Full-disk encryption (FDE) tools: A buyer's guide
A collection of articles that takes you from defining technology needs to purchasing options
This is part of a series on the top full disk encryption products and tools in the market. For more, check out our FDE product roundup.
Symantec Endpoint Encryption provides full disk encryption (FDE) capabilities for the internal hard drives of desktops, laptops and servers. FDE ensures that all data on the drive is stored encrypted, so an attacker who obtains the drive cannot read the sensitive data on it, so long as the desktop, laptop or server is powered off or (in the case of a laptop) in a hibernate state. FDE does not protect a system that is running and unlocked, and a laptop that is merely asleep rather than hibernated still holds the encryption key in memory. Symantec Endpoint Encryption also includes storage encryption for removable media, such as USB flash drives and external hard drives.
The Symantec Endpoint Encryption product was first released in October 2014, replacing the Symantec Drive Encryption product. Unlike some other vendors, Symantec makes a single version of its Endpoint Encryption software.
It is intended to be centrally managed via the Symantec Endpoint Encryption Management Server product, which must be hosted in an Active Directory domain.
Since Symantec Endpoint Encryption is a new product, it is only supported on relatively new Windows operating system (OS) versions, as follows: Microsoft Windows 8.1 Enterprise and Professional, Microsoft Windows 8 Enterprise and Professional, Microsoft Windows 7 Ultimate, Enterprise and Professional, Microsoft Windows Server 2012 Datacenter and Standard, and Microsoft Windows Server 2008 Enterprise and Standard.
Encryption and authentication support
Symantec Endpoint Encryption supports the Advanced Encryption Standard (AES) with either 128-bit or 256-bit keys. Both key sizes are well beyond practical brute force; 256-bit keys offer additional margin against future advances. In practice the weakest link in any FDE deployment is not the AES key size but the user credential that unlocks the disk key, so passphrase policy and authentication choices (covered below) matter more than choosing 256 over 128.
Being a brand new product, Symantec Endpoint Encryption has not yet been Federal Information Processing Standard (FIPS) 140-2-validated, but the validation process is in progress. FIPS 140-2 validation indicates that a product's cryptographic module has been independently tested for conformance to the standard: approved algorithms, correct implementation of those algorithms and the required key-management and self-test behavior. Validation does not indicate that a product is free of flaws; it shows only that the tested module met the standard's requirements at the time of testing, and it says nothing about the software surrounding the module.
Multifactor authentication is supported by Symantec Endpoint Encryption, along with integration with Active Directory services. The FDE product can use cryptographic tokens and smart cards as forms of authentication in addition to passwords.
Symantec Endpoint Encryption offers self-service password recovery for users, as well as help desk-provided password recovery. Some organizations do not permit self-service because of the relative ease of compromising it through social engineering attacks. The help desk-provided option gives these enterprises another way of offering a recovery feature without the risk inherent in self-service, though it shifts the burden to the help desk, which must verify the caller's identity through a channel the attacker does not control before issuing a recovery response.
Another helpful authentication feature that Symantec Endpoint Encryption offers is mitigation of brute-force authentication attacks, typically against passwords. If there are too many failed authentication attempts in a row on a device (with the number determined by the administrator), the system can be configured to automatically add delays between subsequent authentication attempts, thus slowing down an attacker. Or the system can be configured to lock out the user and require either the self-service password recovery feature or the help desk-provided recovery option to regain access to the system. As with any pre-boot lockout, this only limits guessing at the pre-boot prompt; an attacker who images the disk can attempt guesses offline, where only the cost of the key derivation and the strength of the passphrase apply.
As mentioned above, Symantec Endpoint Encryption is designed for centralized management via the Symantec Endpoint Encryption Management Server product. This means it is intended for enterprise use and not for use by individuals or by smaller enterprises that do not practice centralized management.
Symantec sells copies of Symantec Endpoint Encryption through its website and through channel partners. As with other commercial FDE solutions, Symantec licenses its product by device (e.g., desktop, laptop, server).
Here is the retail pricing as of November 2014.
Symantec offers a free trial of Symantec Endpoint Encryption.
Symantec Endpoint Encryption provides FDE and removable media encryption capabilities for desktops, laptops and servers running newer Windows versions. It is not a viable enterprise-wide option for organizations running Mac OS X desktops and laptops, nor is it suitable for organizations running older versions of Windows on desktops, laptops and servers.
Symantec Endpoint Encryption's authentication, encryption and centralized management capabilities are on par with competing commercial products. Because the product has its own dedicated management server, whether the adopting enterprise already runs other Symantec products makes no difference to integration. In other words, existing Symantec customers have no advantage over customers of other vendors.
Get more reviews of other full disk encryption products featured in this series: McAfee Complete Data Protection, Sophos SafeGuard, Microsoft BitLocker, Dell Data Protection | Encryption, Check Point Full Disk Encryption, DiskCryptor and Apple FileVault 2.