Document encryption and security is a consideration for even the smallest business. While many applications such as Word provide a modicum of security via password protection of documents, such protection mechanisms are weak, and would be considered by a determined document thief as an inconvenience rather than a serious protection mechanism. ArticSoft's FileAssurity OpenPGP attempts to solve this problem by bringing strong, public-key-based protection to document storage and distribution. There are two components to the package: the main application itself, and a freely distributable ‘reader’ application that you can distribute with encrypted documents in order that the recipient can open and decrypt them. We ran both on Windows XP Pro machines for this review. Cryptic
The idea of PGP – or any public key encryption system for that matter – is that each party in an information exchange has a pair of difficult-to-guess ‘keys’, one ‘private’ and one ‘public’. Each key is a string of bytes, preferably randomly generated. As it sounds from the description, the ‘public’ key is made available to the world at large, and the ‘private’ one is kept secret. When someone wants to send you a document privately, he or she encrypts it using a well-known algorithm and your public key, and from this point on it can only be decrypted by someone who knows the private key. After document encryption, the second aspect of information exchange is authentication. If someone sends you a document, you need to be sure that it's from the person you think it's from, and so the concept of a ‘certificate of authenticity’ exists to make this possible. In a nutshell, the sender of a document registers its identity (with a central ‘certification authority’ for public Internet transmissions, or via any secure communication mechanism if transmissions are to be within a closed user group) along with its public and private keys, and this information is used to ensure that the sender is who he or she says they are. FileAssurity takes precisely this approach to sending documents. Before you can send a document to someone, you need to generate your public and private keys (the system actually makes them up for you) and tell the system your name, address and email details. Once you've done this, you can make your public key available to all and sundry, though you keep the private key to yourself. When you want to send a document, you'll need the public key of the person you're sending it to. Once you've obtained it, you tell the control panel to sign the document as yourself, and to address it to one or more of the people whose public keys you've imported into the package (when someone sends you their key, you just run it through the import wizard and it'll appear in the list that the encryptor gives you). The system will then grind away and produce a PGP-encrypted version that you can send out. When the recipient gets your document, they need two things. First, they need to have set up a private key (which they should already have done, as you needed their private key to encrypt it in the first place). Second, they need your public key and identification certificate so they can check that it really was you that sent the file. If you've registered your existence with a certification authority, the package should pick this up, and go fetch the information it needs over the Net, but for our test we simply passed the public key to the recipient on a floppy. Assuming everything's in order, the system checks that the key and sender information are correct, and that the file's not been changed since it was created, and then extracts it to wherever you choose. From this point on it's just a file, and you can use it as if it had never been encrypted. Although we've concentrated on the PGP bit of the package, it shouldn't be forgotten that the OpenPGP support is actually an extra feature on top of an existing document security product. So you also get features such as ‘hard deletion’ (where the system will overwrite a file several times in order to eradicate its existence) and the ability to select a file from within the FileAssurity window and have it emailed to someone as an attachment. The latter was distinctly underwhelming - it didn't seem to encrypt it before attaching it for instance (postscript: the company says this has been fixed for new version though we haven't yet tested it). This all said, though, the encryption and authentication stuff does appear to work acceptably, and is simple to use at both the sender and recipient end. The fact that the system uses a separate reader application makes it potentially more secure than simply sending all files as self-extracting archives. For the latter one can use things like MD5 signatures to verify that files haven't been changed in transit, and although the navigator isn't all that Windows-savvy (e.g. to find your desktop folder, you have to go grovelling in C:\Documents and Settings) at least you can drag-and-drop from Windows onto the application, so we'll forgive it that sin.

OUR VERDICT

ArticSoft is a bit cheaper than the ‘official’ PGP enterprise product for commercial entities. If you're a private individual or a not-for-profit entity, though, the alternative at www.pgp.com is free.