Updated August 16, 2005
In Part 1 of this review, I looked at the history behind PGP Corp., the PGP method of email and disk encryption, and provided a general overview of the PGP Universal gateway encryption product.
In this second and final part, I will focus on how the product actually functions, and will examine all of the different components of PGP Universal Series 500.
A PGP Universal server begins life in something called Learn Mode. Learn Mode consists of the server proxying mail and creating keys for users as usual, but not encrypting or signing any mail it sends. This allows a server to safely generate keys for users and show administrators how different mail would be encrypted if Learn Mode were not active. But it doesn't incur the nasty overhead of actually having to encrypt and sign messages while simultaneously generating keys for all of the users in the internal domain. Once enough keys have been generated, Learn Mode can be deactivated and encryption can begin.
While in Learn Mode, you are also able to set up and test policies for encrypting mail. Everything about PGP Universal's encryption system, such as who to encrypt mail to, what to do for recipients without a key and whether to use OpenPGP or S/MIME to encrypt messages, is controlled at the policy level. (Figure 1)
Figure 1: The mail encryption policy screen
(Click image for more detail)
I established a default policy that would apply to every domain that mail was sent to, and then established several contingencies and exceptions for messages. These exceptions could apply to both message subjects and recipient domains, and I established policies for both.
For the recipient domain, I specified foobar.net (our old friend Bob's domain) and specified that all mail being sent to this domain should be encrypted. For the message subject, I followed the reviewer's guide provided by PGP Corp. and specified "payroll" as the subject.
Setting up policies for message subjects seemed a little counter-intuitive, as it used the same interface as the recipient domain policy setup. Also, in order for message subjects to be considered for encryption the "Apply special policy to messages flagged as Confidential" option had to be selected.
Another thing that would have been nice is wildcard support for domains, which could be used, for example, to send only plaintext mail with no encryption options to top-level domains from countries where encryption is illegal.