What is the difference between SEE and PGP?
Symantec Enterprise Division offers two encryption solutions\products to help you secure your sensitive data in many different scenarios. Each of these two solutions have some of the same functionality and some overlap, however, the two operate and behave in significant ways so it's useful to know how the two encryption solutions differ, which this article will go over to help you choose the best solution for your encryption needs.
The two encryption solutions Symantec Enterprise Division offers are the PGP Encryption Solutions (SED\SEMS), and the Symantec Endpoint Encryption product line (SEE):
Solution 1: PGP Encryption Solutions
Symantec Encryption Management Server (SEMS - AKA PGP Universal Server) - This is the management server piece that will manage the encryption desktop clients on the PGP side. It can also perform automatic email encryption when deployed in "Gateway Mode", which has many additional features for secure email delivery.
Features: Helpdesk Recovery Portal for Drive Encryption, Gateway Email Encryption, Web Email Protection Secure Email Delivery, PDF Email Secure Email Delivery, Client\Policy Management
Symantec Encryption Desktop (SED - AKA PGP Desktop)
Features: Drive Encryption, File Share Encryption (Secure NTFS Folders\Shares), Email Encryption (POP/IMAP/MAPI), Virtual Disk Encryption, File Encryption (PGPZip), Secure File Shredding
Solution 2: Symantec Endpoint Encryption (SEE)
SEE Management Server (SEEMS) - Manages the SEE Clients and policy for the deployed endpoints
SEE Client (Managed by SEEMS)
Features: Helpdesk Recovery Portal for Drive Encryption, Drive Encryption, Removable Media Encryption
Both of the above encryption solutions that Symantec Enterprise Division offers will allow client management, but the management functionality is different here.
With the PGP product, the client is managed on a "per user" basis. This means that when the client is installed, a user is enrolled (either by the end user themselves, or invisibly depending on which option is chosen) and once enrollment is completed, the drive encryption process will start. The user exists on the server and the machine is associated with the user. When a Drive Encryption recovery key is needed, the Encryption Administrator will locate the user, and display the recovery key for the machine in question. The policy for the PGP clients is applicable to the user, and not the machine.
With Symantec Endpoint Encryption, the client is managed on a "per machine" basis. This means that when the client is installed, the machine itself can automatically start encrypting without any user intervention--in fact, once the SEE Client is installed, upon reboot, even if the user does not login to the system, encryption will start. Once the user logs in, the user is registered to the drive encryption piece and associated to the machine. When a Drive Encryption recovery key is needed, the Encryption Administrator will search for the machine (rather than the user), and display the recovery key for the machine. The SEE Client will always have a recovery key even if the SEE Client never connects to the server. All policy applied to the machine itself, not the user.
PGP Encryption Solutions
Symantec Encryption Management Server (SEMS) - This is the management server piece that will manage the encryption desktop clients on the PGP side.
Symantec Encryption Desktop (SED) - This is the client component that is installed on each endpoint and can perform all the features mentioned above in the introduction and will go over in more detail later on in this article.
PGP can run as a "standalone" product and all the features available can be used as a standalone client and does not require configuring a server to use this product. Although it is possible to manage the PGP client (SED) by the server, it is not necessary in order to obtain the installer and get started with encryption. In this way, if you need to encrypt only a few machines and do not need to manage any of the components with a server, PGP is likely the best choice. The standalone MSI file can be downloaded directly from the Broadcom Support Portal.
For the Drive Encryption component, if you install as a standalone client, the end user is in full control of their recovery key and will not be managed by the server. If you do need a server to manage the recovery key, you will use Symantec Encryption Management Server to manage this client, which provides you with limitless configuration possibilities, so using the client in a managed setting is typically the preferred option for enterprises.
All PGP Encryption products interop with any other encryption solution that uses OpenPGP. With Symantec Encryption, we invented the standard, so as long as other solutions that use OpenPGP do so using standard methods, PGP can interop with many other encryption solutions just fine.
Symantec Endpoint Encryption (SEE)
SEE Management Server (SEEMS)
SEE Client (Managed by SEEMS)
Symantec Endpoint Encryption requires the SEE Management Server as the SEE Client must be generated by the server itself. The reason for this is SEE embeds encryption keys into the client and is a completely unique installer for each deployment. Due to this unique client creation, SEE enjoys "Connectionless Recovery". Connectionless Recovery allows a system to be encrypted and even if the client never contacts the server, a recovery key can be generated for he clients. This makes the SEE client a very attractive option when it comes to Drive Encryption, something few encryption solutions offer.
The table below displays the major feature differences at a glance between the two encryption solutions, and we will explain in more detail the different features for each solution:
Symantec Encryption Desktop (PGP Heritage)
|Symantec Endpoint Encryption (SEE)|
|Symantec Encryption Management Server (SEMS)
Gateway Email Encryption, Secure Email Delivery with Web Email Protection and PDF Email Protection, Client Management, Helpdesk Recovery Portal for Drive Encryption
Symantec Endpoint Encryption Management Server (SEEMS)
|Drive Encryption (Boot/storage devices)||Disk Encryption (Boot devices)|
|Drive Encryption (Removable Devices, such as USB drives)||Removable Media Encryption (Removable Devices, such as USB, Bluray, etc.|
|Active Directory and Native Policy||Active Directory and SEE Native Policy|
|Built-in Website||IIS Web Server|
|Built-in Database||Local or Remote SQL Server Database|
|FileVault Management||FileVault Recovery|
|Help Desk Recovery Portal||Help Desk Recovery Portal|
|Virtual Disks||Bitlocker Recovery|
|Key Management (PGP/SMIME)||AWS/Azure Support|
|Email Encryption (MAPI/POP/IMAP)|
|File and Folder Encryption (Zipped Archives, or individual files)|
|File Share Encryption (NTFS/CIFS shares)|
|PGP Command Line (Automated File\Folder Encryption - Windows, Linux, AIX, HPUX, macOS)|
Both products support a server-client architecture. This enables server administrators to update policies, which the clients will receive when checking in with the server. PGP\SED fully supports standalone installations while SEE does not.
Endpoint Encryption: Symantec Endpoint Encryption (SEE)
Encryption Desktop: Whole Disk Encryption
Endpoint Encryption: Disk Encryption
Encryption Desktop: Disk Encryption
Endpoint Encryption: Removable Media Encryption (RME)
Encryption Desktop: Active Directory and Native Policy
Endpoint Encryption: Active Directory and Native Policy
Encryption Desktop: Built-in Website
Endpoint Encryption: IIS Web Server
Encryption Desktop: Built-in Database
Endpoint Encryption: SQL Server Database
Difference between SEE and PGP
Difference between PGP and SEE
Difference between endpoint encryption and PGP