Encryption algorithms used by Symantec Encryption Desktop and Symantec Endpoint Encryption

Article ID: 180748

Products

Symantec Products

Issue/Introduction

This article outlines the encryption algorithms used by Symantec Encryption Desktop (SED) and Symantec Endpoint Encryption (SEE).

Resolution

Both Symantec Encryption Desktop 10.4.2 and above and Symantec Endpoint Encryption 11.2.x and above use AES-256 in CBC mode as the default cipher for Drive Encryption, although AES-128 is available if needed. The hashing algorithm is SHA-256.

See the SED 10.5 User's Guide for details.

The SEE Helpdesk page also discusses this.


Symantec Encryption Desktop uses PGP keys and can use AES-256 for encryption when the recipient supports it. For backward compatibility, SED always encrypts with the preferred algorithms specified on the recipient's key. Several encryption algorithms are available, such as AES, CAST, TripleDES, IDEA and Twofish, with supported hashes of SHA-2-256, SHA-2-384, SHA-2-512, RIPEMD-160 and SHA-1.


Both Symantec Encryption Desktop 10 and Symantec Endpoint Encryption 11 are NIST certified and comply with current NIST requirements, including strong ciphers for encryption. See the following articles for information:

Symantec Encryption Desktop NIST Certification

Symantec Endpoint Encryption NIST Certification


Symantec Encryption Desktop 10.4.2 and above also uses AES-256 for file encryption.


Additional information for Symantec Encryption Desktop and how to tell which algorithm is being used:

To find out which algorithm was used on a machine that was PGP Whole Disk encrypted, use the pgpwde utility from the command line.

First, navigate to the proper directory:

C:\Program Files\PGP Corporation\PGP Desktop>

If using a 64-bit operating system, the proper directory is:

C:\Program Files (x86)\PGP Corporation\PGP Desktop>

Then run the following command (the passphrase is passed as a command-line argument, so it is visible in the shell history):

pgpwde --status --disk 0 --xml --passphrase "passphrase here"

The following output will appear:

<?xml version="1.0"?>
<pgpwde version="1.0">
  <diskstatus>
    <id>0</id>
    <instrumented>true</instrumented>
    <encryptionprocess>
      <running>false</running>
    </encryptionprocess>
    <sessionkeys>
      <currentkey valid="true" alg="9"/>
      <oldkey valid="false" alg="9"/>
    </sessionkeys>
    <volumes>
      <volume>
        <sectors total="625137664"/>
        <watermark high="625137664"/>
        <id>C</id>
      </volume>
    </volumes>
    <scheme>Partition</scheme>
    <auth>
      <lockout enabled="true"/>
      <failures max="7"/>
      <wdrt used="false"/>
    </auth>
  </diskstatus>
  <version>10.1.2 (Build 50).50</version>
  <timestamp>Mon Nov 14 12:27:24 2011</timestamp>
</pgpwde>

The element <currentkey valid="true" alg="9"/> reports 9 as the current algorithm.

alg="9" corresponds to AES-256.
alg="7" corresponds to AES-128.
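Reading the status XML by hand works for one machine; across a fleet the same output can be parsed and checked against the defaults this article describes. The following Python script is an added example and is not part of the Symantec article or the pgpwde tool. It embeds the sample output shown above as constructed test data, extracts the session-key algorithm, lockout settings and client version, and returns findings for anything that departs from AES-256, lockout enabled and SED 10.4 or later. Only algorithm codes 9 (AES-256) and 7 (AES-128) are confirmed by the article; the remaining entries in the script's table are an assumption that pgpwde uses the OpenPGP symmetric-algorithm identifiers (RFC 4880 section 9.2), which the two confirmed values match.

```python
"""Parse `pgpwde --status --disk N --xml` output and report the Drive Encryption
cipher in use.  Added example, not part of the Symantec article or pgpwde."""
import xml.etree.ElementTree as ET

# Only 9 (AES-256) and 7 (AES-128) are confirmed by the article.  The other
# entries are an ASSUMPTION that pgpwde uses the OpenPGP symmetric-algorithm
# IDs (RFC 4880 section 9.2), which the two confirmed values match.
ALG_NAMES = {
    1: "IDEA", 2: "TripleDES", 3: "CAST5",
    7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish",
}
RECOMMENDED = {"AES-128", "AES-192", "AES-256"}  # the article's recommended ciphers
MIN_VERSION = (10, 4)                             # "SED 10.4 and above is recommended"

# Constructed sample: the status output reproduced in the article.
SAMPLE_STATUS = """<?xml version="1.0"?>
<pgpwde version="1.0">
  <diskstatus>
    <id>0</id>
    <instrumented>true</instrumented>
    <encryptionprocess>
      <running>false</running>
    </encryptionprocess>
    <sessionkeys>
      <currentkey valid="true" alg="9"/>
      <oldkey valid="false" alg="9"/>
    </sessionkeys>
    <volumes>
      <volume>
        <sectors total="625137664"/>
        <watermark high="625137664"/>
        <id>C</id>
      </volume>
    </volumes>
    <scheme>Partition</scheme>
    <auth>
      <lockout enabled="true"/>
      <failures max="7"/>
      <wdrt used="false"/>
    </auth>
  </diskstatus>
  <version>10.1.2 (Build 50).50</version>
  <timestamp>Mon Nov 14 12:27:24 2011</timestamp>
</pgpwde>
"""

def client_version(version_text):
    """Return (major, minor, patch) from a <version> string such as
    '10.1.2 (Build 50).50'; None if it cannot be parsed."""
    try:
        return tuple(int(p) for p in version_text.split()[0].split("."))
    except (AttributeError, IndexError, ValueError):
        return None

def parse_pgpwde_status(xml_text):
    """Extract the fields relevant to a cipher/compliance check."""
    root = ET.fromstring(xml_text)
    ds = root.find("diskstatus")
    if ds is None:
        raise ValueError("no <diskstatus> element in pgpwde output")
    cur = ds.find("sessionkeys/currentkey")
    alg = int(cur.get("alg")) if cur is not None and cur.get("alg") else None
    lockout = ds.find("auth/lockout")
    failures = ds.find("auth/failures")
    return {
        "disk": int(ds.findtext("id")),
        "instrumented": ds.findtext("instrumented") == "true",
        "encrypting": ds.findtext("encryptionprocess/running") == "true",
        "alg_id": alg,
        "alg_name": ALG_NAMES.get(alg, f"unknown({alg})"),
        "current_key_valid": cur is not None and cur.get("valid") == "true",
        "volumes": [v.findtext("id") for v in ds.iterfind("volumes/volume")],
        "lockout_enabled": lockout is not None and lockout.get("enabled") == "true",
        "max_failures": int(failures.get("max")) if failures is not None else None,
        "version": client_version(root.findtext("version")),
    }

def assess(status):
    """Return findings; an empty list means the disk matches the defaults the
    article describes (AES-256, lockout enabled, SED 10.4 or later)."""
    findings = []
    if not status["instrumented"]:
        findings.append("disk is not instrumented for Drive Encryption")
    if status["encrypting"]:
        findings.append("encryption is still in progress")
    if not status["current_key_valid"]:
        findings.append("current session key is reported invalid")
    if status["alg_name"] not in RECOMMENDED:
        findings.append(f"cipher {status['alg_name']} is not a recommended AES cipher")
    elif status["alg_name"] != "AES-256":
        findings.append(f"cipher {status['alg_name']} is below the AES-256 default")
    if not status["lockout_enabled"]:
        findings.append("pre-boot authentication lockout is disabled")
    ver = status["version"]
    if ver is None or ver[:2] < MIN_VERSION:
        shown = ".".join(map(str, ver)) if ver else "unknown"
        findings.append(f"client version {shown} is below the recommended SED 10.4")
    return findings
```

In use, feed `parse_pgpwde_status` the text captured from `pgpwde --status --disk 0 --xml --passphrase "..."` instead of `SAMPLE_STATUS`; for the sample above it reports AES-256 with lockout enabled, and the only finding is that the 10.1.2 client predates the recommended SED 10.4.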


Note: Older versions of SED used PlumbCFB, so to take advantage of the current standards, ensure you are running the latest version of these encryption products. SED 10.4 and above is recommended; SEE 11.3.0 and above is recommended.

PGP Key Encryption

The algorithms above generally concern Drive Encryption; PGP keys used for file and email encryption involve additional encryption and hashing algorithms.

Symantec Encryption Desktop uses encryption and hashing algorithms that are considered safe and secure. Not all third-party encryption software ensures this. From time to time third-party vendors may use older encryption and hashing algorithms, typically because they are running outdated software. Symantec recommends always staying on the latest versions of software so that you continue to use safe and secure encryption and hashing algorithms; when encryption incompatibilities occur, they are typically due to these older algorithms. For convenience, the algorithms supported by the latest version of Symantec Encryption Desktop, 10.5, are listed below:

Supported Ciphers
AES-256 (Recommended)
AES-192 (Recommended)
AES-128 (Recommended)
TripleDES
CAST
IDEA
Twofish

Supported Hashing Algorithms
SHA-2 (256 bits - Recommended)
SHA-2 (384 bits - Recommended)
SHA-2 (512 bits - Recommended)
SHA-1 (not enabled by default)
RIPEMD-160 (not enabled by default; not recommended, but available for backward compatibility)
MD5 (fully deprecated, but available for backward compatibility)

Note: DES, MD5 and weaker algorithms should never be used, and 3DES is generally not recommended at this point. It is advised to disable these ciphers and hashes in the key properties, which gives the best compatibility and security with current-generation Encryption products.