Expert Perspectives | 4 Min Read

Encrypted, Secured and Battle-Tested: Lessons From a Decade in Encryption Trenches

Part 2 of 2: The data at rest edition

  • Mitigating risk and keeping up with compliance both demand a deliberate strategy for encrypting data at rest.
  • Symantec File Share Encryption, File Encryption and Drive Encryption each play a key role in protecting stored information.
  • Certain common encryption mistakes can create security gaps—but are avoidable.

In the first installment of our two-part blog series, we unpacked how Broadcom’s Symantec Encryption Portfolio helps organizations protect data in motion, focusing on email encryption. We dove into Gateway Email Encryption, a server-based solution that secures messages using PGP keys, S/MIME certificates, password-protected PDFs and web portal access. We also examined Desktop Email Encryption, which delivers end-to-end and at-rest encryption for highly sensitive communications.

Now, we’re shifting gears to data at rest and how Broadcom’s encryption solutions protect stored information from unauthorized access. We’ll break down key products in the Symantec Encryption Portfolio, discuss real-world use cases and highlight common mistakes organizations make when securing their most sensitive data. 

Fortify data at rest in one suite

Attackers are always on the lookout for exposed data, and the information stored on endpoints, file servers and databases is a prime target. That’s why the Symantec Encryption Portfolio provides comprehensive protection for data at rest, in use and in motion through three key solutions: PGP® Encryption Suite, Gateway Email Encryption and PGP Command Line Encryption. 

In Part 1 of this blog series, we explored Gateway Email Encryption and Desktop Email Encryption, the latter of which is now part of the PGP Encryption Suite. This suite unites all the desktop encryption tools you need (previously licensed separately), including Desktop Email Encryption, File Share Encryption and Endpoint Encryption. Let’s take a closer look at how each works:

File Share Encryption

One of our portfolio’s hidden gems, File Share Encryption makes it easy to encrypt entire folders, including all files and subfolders. Once a folder is encrypted, authorized users who hold the decryption key keep working as usual: encryption and decryption happen transparently in the background at runtime.

Unlike costly and complex dedicated server platforms, File Share Encryption works on shared folders hosted on virtually any server. While there is a slight performance overhead when opening and saving documents, it’s generally unnoticeable in practice.

Common deployment mistakes and how to avoid them

  • Using individual user keys instead of group keys. Encrypting folders to individual user keys creates unnecessary complexity, because access then has to be maintained key by key. A better approach is to use group keys, where access is managed by group membership: all group members automatically gain access, and nobody has to manage individual keys. The corollary is that removing a user from the group is what revokes access, so joiner/mover/leaver hygiene on the group becomes the control you must get right.
  • Letting end users create protected folders. This may initially seem logical, but it quickly leads to unmanageable folder sprawl and lost access when users leave the organization. A more effective strategy is restricting folder creation and management to a dedicated admin group, while end users are only granted access to protected folders through group membership. 

File Encryption

While File Share Encryption secures entire folders, File Encryption encrypts individual files using PGP keys. This is one of the oldest uses of PGP (it is essentially what Phil Zimmermann’s original 1991 program did), but it remains highly relevant today. It’s especially useful for secure file exchanges with third parties and is often deployed when files are uploaded or downloaded via a file transfer gateway. Organizations also use it to encrypt files transferred between internal systems where security is a top priority.

Common pitfall: Lack of user education

Encryption is only as effective as the people using it. Employees, such as those in the finance department, are often suddenly required to use encryption without knowing the difference between public and private keys (you encrypt to the recipient’s public key; you keep and protect your own private key). Without proper training, they quickly run into issues. 

Drive Encryption

No encryption suite is complete without drive encryption. Our Endpoint Encryption solution delivers robust protection with features like single sign-on, a comprehensive web-based management console and seamless integration with PIV (Personal Identity Verification) cards. Our solution also supports offline disk recovery for access even in challenging scenarios. We also provide removable media encryption at the file level for flexibility beyond full-disk encryption.

Common pitfall: Handling disk issues incorrectly

Though rare, disk corruption can occur, and one of the most common mistakes is immediately attempting to decrypt the entire drive. However, with our solution, authentication to the disk is often still possible, allowing users to retrieve important files before resorting to full decryption or hardware replacement. Understanding this approach can save time, reduce data loss and simplify recovery efforts.

PGP Command Line

While our desktop products encrypt files interactively, PGP Command Line is designed for high-volume, scripted encryption and decryption. It is a standalone command-line tool, ideal for server-based encryption workflows on Windows, Linux and various Unix flavors.

Common pitfall: Not leveraging server-stored keys

One of the biggest mistakes I see customers make is overlooking the key security feature that sets PGP Command Line apart from open-source GnuPG: the ability to store private keys on the PGP server instead of locally. Like our desktop products, PGP Command Line can register with the PGP server, so the private key stays on the server and is used at runtime in the background. This eliminates the need to store passphrases in scripts or manage local private keys, for a significantly more secure and streamlined encryption process. Keep in mind that the protection then rests on the server’s access controls and on how the batch host authenticates to it, so review who and what is allowed to use each server-stored key.
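Before moving batch jobs to server-stored keys, it helps to find every script that already hands a passphrase to the encryption tool inline. The following is an added example, not Symantec’s or Broadcom’s code: a small POSIX shell audit that flags a `--passphrase` option followed by a literal value (the option name is the one both PGP Command Line and GnuPG document) while ignoring values supplied at runtime from a variable or command substitution. The two sample scripts, their file paths and the `vault` lookup in the clean sample are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not Symantec's or Broadcom's code): audit scripted encryption
# jobs for passphrases embedded on the pgp/gpg command line. Both PGP Command
# Line and GnuPG accept --passphrase; a literal after it is a secret in the script.

# make_samples: writes two constructed sample scripts into a temp dir and prints
# the dir. The commands inside are illustrative and are never executed here.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/bad_decrypt.sh" <<'EOF'
#!/bin/sh
# Anti-pattern: the passphrase lives in the script (and in version control)
pgp --decrypt /in/payroll.csv.pgp --passphrase "Winter2024!" --output /out/payroll.csv
EOF
    cat > "$d/ok_decrypt.sh" <<'EOF'
#!/bin/sh
# The passphrase is fetched at runtime from a secret store (hypothetical path)
PGP_PASS="$(vault kv get -field=passphrase secret/pgp/batch)"
pgp --decrypt /in/payroll.csv.pgp --passphrase "$PGP_PASS" --output /out/payroll.csv
EOF
    printf '%s\n' "$d"
}

# audit_passphrases DIR
#   Prints "<script>:<line>" for every line that hands a literal passphrase to
#   pgp/gpg. Returns 0 when no such line exists, 1 otherwise.
audit_passphrases() {
    dir="$1"
    # --passphrase, then a space or '=', an optional quote, then a character that
    # is not a quote, '$' or whitespace: a literal rather than "$VAR" or "$(cmd)".
    # --passphrase-fd and --passphrase-file do not match (no space/'=' follows).
    pat="--passphrase[ =]+[\"']?[^\"'\$[:space:]]"
    hits=0
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        # -e keeps grep from reading the leading "--" of the pattern as an option
        for n in $(grep -nE -e "$pat" "$f" | cut -d: -f1); do
            printf '%s:%s\n' "$(basename "$f")" "$n"
            hits=$((hits + 1))
        done
    done
    [ "$hits" -eq 0 ]
}

# Stand-alone demo: audit the constructed samples.
samples=$(make_samples)
if audit_passphrases "$samples"; then
    echo "no inline passphrases found"
else
    echo "inline passphrases found; move them to server-stored keys or a secret store"
fi
rm -rf "$samples"
```

Run it against your real job directory by calling `audit_passphrases /path/to/jobs`; a non-zero exit makes it easy to wire into CI so a passphrase cannot be committed back into a script after the migration.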

Final thoughts

Having worked with these technologies for years, I’ve seen firsthand how the right encryption strategies can make or break an organization’s security posture. If your team needs help avoiding these pitfalls and implementing best practices in your deployment journey, reach out to your trusted local partner for expert support. 

But if you’re just starting your encryption journey, it’s time to go deeper. Check out the solution brief, Protecting Against the Assumed Breach, for a rundown of your encryption options.


About the Author

Paul Welsh

Encryption Evangelist

Bringing more than 12 years of encryption experience, Paul Welsh works as a Technical Account Manager implementing Symantec Encryption solutions and supporting a number of Broadcom’s largest, most strategic customers, primarily in the financial services space.
