Frequently Asked Questions

SafeHouse supports DES, triple DES, Blowfish, Twofish and Rijndael. Rijndael was recently selected by NIST to replace DES as the preferred algorithm to be used by federal agencies. Both Twofish and Rijndael are offered in 128- and 256-bit key strengths. Blowfish is available in a variety of strengths up to 448 bits.

A 128-bit key has 3.4 x 10³⁸ possible values. That’s 10²¹ times stronger than a 56-bit DES key. The famous “DES Cracker” machines built in the late 1990’s could recover a 56-bit key in a matter of hours. If this time could subsequently be reduced to one second (meaning trying 2⁵⁵ keys per second), then it would take that same machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit key. To put this into perspective, the universe is believed to be less than 20 billion years old. Of course, if you need something stronger, SafeHouse still has you covered; offering two 256-bit ciphers and another at 448-bits.

SafeHouse supports administrative recovery of encrypted data using public/private key technologies. Prior to mass deployment, corporate administrators may optionally embed a specialized public key into the distributable copy of SafeHouse. In the event of an emergency, administrative access to the encrypted data can be obtained by using the corresponding administrative private key.

Click here to see a list of important changes and improvements introduced in version 2.00.

SafeHouse v2.00 is fully-compatible with volumes created with earlier versions of the software. The converse is also true as long as the encrypted volumes do not use the new encryption algorithms or 32-bit FAT features introduced in version 2.

Recent changes to U.S. export laws with regard to strong encryption now allow products such as SafeHouse to be freely exported to 23 countries provided that the software publisher has obtained a special license. PC Dynamics has been granted the required license to export our maximum strength version. Please see our export policies page for further information and a list of qualifying countries.

SafeHouse encrypted volumes may be safely backed up to other drives or tape. To do this in a way that remains secure, you must unmap the volume and back up the large volume file. This is the only way your data will be stored in an encrypted format. If instead, you map your volume and instruct your backup utility to back up the Windows drive letter used by the volume, then the saved files will not be encrypted.

The Shareware software does not include the Twofish or Rijndael encryption algorithms. Although the Shareware version does include DES and Blowfish, both are internally limitted to 40-bit encryption keys. Finally, the Shareware version allows only a small number of predefined passwords to be used. The Shareware version is very suitable for testing out product features and evaluating the benefits of the software. The freely-distributable Shareware version is not designed nor intended to be suitable for safe storage of your sensitive files. You must install the standard retail version of SafeHouse to ensure the safety of your confidential information. By purposefully reducing the strength of the Shareware version, PC Dynamics is able to comply with U.S. export laws pertaining to freely-distributable encryption software.

SafeHouse supports almost all authentication tokens that comply with the X.9 standard. This generally includes devices manufactured by ActivCard, CryptoCard, Enigma and similar competing products. The Shareware version of SafeHouse can be used to test compatibility with a specific device.

SafeHouse volumes residing on a public network server may be accessed by multiple users at the same time only if all users map the volume in read-only mode.

SafeHouse volumes are fully-compatible with CDROMs, CDRW and many other removable media devices. For read-only media such as CDRs, you must first create the encrypted volume file on a hard drive and then burn the file onto a CDR.

SafeHouse includes a deployment tool which allows corporate administrators to set a variety of installation options and then repackage the standard SafeHouse distributable setup program. This makes it easy for administrators to deploy the product in a way that conforms to predefined policies, even when users are required to remotely download and install the product from an intranet or private web site.

SafeHouse does not encrypt your entire hard drive. To do so would impose a significant performance impact and introduce countless compatibility conflicts. Instead, SafeHouse uses encrypted volume files. Encrypted volume files are standard files created on your hard drive to serve as containers for senstive information. The "magic" within the SafeHouse device driver makes Windows believe you have an additional hard drive attached to your system. Anything you save to the new drive letter is magically encrypted and saved within the encrypted volume files.

No, SafeHouse never needs to decrypt files when they are in use. This is a dangerous concept used by some competing products which leaves your data in the clear if you have an unexpected system crash or loss of power.

SafeHouse uses a master key to encrypt files within an encrypted volume. Changing the password causes only the master key to be re-encrypted. There is no need to reprocess all the files.

Absolutely not! SafeHouse passwords exist only in your own head. Any storing of passwords on hard drives is a major security breach.

Yes, volumes can be sent as email attachments if they are kept to a reasonable size. The recipient must have SafeHouse installed and be told the password before being able to access the contained files.

When you use Microsoft Word to open a document residing in a SafeHouse volume, Word creates its temporary file in the same directory, which causes the temporary file to be automatically encrypted.

PGP is generally known for email message encryption, whereas SafeHouse is used for local storage encryption.

No, RSA encryption is not designed to be used for encrypting massive amounts of data. The algorithms included in SafeHouse are optimized for large block encryption and are much better suited for the job.

When you create a new SafeHouse volume (container file) an encryption key is randomly generated by the software and is associated with the volume. This is the key which is used to encrypt your data. It does not change for the life of the volume. Separately, you are asked to choose a password for your volume. The password is hashed into a bit stream using the respected MD5 algorithm which is then used to encrypt the random data encryption key. This two-step process has the same degree of security as using your password to directly encrypt your data; however, it has the additional advantage of making password changes fast and simple since it is no longer necessary to re-encrypt the entire volume each time you change your password.

When volumes are created the software generates a random data encryption key. In addition to any normal password processing that is performed, when administrative key recovery is enabled, the random data encryption key is encrypted using the administrator's public key. In the event of an emergency, the administrator's private key can used to decrypt the random data encryption key. This process is cryptographically safe due to the nature of public/private key algorithms.

SafeHouse administrators can change passwords, but they cannot view them. This is similar to how passwords are managed for NT servers. By taking this approach, administrators trying to sneak a peek at confidential files by using their administrative recovery key would be quickly exposed because they would need to pick a new password for the volume which would be immediately noticed by the volume's owner.

PC Dynamics has no ability to help you recover lost passwords. If we did, then the product would not be secure because our employees could be vulnerable to personal attacks and possibly put the safety of your data at risk. When passwords are lost, the only way SafeHouse volumes are recoverable is by using the administrative recovery feature which must have been enabled by a corporate administrator prior to deploying SafeHouse.

To help give you an idea of the relative speed differences between the various encryption algorithms included in SafeHouse, we ran some tests and published the results in the table below. For each test, a 3GB SafeHouse volume was created and mapped to a Windows drive letter on a Windows 2000 PC equipped with a Pentium III 667Mhz CPU and 512MB RAM. The hard drive was a Maxtor 40GB 7200 RPM drive using a transfer speed of 66MHZ. The test involved a drag-n-drop copy of a directory tree containing 500 files of various sizes, totalling just over 1GB. In all cases, the internal format of the SafeHouse volume was FAT32; however, please note that similar tests using NTFS show little difference in speed.

The SafeHouse software has been designed to facilitate fast integration of new encryption algorithms and authentication devices in response to customer demands. If you have a corporate or OEM application that would benefit from the SafeHouse encrypted volume technology yet requires special support for third-party software or hardware, please contact PC Dynamics to discuss your requirements.

PC Dynamics plans to release a version of SafeHouse in 2Q 2002 which is compatible with Pocket PC devices such as the Compaq iPaq and HP Jornada PDAs. It is currently anticipated that the volume files for the desktop and PDA versions of SafeHouse will be interchangeable. PC Dynamics has not yet announced its plans with regard to the PALM OS.