search cancel

Encryption algorithms used by Symantec Encryption Desktop and Symantec Endpoint Encryption


Article ID: 180748


Updated On:


Symantec Products


This article outlines the Encryption algorithms used by Symantec Encryption Desktop and Symantec Endpoint Encryption.


Both Symantec Encryption Desktop 10.4.2 and above and Symantec Endpoint Encryption 11.2.x and above use at least AES256 using CBC as the default cipher for Drive Encryption, although AES128 is available if needed.  The hashing algorithm is SHA256.  

See the SED 10.5 Users guide for details on this.

The SEE Helpdesk page also discusses this.


PGP Encoding Methods
All of the PGP Encryption solutions use OpenPGP standards for encryption.  The encoding methods are PGP/MIME, PGP Partitioned, and PGP-EML.  This makes PGP Encryption solutions widely compatible with most other solutions that use PGP for maximum interoperability. 

Symantec Encryption Desktop (PGP Desktop) and PGP Command Line use PGP Keys and has the capability to use AES256 for encryption should the recipient support this.  SED will always encrypt to the preferred algorithms specified on the key for backwards compatibility.  For example, multiple encryption algorithms are available such as  AES, CAST, TripleDES, IDEA or Twofish with supported hashes of SHA-2-256, SHA-2-384, SHA-2-512, RIPEMD-160 or SHA-1.  

Keys Generated by Symantec Encryption Management Server (PGP Server)
Similar to all the attributes of PGP Keys for the Symantec Encryption Desktop and PGP Command Line Products, the PGP Server generates keys with all the capabilities of the highest algorithms available.
A key generated on the PGP Server by default will have all these attributes. 

In the screenshot below, a PGP Key was generated on the Symantec Encryption Management Server, and then imported into PGP Command Line to view all the key details and attributes (As of version 10.5):

As can be seen above, all the latest ciphers and hashes are available for PGP Key encryption by default.

Symantec Endpoint Encryption Removable Media Encryption uses AES256 with a 256-bit key.


Both Symantec Encryption Desktop 10 and Symantec Endpoint Encryption 11 are NIST certified, which comply with current NIST requirements including strong ciphers for encryption. See the following articles for information on this:

Symantec Encryption Desktop NIST Certification.

Symantec Endpoint Encryption NIST Certification


Symantec Encryption Desktop 10.4.2 and above also use AES256 for file encryption.


Additional information for Symantec Encryption Desktop and how to tell which algorithm is being used:

To find out which algorithm was used on a machine that was PGP Whole Disk encrypted, the pgpwde utility must be used via the command line.

First, navigate to the proper directory:

C:\Program Files\PGP Corporation\PGP Desktop>

If using a 64-bit operating system, the proper directory is:

C:\Program Files <x86>\PGP Corporation\PGP Desktop>

Then run the following command:

pgpwde --status --disk 0 --xml --passphrase "passphrase here".  The following output will appear:

<?xml version="1.0"?>
<pgpwde version="1.0">
      <currentkey valid="true" alg="9"/>
      <oldkey valid="false" alg="9"/>
        <sectors total="625137664"/>
        <watermark high="625137664"/>
      <lockout enabled="true"/>
      <failures max="7"/>
      <wdrt used="false"/>
  <version>10.1.2 (Build 50).50</version>
  <timestamp>Mon Nov 14 12:27:24 2011</timestamp>

The section "currentkey valid="true" alg="9"/>" lists 9 as the current algorithm.

Alg: 9 corresponds to AES-256.
Alg: 7 corresponds to AES-128.


Note: Older versions of SED used PlumbCFB so to take advantage of the current standards, ensure you are running the latest version of these encryption products.  SED 10.4 and above is recommended.  SEE 11.3.0 and above is recommended.

PGP Key Encryption

All of the above algorithms are generally talking about Drive Encryption technologies and there are other encryption and hashing algorithms used by PGP key for file and email encryption.

Symantec Encryption Desktop uses encryption and hashing algorithms that are considered safe and secure.  Not all third-party encryption software ensures this is done.  From time to time older encryption and hashing algorithms may be used by third-party vendors and this is typically due to using outdated software.  Symantec recommends always staying on the latest versions of software so that you continue to use safe and secure encryption and hashing algorithms.  When encryption incompatibilities occur, it's typically due to using these older algorithms.  We list the below algorithms for convenience for our latest version of Symantec Encryption Desktop 10.5:

Supported Ciphers
AES-256 (Recommended)
AES-192 (Recommended)
AES-128 (Recommended)

Supported Hashing Algorithms
SHA-2 (256 bits - Recommended)
SHA-2 (384 bits - Recommended)
SHA-2 (512 bits - Recommended)
SHA-1 (not enabled by default)
RIPEMD-160 (Not enabled by default, not recommended, but available for backward compatibility)
MD5 (Fully deprecated, but available for backward compatibility)

Note: It is never recommended to use DES or MD5 or below and 3DES is generally not recommended at this point. It is advised to disable these algorithms and hashes from the key properties to allow for best compatibility and security for current-generation Encryption products.


Symantec Endpoint Encryption Database:

Symantec Encryption solutions offer a vast array of encryption options.  One such option is for Drive Encryption where the entire hard drive is encrypted.  Recovery Keys are available in case a user is unable to unlock with their password.  Recovery Keys are stored in the database for Symantec Endpoint Encryption and this is done securely.  These recovery keys are stored encrypted at rest and can be viewed only via a proprietary operation available via the Helpdesk Recovery portal by Help Desk administrators specifically designated for access with proper authentication.   Strong, Best-of-Class encryption is being used with asymmetric key encryption that is unique to each SEE Management Server installation to ensure highest security when working with recovery scenarios.    For more information on the Helpdesk Recovery, see our online help file

Additional Information

Historical Information for EOS Symantec Endpoint Encryption 8.x:

Symantec Endpoint Encryption 8.x also used strong encryption strength to product endpoints data at rest.   Although this version is no longer supported, it continues to be a strong application to secure devices.  From the SEE 8.x Installation Guide:

Either 128-bit or 256-bit AES encryption strength was allowed for Drive Encryption.