What is the difference between SEE and PGP?

Symantec Enterprise Division offers two encryption solutions\products to help you secure your sensitive data in many different scenarios. 

Each of these two solutions have some of the same functionality and some overlap.

However; the two operate and behave in different ways so it's useful to know how the two encryption solutions differ.

This article will go over all of this to help you choose the best solution for your encryption needs. 

See the Encryption Portfolio Video Here.

Read our Symantec Encryption Blog: Encryption - The Last Line of Defense

For further guidance, reach out to Symantec Encryption Support.

Solution 1 - PGP Encryption Solutions

PGP Encryption Server (also known as Symantec Encryption Management Server)
This is the management server piece that will manage the PGP Encryption Desktop clients on the PGP side. 
It can also perform automatic email encryption when deployed in "Gateway Mode", which has many additional features for secure email delivery.

Features

• Client/Policy Management
• Helpdesk Recovery Portal for Drive Encryption
• Gateway Email Encryption
• Web Email Protection Secure Email Delivery
• PDF Email Secure Email Delivery

PGP Encryption Desktop (also known as Symantec Encryption Desktop)
This is the client component that is installed on each endpoint. 

Features

• Drive Encryption (Recovery keys securely stored on the PGP Encryption Server)
• File Share Encryption (Secure NTFS Folders\Shares)
• Email Encryption (with Outlook / Exchange / Office 365 or POP/IMAP)
• Virtual Disk Encryption
• File Encryption (PGP Zip)
• Secure File Shredding
  
  

The PGP Encryption Server will manage this client, which provides you with limitless configuration possibilities.
As a result, using the PGP Encryption Desktop client in a managed setting is typically the preferred option for enterprises.

Desktop Email Encryption vs Gateway Email Encryption

The main advantage of Desktop Email Encryption is end-to-end encryption and encryption at rest:

• Outbound messages are encrypted at the time of sending and remain in that state so they are stored in an encrypted state.
• Inbound encrypted messages are decrypted at the time the user opens them but remain encrypted so they are also stored in an encrypted state.
• Outbound messages can be automatically encrypted to an ADK (Additional Decryption Key) that is held in a secure location by the administrator and can be used for decryption in an emergency.

The main advantage of Gateway Email Encryption is convenience:

• Users do not require a desktop client for email encryption.
• Messages are stored in in Office 365 or Exchange and Outlook in an unencrypted state which is more convenient.
• TLS connections are used by the PGP server to proxy email messages.

With the PGP product, the client is managed on a "per user" basis.  Users receive PGP Keys and is their identity within the PGP realm. 

When the client is installed, a user is enrolled (either by the end user themselves, or invisibly depending on which option is chosen) and once enrollment is completed, the drive encryption process will start. 

The user exists on the PGP Encryption Server and the machine is associated with the user. 

When a Drive Encryption recovery key is needed, the Encryption Administrator will locate the user, and display the recovery key for the machine in question. 

The policy for the PGP clients is applicable to the user and not the machine.

All PGP Encryption products interop with any other encryption solution that use the OpenPGP standard. 

With Symantec Encryption, we invented the standard, so as long as other solutions that use OpenPGP do so using standard methods, PGP can interop with many other encryption solutions just fine. 

PGP Encryption Desktop can run as a "standalone" product and all the features available can be used as a standalone client and does not require configuring a server to use this product.  Although it is possible to manage the PGP client (PGP Encryption Desktop) by the server, it is not necessary in order to obtain the installer and get started with encryption.  In this way, if you need to encrypt only a few machines and do not need to manage any of the components with a server, PGP is likely the best choice.  The standalone MSI file can be downloaded directly from the Broadcom Support Portal.

For the Drive Encryption component, if you install as a standalone client, the end user is in full control of their recovery key and will not be managed by the PGP Encryption server.  

Important note: PGP Encryption Desktop 11.0.0 for Windows Release Notes

Discontinued support for the Standalone mode of PGP Encryption Desktop: Starting with the PGP 11.0.0 release, installation of PGP Encryption Desktop standalone mode is discontinued. If you have been using PGP Encryption Desktop in standalone mode, you must install a bound and stamped version of PGP Encryption desktop over your existing, standalone installation. You must also complete the enrollment process so that it can be managed by the PGP Encryption server. On the PGP Encryption server administration interface ,when administrators click the download client button with the default setting, a managed client installation get downloaded that is pre-configured to enroll and communicate with the server once the installer is run.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution 2: Symantec Endpoint Encryption (SEE)
SEE Management Server (SEEMS) - Manages the SEE Clients and policy for the deployed endpoints
SEE Client (Managed by SEEMS)

Features

• Intuitive and Sleek Web UI for Administrative Management.
• Drive Encryption
• Removable Media Encryption (USB, Blu-ray, etc.)
• Helpdesk Recovery Portal for Drive Encryption (Connectionless Recovery)

With Symantec Endpoint Encryption, the client is managed on a "per machine" basis.  This means that when the client is installed, the machine itself can automatically start encrypting without any user intervention--in fact, once the SEE Client is installed, upon reboot, even if the user does not login to the system, encryption will start.  Once the user logs in, the user is registered to the drive encryption piece and associated to the machine.  When a Drive Encryption recovery key is needed, the Encryption Administrator will search for the machine (rather than the user), and display the recovery key for the machine.  The SEE Client will always have a recovery key even if the SEE Client never connects to the server.  All policy applied to the machine itself, not the user.

Symantec Endpoint Encryption (SEE)
SEE Management Server (SEEMS)
SEE Client (Managed by SEEMS)

Symantec Endpoint Encryption requires the SEE Management Server as the SEE Client must be generated by the server itself.  The reason for this is SEE embeds encryption keys into the client and is a completely unique installer for each deployment.  Due to this unique client creation, SEE enjoys "Connectionless Recovery".  Connectionless Recovery allows a system to be encrypted and even if the client never contacts the server, a recovery key can be generated for the clients. This makes the SEE client a very attractive option when it comes to Drive Encryption, something few encryption solutions offer.

NOTE: As of 11.4.0, Standalone Endpoint Encryption clients are not supported.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Both of the above encryption solutions that Symantec Enterprise Division offers will allow client management, but the management functionality is different here. 

The table below displays the major feature differences at a glance between the two encryption solutions, and we will explain in more detail the different features for each solution:

Server Management

Both products support a server-client architecture. This enables server administrators to update policies which the clients will receive when checking in with the server.

PGP fully supports standalone installations while SEE does not.

Disk Encryption

• Both products support the encryption of boot disks as well as additional internal or external disks.
  • This encryption can be started automatically or manually depending on how policies are configured.
    SEE will start encryption automatically without the need to enroll a user and has connectionless recovery.
    PGP will start encryption after the user enrolls to the Management server.
    
    
• When a boot disk is encrypted, it will brings the user to a pre-boot authentication screen when the computer is turned on after a shutdown or restart.
  • The images and text on this screen can be modified on both products
  • Both products have an "autologon" or "bypass" feature to allow seamless Windows major updates *without* the need to run special scripts.
    
    
• After successfully authenticating, the operating system (OS) starts and the user is brought to the log in screen for the OS
  • Both products include Single Sign-On (SSO) functionality, which uses the credentials provided at the pre-boot screen to log the user into the OS

PGP Encryption Desktop: Whole Disk Encryption

• Supports Additional Decryption Keys (ADKs) to be used to decrypt drives. This enables administrators to decrypt drives in the event users lose their password and whole disk recovery tokens
• Enrolls and manages individual users
• PGP Encryption Desktop uses "user-based PGP Encryption Desktop" policy.
• Recovery Keys are sent to the server upon user enrollment.
• Client Administrator Password is available per policy.

Symantec Endpoint Encryption: Disk Encryption

• Encryption begins automatically without user interaction by default (Even without the need to login to the system).
• "Connectionless Recovery" - No server connectivity needed in order to remotely recovery in case of a forgotten password
  Recovery keys are immediately available even w/out ever contacting the management server.
• Includes BitLocker Recovery support
• Includes FileVault Recovery support
• Windows 10 can be updated between major releases (such as 1709 and 1803) without the need to decrypt the drive or use special scripts.
• SEE Client Administrators with granular permission control
• SEE users "machine-based PGP Encryption Desktop" policy.

External Device Encryption

PGP Encryption Desktop: Disk Encryption

• Supports Additional Decryption Keys (ADKs) to be used to decrypt drives. This enables administrators to decrypt drives in the event users lose their password and whole disk recovery tokens
• Encrypts entire drives sector-by-sector rather than files specifically
• Supports boot drives, additional hard drives, external drives, and USB drives

Symantec Endpoint Encryption: Removable Media Encryption (RME)

• Controls access policy on removable media (no access, read-only access, and read and write access)
• Supports automatic encryption
• SEE RME encrypts files rather than entire drives
• Allows for exemption of specific file types of devices
• Files can be encrypted with a recovery certificate to enable decryption in the even the user is unable to decrypt the drive
• A Removable Media Access Utility for Windows or MacOS can be included on the removable media
  • This allows users not using SEE to access to encrypted files
• Supports USB drives as well as Blu-ray, CD, DVD discs

Policy Management

• Both clients can receive the initial policy from the client install.
  *PGP Encryption Desktop typically receives policy during enrollment, although "offline" policy can be manually configured. 
  *SEE will always use a local policy w/out having to contact the server.  PGP can be configured to have offline policy.
  
  
• Both clients can receive policy updates by communicating with their respective server
• The policies are managed on the PGP Encryption Server for the PGP Encryption Desktop client.
• Both servers can connect with Active Directory (AD) to set policies based PGP Encryption Desktop on AD groups

Encryption Desktop: Active Directory and Native Policy

• Standalone PGP Encryption Desktop installation allow policies to be set locally
• SEE can be configured to use a "standalone" policy.  Contact support for more information on this.

Symantec Endpoint Encryption: Active Directory and Native Policy

• SEEMS has native policy management which is an alternative to Active Directory management.
• SEE Native policy management allows computers to have different policies applied by adding them to groups without using AD.
• SEE Native policy is simple to use while allowing highly granular control.

Server-Client Communication

Encryption Desktop: Built-in Website

• The communication between server and client occurs between the PGP Encryption Server and the PGP Encryption Desktop client directly.
• This website is configured during the installation of the PGP Encryption Server.

Symantec Endpoint Encryption: IIS Web Server

• A prerequisite to the installation of the Endpoint Encryption Suite is configuring an Internet Information Services (IIS) website.
• All communication between the server and client takes place on this website via secure TLS methods.

Database Configuration

PGP Encryption Desktop: Built-in Database

• The PGP Encryption Server has a built-in database which manages all necessary information

Symantec Endpoint Encryption: SQL Server Database

• A prerequisite to the installation of the Symantec Endpoint Encryption Suite is having a MS SQL Database infrastructure.
  Note: Could be a standalone SQL environment if needed.  

Help Desk Recovery

• In the event that a SEE user forgets their login credentials, they are able to use Help Desk Recovery at the preboot screen to log into their computer
• SEE makes recovery keys available immediately w/out having to contact the management server via "Connectionless Recovery". 
• PGP Desktop makes recovery keys available on the PGP Encryption Server.

FileVault Management

• Both SEE and PGP Encryption Desktop Allow for File Vault Management

Virtual Disks

• PGP Encryption Desktop can create encrypted containers to store files/folders inside.
• SEE RME is able to encrypt individual files and folders if needed.

Key Management

• PGP Encryption Desktop supports private and public key management for use in email encryption for PGP or S/MIME encryption.
• These keys can be stored on the server, client, or on dedicated keyservers
• SEE does not offer Key management capabilities.

Email Encryption

• PGP Encryption Desktop supports email encryption in standalone or server-managed mode
• An Outlook plug-in makes encrypting and signing emails simple
• Encrypted emails can be stored on the server for users without PGP Encryption Desktop to access, while maintaining security
• SEE does not offer Email Encryption capabilities.

File and Folder Encryption

• PGP Encryption Desktop is able to encrypt specific files or folders
• NTFS\CIFS\SMB shares are all supported and can be encrypted with File Share Encryption.
  These files/folders can be encrypted and decrypted by user keys or passphrases.
  HTTPS forms will not work with File Share Encryption. 
• PGP Encryption Desktop offers Secure Shredding of files/folders.
• PGP Encryption Desktop can create a "Self-Decrypting Archive" which allows users without PGP Encryption Desktop to decrypt the files
• SEE RME can be used to create Self Decrypting Archives.

File Share Encryption

• File Share Encryption can be used to encrypt NTFS/CIFS shares.
• SEE does not offer File Share Encryption for NTFS/CIFS shares.

PGP Command Line

• PGP Command Line can be used to be able automate the encryption process.  Files and Folders are able to be automated via scripting to encrypt large quantities of file content.
• PGP Command Line can be used with Symantec Encryption Management Server so that all keys are stored on the server securely and no keys are stored on the local machine.

Keywords:

Difference between SEE and PGP
Difference between PGP and SEE
Difference between endpoint encryption and PGP

201122 - How Symantec Encryption Products stand out above the competition