confidential information is kept. It is encrypted automatically and stored as a file on your hard drive.

VeraCrypt serves here too: in the encryption settings window click "Create an encrypted file container" and follow the wizard's instructions.

Encrypted USB drive

Every year residents of Russia buy USB drives worth hundreds of thousands of rubles. These miniature media are very convenient to use but incredibly easy to lose.

If you keep confidential information on them, whoever finds your flash drive can read it without difficulty. AES-encrypted drives fix that.

> Inexpensive: encrypting a regular flash drive with VeraCrypt. The problem: every computer you plug it into must have that software installed.
> The most reliable: drives with encryption built in by default, such as Kingston's DataTraveler2000. Such devices cost as much as 6,400 rubles more than regular ones. Data is accessible only after the password is entered on the keypad built into the device.
> Maximum comfort: a drive with a built-in fingerprint scanner. A flash drive encrypted with a strong AES key is recognized by the system only after successful authentication. Such technology is not cheap, of course: for this level of protection you will pay roughly 18,000 rubles.


The main features of Folder Lock are:
  • AES encryption with a 256-bit key.
  • Hiding files and folders.
  • Encrypting files "on the fly" by creating virtual disks (safes).
  • Online backup.
  • Creating protected USB/CD/DVD disks.
  • Encrypting e-mail attachments.
  • Creating encrypted "wallets" holding information about credit cards, accounts and so on.

That seems like enough capability, especially for personal use. Now let's see the program in action. On first launch you are asked to set a master password, which authenticates you to the program (Fig. 1). Imagine the alternative: you hide files, someone else starts the program, sees which files were hidden and gains access to them. Not good. With a password required, that "someone" gets nowhere, at least until he guesses or learns your password.


Fig. 1. Setting the master password at first start

First, let's see how the program hides files. Go to the Lock Files section, then either drag files (Fig. 2) and folders into the main area of the program or use the Add button. As Fig. 3 shows, the program can hide files, folders and drives.


Fig. 2. Drag a file in, select it and click Lock


Fig. 3. The Add button

Let's see what happens when we press Lock. I tried to hide the file C:\Users\Denis\Desktop\cs.zip. It disappeared from Explorer, Total Commander and every other file manager, even with hidden files shown. The button is called Lock and the section Lock Files, but they ought to be named Hide and Hide Files, because the program does not actually block access to the file; it merely hides it. Look at Fig. 4: knowing the exact file name, I copied it to cs2.zip. The copy went through without any access error, and the file was not encrypted; it unpacked as usual.


Fig. 4. Copying a hidden file

On its own, the hiding function is of little use. Combined with the encryption function, though, to hide the safes the program creates, it becomes more effective.
In the Encrypt Files section you can create safes (Lockers). A safe is an encrypted container that, once mounted, is used like a regular disk; the encryption is transparent. Many other encryption programs use the same technique, including TrueCrypt, CyberSafe Top Secret and others.


Fig. 5. The Encrypt Files section

Click Create Locker, enter a name in the window that appears and choose the safe's location (Fig. 6). Next, enter the password for the safe (Fig. 7). Then select the file system and the safe size (Fig. 8). The safe's size is dynamic, but you can set a maximum; this saves disk space when the safe is not used to capacity. If you prefer, you can create a fixed-size safe, as shown in the Performance section of this article.


Fig. 6. Name and location of the safe


Fig. 7. Password for the safe


Fig. 8. File system and safe size

After that you see a UAC prompt (if UAC is enabled) where you click Yes, and then a window with information about the created safe. Click Finish, and an Explorer window opens showing the mounted container (Fig. 9).


Fig. 9. The virtual disk created by the program

Return to the Encrypt Files section and select the safe you created (Fig. 10). The Open Locker button opens a closed safe, Close Locker closes an open one, and Edit Options opens a menu with commands for deleting, copying, renaming and changing the safe's password. Backup Online backs up your safe, and not just anywhere, but to the cloud (Fig. 11). First you must create a Secure Backup Account, after which you get up to 2 TB of storage and your safes sync automatically with the online storage, which is particularly useful if you work with the same safe on different computers.


Fig. 10. Operations on the safe


Fig. 11. Creating a Secure Backup Account

Nothing is free. Prices for storing your safes are at secure.newsoftwares.net/signup?id=en: 2 TB costs $400 per month, 500 GB $100 per month. Frankly, that is very expensive; for $50-60 you can rent an entire VPS with 500 GB "on board", use it as storage for your safes and even host your own website on it.
Note that the program can create encrypted containers but, unlike PGP Desktop, cannot encrypt entire disks. In the Protect USB/CD section you can protect USB/CD/DVD drives and e-mail attachments (Fig. 12). This protection does not encrypt the medium itself; instead a self-decrypting safe is written to it, i.e. a stripped-down portable version of the program that can "open" the safe. There is no support for e-mail clients either: you can encrypt an attachment and then attach it, already encrypted, to a message, but the attachment is protected by an ordinary password rather than PKI. There is no point discussing the reliability of that.


Fig. 12. The Protect USB/CD section

The Make Wallets section creates wallets holding information about your credit cards, bank accounts and so on (Fig. 13). All of it is, of course, stored encrypted. I can say with full responsibility that this section is useless, because there is no function to export information from a wallet. Imagine you have many bank accounts and have entered the details of each into the program: account number, bank name, account holder, SWIFT code and so on. Then you need to give your account details to a third party who will transfer money to you. You would have to copy each field by hand and paste it into a document or e-mail. An export function would make this much easier. In my opinion it is far simpler to keep all this information in one ordinary document placed on the safe, the virtual disk created by the program.


Fig. 13. Wallets

Benefits of Folder Lock:

  • An attractive, clear interface that novice users who read English will like.
  • Transparent on-the-fly encryption: virtual encrypted disks that can be used like ordinary disks.
  • Online backup and synchronization of encrypted containers (safes).
  • Ability to create self-decrypting containers on USB/CD/DVD media.

Disadvantages of the program:

  • No Russian-language support, which complicates work for users who do not know English.
  • Questionable Lock Files (which merely hides files rather than “locking” them) and Make Wallets (of little use without an export function) features. Frankly, I expected Lock Files to provide transparent encryption of a folder or file on disk, as CyberSafe Top Secret or the EFS file system does.
  • No way to sign files or verify digital signatures.
  • When opening a safe you cannot choose the drive letter assigned to its virtual disk. In the program settings you can only choose the order in which the program assigns letters: ascending (A to Z) or descending (Z to A).
  • No integration with mail clients; only the attachment itself can be encrypted.
  • High cost of cloud backup.

PGP Desktop

Symantec's PGP Desktop is a suite of encryption tools that provides flexible, multi-level encryption. It differs from CyberSafe Top Secret and Folder Lock in how tightly it is integrated into the system shell: the program plugs into Explorer, and its functions are reached from the Explorer context menu (Fig. 14), which offers encryption, file signing and so on. The option to create a self-decrypting archive is interesting: it works like a self-extracting archive, except that the archive is decrypted as well as unpacked. Folder Lock and CyberSafe offer a similar function. Bear in mind that such an archive is an executable, so the recipient has to run a program that arrived together with the data, and mail gateways often block executable attachments for exactly that reason.


Fig. 14. PGP Desktop context menu

The program's functions can also be reached from the system tray (Fig. 15). The Open PGP Desktop command opens the main program window (Fig. 16).


Fig. 15. The program in the system tray


Fig. 16. PGP Desktop window

Program sections:

  • PGP Keys - key management (both your own keys and keys imported from keyserver.pgp.com).
  • PGP Messaging - management of messaging services. On installation the program automatically detects your accounts and automatically encrypts AOL Instant Messenger traffic.
  • PGP Zip - management of encrypted archives. The program supports both transparent and non-transparent (explicit, per-file) encryption; this section implements the latter. You can create an encrypted Zip archive (PGP Zip) or a self-decrypting archive (Fig. 17).
  • PGP Disk - the transparent encryption function. The program can encrypt an entire hard disk partition (or even the whole disk) or create a new virtual disk (container). There is also a Shred Free Space function that overwrites the free space on a disk.
  • PGP Viewer - decrypts PGP messages and attachments.
  • PGP NetShare - a tool for “sharing” folders: the shares are encrypted with PGP, and you can add and remove users (identified by their certificates) who have access to a share.


Fig. 17. Self-decrypting archive

As for virtual disks, I particularly liked the ability to create a dynamically sized virtual disk (Fig. 18) and to choose an algorithm other than AES. The program lets you pick the drive letter the virtual disk is mounted on, and it can mount the disk automatically at system start and unmount it when idle (by default after 15 minutes of inactivity).


Fig. 18. Creating a virtual disk

The program tries to encrypt everything it can reach. It monitors POP/SMTP connections and offers to secure them (Fig. 19); the same goes for instant messaging clients (Fig. 20). IMAP connections can be protected too, but this has to be enabled separately in the program settings.


Fig. 19. SSL/TLS connection detected


Fig. 20. PGP IM in action

It is a pity that PGP Desktop does not support popular modern programs such as Skype and Viber. Who uses AOL IM now? Very few people, I think.
Configuring mail encryption in PGP Desktop is also awkward, since it works only in interception mode. What if an encrypted message was already received before PGP Desktop was launched? How do you decrypt it? You can, of course, but you have to do it manually. Moreover, messages that have already been decrypted are no longer protected in the client. If instead the client is configured for certificates, as is done in CyberSafe Top Secret, the messages always stay encrypted.
Interception mode itself does not work very well either: the mail protection prompt appears every time for each new mail server, and Gmail has a lot of them. You will tire of the mail protection window very quickly.
The program is also not very stable (Fig. 21).


Fig. 21. PGP Desktop froze...

Also, after installing it the system worked more slowly (subjectively).

Benefits of PGP Desktop:

  • A complete suite for file encryption, file signing and signature verification, transparent encryption (virtual disks and whole-partition encryption) and email encryption.
  • Support for the keyserver.pgp.com key server.
  • Ability to encrypt the system drive.
  • The PGP NetShare feature.
  • Ability to overwrite free space.
  • Tight integration with Explorer.

Disadvantages of the program:

  • No Russian-language support, which complicates work for users who do not know English.
  • Unstable operation.
  • Poor performance.
  • Support for AOL IM, but none for Skype or Viber.
  • Already decrypted messages remain unprotected in the client.
  • Mail protection works only in interception mode, which quickly becomes tiresome because the protection window pops up for every new server.

CyberSafe Top Secret

As in the previous review, there will be no detailed description of CyberSafe Top Secret, since a great deal has already been written about it on our blog (Fig. 22).


Fig. 22. CyberSafe Top Secret

Still, we will look at a few of the most important points. The program includes key and certificate management tools, and CyberSafe's own key server lets a user publish his public key on it and retrieve the public keys of other company employees (Fig. 23).


Fig. 23. Key management

The program can be used to encrypt individual files, as shown in the article “Electronic signature: practical use of the CyberSafe Enterprise software product in an enterprise. Part one”. As for algorithms, CyberSafe Top Secret supports the GOST algorithms and the certified CryptoPro crypto provider, which allows it to be used in government agencies and banks.
The program can also transparently encrypt a folder (Fig. 24), which lets it serve as a replacement for EFS. And given that CyberSafe turned out to be more reliable and (in some scenarios) faster than EFS, using it that way is not only possible but advisable.


Fig. 24. Transparent encryption of the folder C:\CS-Crypted

The functionality of CyberSafe Top Secret resembles that of PGP Desktop: as you may have noticed, the program can also encrypt email messages, and it can electronically sign files and verify such signatures (the Email digital signature section, see Fig. 25).


Fig. 25. Email digital signature section

Like PGP Desktop, CyberSafe Top Secret can create encrypted virtual disks and encrypt entire hard disk partitions. Note that CyberSafe Top Secret can only create virtual disks of a fixed size, unlike Folder Lock and PGP Desktop. This drawback is offset by transparent folder encryption, where the folder's size is limited only by the free space on your hard drive.
Unlike PGP Desktop, CyberSafe Top Secret cannot encrypt the system drive; it is limited to external and internal non-system drives.
On the other hand, CyberSafe Top Secret offers cloud backup, and unlike Folder Lock's it is completely free; more precisely, the cloud backup function can be pointed at any service, paid or free. You can read more about this feature in the article “Encrypting backups on cloud services”.
Two more important features deserve a mention: two-factor authentication and the trusted applications system. In the program settings you can choose either password authentication or two-factor authentication (Fig. 26).


Fig. 26. Program settings

On the Allowed applications tab you can define trusted applications that are allowed to work with encrypted files. By default every application is trusted, but for greater security you can restrict access to a specific set of applications (Fig. 27).


Fig. 27. Trusted applications

Benefits of the CyberSafe Top Secret program:

  • Support for the GOST encryption algorithms and the certified CryptoPro crypto provider, which allows the program to be used not only by individuals and commercial organizations but also by government agencies.
  • Transparent folder encryption, which lets the program replace EFS. Given that it offers better performance and security, such a replacement is more than justified.
  • Ability to sign files with an electronic digital signature and to verify a file's signature.
  • A built-in key server for publishing keys and fetching keys published by other company employees.
  • Ability to create a virtual encrypted disk and to encrypt an entire partition.
  • Ability to create self-decrypting archives.
  • Free cloud backup that works with any service, paid or free.
  • Two-factor user authentication.
  • A trusted applications system that lets only specified applications access encrypted files.
  • Support for the AES-NI instruction set, which benefits performance (demonstrated later in this article).
  • The CyberSafe driver works over the network, which makes corporate (network-wide) encryption possible.
  • A Russian-language interface, with the option to switch to English for English-speaking users.

Now the shortcomings. The program has no particular shortcomings, but since the task was to compare the programs honestly, some have to be found. To be really picky, non-localized messages such as “Password is weak” occasionally (very, very rarely) slip into the program. Also, the program cannot yet encrypt the system disk, though such encryption is not always necessary and not for everyone. All of this is minor compared with PGP Desktop's freezes and its price (more on that below).

Performance

When working with PGP Desktop I had the impression, right after installing it, that the computer had become slower. Were it not for that “sixth sense”, this section would not exist. I decided to measure performance with CrystalDiskMark. All tests were run on a real machine, not a virtual one. The laptop configuration: Intel 1000M (1.8 GHz), 4 GB RAM, WD WD5000LPVT (500 GB, SATA-300, 5400 RPM, 8 MB buffer), Windows 7 64-bit. The machine is not very powerful, but it is what it is.
The test is performed as follows. Launch one of the programs and create a virtual container with these parameters:
  • Virtual disk size: 2048 MB.
  • File system: NTFS.
  • Drive letter: Z:.
The program is then closed (with the virtual disk unmounted, of course) so that nothing interferes with the next program's test. The next program is launched, a similar container is created in it, and the test is run again. To make the results easier to read, here is what the CrystalDiskMark figures mean:
  1. Seq - sequential write/sequential read test (block size = 1024 KB);
  2. 512K - random write/random read test (block size = 512 KB);
  3. 4K - the same as 512K, but with a 4 KB block size;
  4. 4K QD32 - random write/read test (block size = 4 KB, queue depth = 32) for NCQ and AHCI.
During the test every program except CrystalDiskMark was closed. I chose a test size of 1000 MB and 2 passes so as not to stress the hard drive unnecessarily (even so, its temperature rose from 37 to 40 degrees during the experiment).
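For readers who want to repeat this measurement without CrystalDiskMark, or on a system where it is not available, here is an added example (written for this review, not code from CrystalDiskMark or from any of the three products) that runs the same three reproducible patterns, sequential 1024 KB, random 512 KB and random 4 KB, inside any directory and reports MB/s. Point it at a mounted container (Z:\ in the setup above, or a Linux mount point) and at the host disk and compare the numbers. The file name bench.tmp, the default 100 MB test size and the AES-NI check are this example's own choices; the 4K QD32 pattern is deliberately omitted, because plain Python has no asynchronous I/O queue and a queue depth of 32 cannot be reproduced honestly with it.

```python
"""Sequential/random throughput test in the spirit of the CrystalDiskMark
runs described above. Usage: python bench.py Z:\\  (or /mnt/safe)."""
import os
import random
import tempfile
import time

MB = 1024 * 1024
BENCH_FILE = "bench.tmp"   # assumed temporary file name, deleted after each run


def _drop_cache(fd):
    """Best effort: evict the file from the page cache so reads go through
    the device (and the container's decryption path) instead of RAM.
    Linux only; silently a no-op elsewhere."""
    if hasattr(os, "posix_fadvise"):
        os.fsync(fd)
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)


def run_pattern(path, total_bytes, block_size, sequential, seed=0):
    """Write then read total_bytes at `path` in block_size chunks.
    Returns (write_MBps, read_MBps). Random mode visits the blocks in a
    shuffled order, like CrystalDiskMark's 512K and 4K tests."""
    nblocks = total_bytes // block_size
    order = list(range(nblocks))
    if not sequential:
        random.Random(seed).shuffle(order)
    # Incompressible data: an encrypting driver cannot take shortcuts on it,
    # and zero-filled blocks would flatter a compressing file system.
    buf = os.urandom(block_size)
    flags = os.O_RDWR | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.ftruncate(fd, total_bytes)   # preallocate so random writes never extend the file
        t0 = time.perf_counter()
        for i in order:
            os.lseek(fd, i * block_size, os.SEEK_SET)
            os.write(fd, buf)
        os.fsync(fd)                    # count the flush, or you measure RAM, not the disk
        write_s = time.perf_counter() - t0

        _drop_cache(fd)
        t0 = time.perf_counter()
        for i in order:
            os.lseek(fd, i * block_size, os.SEEK_SET)
            if len(os.read(fd, block_size)) != block_size:
                raise IOError("short read at block %d" % i)
        read_s = time.perf_counter() - t0
    finally:
        os.close(fd)
        os.unlink(path)
    return total_bytes / MB / write_s, total_bytes / MB / read_s


def benchmark(directory, total_bytes=100 * MB):
    """Run the three reproducible CrystalDiskMark-like patterns inside
    `directory` and return {name: (write_MBps, read_MBps)}."""
    target = os.path.join(directory, BENCH_FILE)
    patterns = {
        "Seq (1024K)": (1024 * 1024, True),
        "512K random": (512 * 1024, False),
        "4K random":   (4 * 1024, False),
    }
    return {name: run_pattern(target, total_bytes, bs, seq)
            for name, (bs, seq) in patterns.items()}


def aes_ni_available():
    """True/False when the CPU flags can be read from /proc/cpuinfo (Linux),
    None elsewhere. Worth noting next to the results: an encryption driver
    that uses AES-NI looks much faster on a CPU that has it."""
    try:
        with open("/proc/cpuinfo") as f:
            for line in f:
                if line.startswith("flags"):
                    return "aes" in line.split(":", 1)[1].split()
    except OSError:
        pass
    return None


def quick_self_check(total_bytes=4 * MB):
    """Smoke test on a small file in a temp directory; returns
    (results, leftover_file_present)."""
    with tempfile.TemporaryDirectory() as d:
        results = benchmark(d, total_bytes)
        leftover = os.path.exists(os.path.join(d, BENCH_FILE))
    return results, leftover


if __name__ == "__main__":
    import sys
    where = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    print("AES-NI:", aes_ni_available())
    for name, (w, r) in benchmark(where).items():
        print("%-12s write %7.1f MB/s  read %7.1f MB/s" % (name, w, r))
```

Two details matter when comparing containers this way: the write figure includes an fsync, otherwise a generous page cache makes every product look equally fast, and the data is random rather than zeros, so that neither compression nor a lazy driver can skip work. Run the same size and number of passes on the host disk first, as the article does, to get the baseline.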

Let's start with the plain hard drive so that we have a baseline. The performance of drive C: (the only partition on my computer) will be taken as the reference. The results are shown in Fig. 28.


Fig. 28. Hard drive performance

Now the first program: let it be Folder Lock. Fig. 29 shows the parameters of the created container; note that I am using a fixed size. The results are shown in Fig. 30. As you can see, there is a significant drop in performance compared with the baseline. That is normal, since the data is encrypted and decrypted on the fly; performance is bound to be lower, the question is by how much.


Fig. 29. Folder Lock container parameters


Fig. 30. Folder Lock results

Next is PGP Desktop. Fig. 31 shows the container parameters and Fig. 32 the results. My feeling was confirmed: the program really is slower, and the test bears it out. Moreover, while this program was running not only the virtual disk but the whole system “slowed down”, which was not the case with the other programs.


Fig. 31. PGP Desktop container parameters


Fig. 32. PGP Desktop results

All that remains is CyberSafe Top Secret. As usual, the container parameters first (Fig. 33), then the results (Fig. 34).


Fig. 33. CyberSafe Top Secret container parameters


Fig. 34. CyberSafe Top Secret results

I think no comment is needed. Ranked by performance, the places are as follows:

  1. CyberSafe Top Secret
  2. Folder Lock
  3. PGP Desktop

Price and conclusions

Since we are testing proprietary software, there is one more important factor: price. Folder Lock costs $39.95 for one installation and $259.70 for 10 installations. The price is not very high, but frankly the program's functionality is limited. As noted, the file hiding and wallet features are of little use, and Secure Backup costs extra, so paying almost $40 (from the point of view of an ordinary user rather than a company) just to encrypt files and create self-decrypting safes is expensive.
PGP Desktop costs $97, and note that this is only the starting price. The full version with all modules costs roughly $180-250, and that is a 12-month license. In other words, you will pay about $250 every year to keep using the program. In my opinion, that is excessive.
CyberSafe Top Secret is the golden mean in both functionality and price. For an ordinary user the program costs only $50 (a special anti-crisis price for Russia; in other countries the full version costs $90). Note that this is the price of the most complete version, Ultimate.
Table 1 compares the features of all three products and may help you choose.

Table 1. Programs and functions

Function | Folder Lock | PGP Desktop | CyberSafe Top Secret
--- | --- | --- | ---
Virtual encrypted disks | Yes | Yes | Yes
Encrypting an entire partition | No | Yes | Yes
Encrypting the system disk | No | Yes | No
Convenient integration with email clients | No | No | Yes
Encryption of email messages | Yes (limited) | Yes | Yes
File encryption | No | Yes | Yes
Digital signature: signing | No | Yes | Yes
Digital signature: verification | No | Yes | Yes
Transparent folder encryption | No | No | Yes
Self-decrypting archives | Yes | Yes | Yes
Cloud backup | Yes (paid) | No | Yes (free)
Trusted applications system | No | No | Yes
Certified crypto provider support | No | No | Yes
Token support | No | No (no longer supported) | Yes (with CryptoPro installed)
Own key server | No | Yes | Yes
Two-factor authentication | No | No | Yes
Hiding individual files | Yes | No | No
Hiding hard disk partitions | Yes | No | Yes
Wallets for payment information | Yes | No | No
GOST encryption support | No | No | Yes
Russian interface | No | No | Yes
Sequential read/write (CrystalDiskMark), MB/s | 47/42 | 35/27 | 62/58
Price | $40 | $180-250 | $50

Taking into account all the factors outlined in this article (functionality, performance and price), the winner of this comparison is the CyberSafe Top Secret program. If you have any questions, we will be happy to answer them in the comments.
