Symantec PGP NetShare Sizing Considerations

Article ID: 155891

Updated On:

Products

Symantec Products

Issue/Introduction

PGP NetShare uses PGP Keys for encryption: the session keys that protect the data are in turn encrypted to the PGP Keys. When a PGP Key is unlocked, it unlocks the session key and allows access to the NetShare encrypted data.

When encrypting to many PGP Keys, special considerations apply.

Resolution

If many users need access, we recommend using the Group Key functionality, which can significantly reduce the number of PGP Keys needed, since the folders are encrypted only to the Group Keys. It also reduces the administrative cost of making the share available to new users and of removing access for existing users.

For more information on Group Keys, please consult the following KBs:
 
PGP NetShare Group Key FAQ's
http://www.symantec.com/docs/HOWTO61299

How do I create a new Group with a Group key?
http://www.symantec.com/docs/HOWTO61277

How do I export a PGP NetShare Group Key?
http://www.symantec.com/docs/HOWTO61281

How do I delete a Group Key?
http://www.symantec.com/docs/HOWTO61279

How do I remove a Group Key from a Group?
http://www.symantec.com/docs/HOWTO61278

How do I revoke a Group Key?
http://www.symantec.com/docs/HOWTO61280
 


Applies To

The information needed to access a NetShare folder is called the metadata. When a file is encrypted with PGP NetShare, the metadata, or blob, is added to the front of the file. The size of this blob varies depending on how many keys are added to the NetShare protected file/folder and how large the PGP keys are.

This blob contains the information for the PGP Keys and how to unlock the encrypted share. It may not be possible to state an exact number of keys, because key sizes vary from 1024 to 4096 bits. In theory, the maximum number of keys possible is somewhere around 1000. The larger the key size, the smaller the number of keys that can be used for encryption.
 
This metadata is stored in a header in front of each encrypted file, so you must take the size of this blob/metadata header into account. In theory, if a file were encrypted to 1000 keys, about 1 MB would be added to the front of the file.
 
Taking this example a bit further, if you had 1000 files, then in theory about 1000 MB of extra space would be needed to encrypt them. This is because all 1000 users would be accessing the 1000 files, and the blob is added to each file. Encrypting to 1000 users may be rare, but it is theoretically possible, so available hard drive space needs to be considered.
 
In addition, if this same directory with 1000 files also had 1000 folders in it, an additional 1000 MB of overhead would be needed, because the blob is also added to each folder for authentication.
 
In total, 2000 MB would be needed in this example: 1000 MB for the files and 1000 MB for the folders.
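
The sizing estimate above can be run against a real directory tree before it is protected. The following is an added planning example, not Symantec code: it assumes roughly 1 KB of header per key (derived from the article's "1000 keys, about 1 MB" figure; actual size varies with key size), and the function names are hypothetical.

```python
import os
import shutil

# Assumption taken from the article's example: 1000 keys add about 1 MB of
# header, i.e. roughly 1 KB per key. Real size varies with key size (1024-4096 bit).
BYTES_PER_KEY = 1_000_000 // 1000


def count_objects(root):
    """Count files and folders under root; each one carries its own metadata header."""
    files = folders = 0
    for _dirpath, dirnames, filenames in os.walk(root):
        folders += len(dirnames)
        files += len(filenames)
    return files, folders


def header_overhead(files, folders, keys, bytes_per_key=BYTES_PER_KEY):
    """Estimated extra bytes: one header per file and per folder, sized by key count."""
    return (files + folders) * keys * bytes_per_key


def plan(root, user_keys, group_keys=1):
    """Compare encrypting to every user key with encrypting to Group Keys only."""
    files, folders = count_objects(root)
    free = shutil.disk_usage(root).free
    per_user = header_overhead(files, folders, user_keys)
    per_group = header_overhead(files, folders, group_keys)
    return {
        "files": files,
        "folders": folders,
        "overhead_user_keys": per_user,
        "overhead_group_keys": per_group,
        "fits_user_keys": per_user <= free,
        "fits_group_keys": per_group <= free,
    }


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, value in plan(root, user_keys=1000).items():
        print(f"{name}: {value}")
```

Run it with the share's local path as the argument; the Group Key figure shows how much header overhead disappears when folders are encrypted to one Group Key instead of every user key.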