15 Best Encryption Software & Tools for 2024

Encryption software tools obfuscate data to render it unreadable without a decryption key. Encryption protects data against unauthorized access or theft, yet the best tool to pick depends heavily on the use case and the solution’s fit with existing needs and resources. In my evaluation of tools, I selected three top solutions in five encryption categories: free file sharing, business file sharing, email, application layer, and end-to-end encryption.

The top encryption solutions are:

Top Free Encrypted File Sharing

  • 7-Zip: Best for worldwide use
  • GnuPG: Best for passwordless sharing
  • VeraCrypt: Best for ultra-private sharing

Top Business File Sharing Encryption

Top Email Encryption

Top Application Layer Encryption

Top End-to-End Encryption

Top Encryption Software Comparison

The following table provides the type of data encrypted and the pricing for each top solution:

| Solution | File & Folder Encryption | Full-Disk Encryption | Email Encryption | App Layer Encryption | Monthly Cost |
|---|---|---|---|---|---|
| 7-Zip | ✔️ | | | | Free |
| GnuPG | ✔️ | | | | Free |
| VeraCrypt | ✔️ | | | | Free |
| AxCrypt | ✔️ | | | | $12/user |
| NordLocker | ✔️ | | | | $29.99/2 TB |
| Trend Micro Endpoint Encryption | ✔️ | ✔️ | | | Perpetual License: $100/user; Annual Renewal: $20/user |
| Cisco | | | ✔️ | | $2.08/user |
| Paubox | | | ✔️ | | Standard: $37.70/user; Plus: $76.70/user; Premium: $89.70/user |
| Proton Mail | File sharing only | | ✔️ | | Essentials: $7.99/user; Business: $12.99/user; Enterprise & Non-Profit: contact for custom quotes |
| Opaque | | | | ✔️ | Contact for pricing |
| Thales | | | | ✔️ | Contact for pricing |
| Vaultree | | | | ✔️ | Contact for pricing |
| IBM Security Guardium | Application Servers | | | ✔️ | Contact for pricing |
| OpenText Voltage | File sharing only | | ✔️ | ✔️ | Contact for pricing |
| Virtru | File sharing only | | ✔️ | | Starter: $119/5 users; Business: $219/5 users |

✔️=Yes ❌=No/Unclear 

Top Free Encrypted File Sharing Software

The top free encrypted file sharing tools encrypt single files or folders for secure sharing with others. Small office and home office (SOHO) users or users with limited resources should choose one of these three free file sharing encryption tools: 7-Zip, GnuPG, or VeraCrypt.

7-Zip: Best for Worldwide Encrypted Free File Sharing

7-Zip is a free file sharing tool that delivers strong encryption security with worldwide acceptance. It offers support for 89 different foreign languages and most major character sets. First released in 1999, the tool regularly updates to fix bugs, add features, or increase the number of supported languages.

Pros

  • Works for Windows, Linux, and macOS
  • Free and open-source file encryption
  • Widely supported .7z file format

Cons

  • No formal customer support options
  • No centralized management option
  • Weak passwords weaken encryption

7-Zip is open-source and available to download for free.

  • 89 languages: Supports the broadest range of languages and supports many different character sets (Arabic, Chinese Simplified or Traditional, Hebrew, Japanese, etc.).
  • AES-256 encryption: Uses industry standard symmetric encryption for 7z and ZIP formatted files when using the encryption option.
  • Command line version: Permits calling 7z.exe through the operating system command line or through command line scripts for automatable functionality.
  • Intuitive UX: Enables quick user adoption and ease of use for both technical and non-technical users of all levels of capability.
  • Self-extracting option: Provides capabilities to share encrypted containers to users without 7-Zip as an .exe file that can open itself with a user’s double-click.

I selected 7-Zip because I’ve used it in professional settings for over 15 years to share files with internationally based colleagues, including forensic engineers and other security-sensitive professionals. The tried-and-true track record and wide acceptance of this tool ensure minimal user error when sharing files across a spectrum of skills, operating systems, and languages.

7-Zip encryption selection screenshot.

7-Zip provides excellent compression and simple encryption functionality, but for more complex encryption features consider VeraCrypt.

GnuPG: Best for Passwordless Encrypted Free File Sharing

The GNU Privacy Guard (GnuPG or GPG) is a free file sharing tool that also provides a unique option to generate public encryption keys to share files without exchanging passwords. With a track record of nearly 30 years of use, the tool continues to be trusted, updated, and built into other commercially available tools.

Pros

  • Easy to install and simple menu options
  • Open-source tool with decades of testing
  • Supports elliptic curve cryptography

Cons

  • No formal customer support
  • Requires more technical skill to use
  • Some commands require the command line

GnuPG is a free, open-source tool that comes pre-installed on many Linux distributions and can be downloaded for macOS and PC.

I selected GnuPG because of the shared public encryption key option that enables passwordless secure file sharing. The tool, which comes pre-installed in most Linux distributions, also supports Windows and macOS to enable file sharing with a broad number of users. GnuPG implements the heavily-tested Open Pretty Good Privacy (OpenPGP) open-source encryption standard.

  • Combined encryption modes: Uses symmetric-key for speedy local file and drive encryption and asymmetric public-key cryptography for file sharing.
  • Compression options: Reduces file sizes for sharing and storage by applying compression algorithms; users can select between zip, zlib, or bzip2 formats.
  • GNU Privacy Assistant: Stores and tracks users’ identities and public key components used in file sharing for encrypting and decrypting.
  • Multiple encryption options: Supports many different types of encryption algorithms (3DES, Blowfish, ECDH, RSA, etc.) as well as AES-256 (by default).
  • Supports major OS: Enables file sharing across platforms with Linux versions included in distributions, and macOS or Windows versions are also available for download.
GnuPG Privacy Assistant screenshot.

GnuPG provides very secure file exchange options but requires significant technical skill to use correctly. For an easier-to-use tool, consider 7-Zip.

VeraCrypt: Best for Ultra-Private Free File Sharing

VeraCrypt is an open-source free file sharing encryption software with unique capabilities. One feature can obfuscate file types, which labels the encrypted file to appear to be a different file type. Another option uses two different passwords for an encrypted container to show different content depending upon the password used. Users with strong secrecy needs can combine features to hide data effectively even against potentially involuntary password disclosure.

Pros

  • Can hide encrypted data in plain sight
  • Encryption uses AES, Serpent, Twofish, more
  • Pre-boot full-drive authentication option

Cons

  • Open-source with no formal support
  • Clumsy file sharing options
  • Dated graphical user interface (GUI)

VeraCrypt is both open-source and available for free download.

I chose VeraCrypt because it offers unique privacy features that can be used by a large range of users on Windows, macOS, and Linux systems. Developed by the French security experts from Idrix, VeraCrypt is a fork of the popular, but discontinued, open-source TrueCrypt encryption tool and continues to be developed and improved by Idrix and the VeraCrypt community.

  • File type obfuscation: Creates encrypted containers that can be named to appear to be any type of file (Ex: HomeMovie.mov) to hide the encrypted data from casual detection.
  • Flexible deployment: Offers full or partial drive encryption for USB flash, external, and internal hard drives with transparent, on-the-fly automatic encryption.
  • Hidden volumes: Uses different passwords for extra security where one password decrypts all contents and an alternative password only reveals some of the contents.
  • Nested encryption: Nests virtual containers within other encrypted containers, each with their own passwords and folder and file contents.
  • Speedy encryption: Applies parallelization and pipelining that allow data to be read and written as fast as unencrypted drives and also provides hardware-accelerated options.
VeraCrypt volume password screenshot.

VeraCrypt provides extremely private encryption options, but still requires passwords. For a passwordless option, consider GnuPG.

Top Business File Sharing Encryption Software

The best business file sharing encryption software delivers centralized control and additional features required for more professional network security, which are unavailable from free solutions. The top three options include AxCrypt, NordLocker, and Trend Micro Endpoint Encryption.

AxCrypt: Best for Simplified Business File Sharing

AxCrypt is a local file encryption and sharing tool that provides simplified administrator management of encryption master keys and subscription licenses. The tool supports laptops and desktops using Windows or macOS as well as iOS or Android mobile devices. AxCrypt encrypts local vaults on the devices or specific files and folders for sharing.

Pros

  • Supports Windows, macOS, iOS, Android
  • Full 30-day free trial
  • Dedicated business account support

Cons

  • Doesn’t support Linux endpoints
  • Only centralizes master key and licensing
  • Default doesn’t encrypt sub-folders

Pricing

  • Business: $12 per month per user
  • Annual discount: 20% discount for annual payments
  • Free trial: 30 days

I chose AxCrypt based on high customer satisfaction ratings, ease of deployment, and its basic functionality to provide local drive and shared file encryption. Admins will appreciate the simple administration that pushes more tedious file management tasks to end users.

  • Anonymous file names: Replaces encrypted folders and files entirely and replaces all names with encrypted versions for further obfuscation.
  • Encrypted file sharing options: Separates file and key sharing for options to share files through email or the company’s cloud storage (Box, Google Drive, OneDrive, etc.).
  • Master key: Provides business account manager with a master encryption key to enable recovery of passwords lost by users for drives, folders, or files.
  • Outside sharing: Enables sharing without distributing encryption keys through self-opening file formats, or recipients can use the free version of AxCrypt for file access.
  • Password management: Incorporates a password generator and manager to protect encrypted file passwords and maintain password strength.
AxCrypt Master Key screenshot.

AxCrypt provides simple management, but can’t enforce endpoint encryption or encryption use by individual users. For more enforcement, consider Trend Micro’s Endpoint Encryption.

NordLocker: Best for Cloud-Based Business File Sharing

NordLocker is a business file sharing encryption tool that deploys a software-as-a-service (SaaS) solution for businesses allowed to use cloud-hosted file sharing platforms. The management console enforces policy and provides recovery options for forgotten passwords. NordLocker synchronizes cloud vaults with designated user vaults, which makes it a good choice for small businesses that want quick deployment and centralized control.

Pros

  • Simple and easy-to-understand pricing
  • Centralized management of encryption keys
  • Minimal slowdown for encrypted folders

Cons

  • Doesn’t support full control over file storage
  • Users complain of lost files, slow uploads
  • Shared files must be cloud hosted

Pricing

  • Business: $29.99 per month for 2TB of cloud storage
  • Custom pricing: Available for additional storage needs
  • Free trial: 14 days

I find that NordLocker provides the typical turnkey experience expected from the Nord family of products that also includes NordVPN, NordLayer, and NordPass. Users can maintain separate local-only encrypted vaults unlimited in size or share files through designated cloud-sync folders. Administrators can manage encryption keys in the cloud for improved control, security, and recovery capabilities.

  • Browser accessible: Enables access through web browsers for sharing files outside of the organization or to support Linux devices.
  • Drag and drop: Automates local encryption and cloud synchronization seamlessly on the fly with a transparent and fast experience for end users.
  • Management-free cloud storage: Provides cloud storage managed and backed up by NordLocker with automated updates and no maintenance required.
  • Secure file sharing: Synchronizes internal business files for group sharing with delete, write, or read-only permissions as well as link and security code pairs for outside users.
  • Unlimited local locker encryption: Charges based on the amount of cloud storage without limiting the number of users or the amount of encrypted storage on endpoints.
NordLocker shared folder screenshot.

Sharing files through NordLocker requires placing the files into the cloud environment controlled by NordLocker. For more control over how to share files, consider AxCrypt.

Trend Micro Endpoint Encryption: Best for Managed Business File Sharing

Trend Micro Endpoint Encryption is a full-disk encryption tool that can also provide secure business file sharing. It deploys as an agent to deliver enterprise-wide, centrally managed, and fully enforceable full disk, file, folder, and removable media encryption. Admins can deploy agents to both company and user-owned devices to meet formal encryption and compliance reporting requirements.

Pros

  • Remote lock and kill for lost or stolen devices
  • Extends coverage to user-owned devices
  • Pre-boot encryption without a performance hit

Cons

  • Doesn’t support servers, Linux, mobile
  • Requires an additional agent installation
  • Opaque pricing compared to competitors

Pricing

  • Perpetual license: $100/user (estimated); contact Trend Micro or resellers for quotes
  • Annual renewal: $20/user (estimated); maintenance fee for updates and upgrades
  • Discounts: License bundles and volume discounts are available
  • Free trial: 30 days

I selected Trend Micro’s Endpoint Encryption solution because it enables centralized management control and can enforce compliance requirements such as full drive encryption and secure file sharing. Users can’t evade encryption or expose the business to unnecessary risk for the sake of convenience. The solution supports common PC and macOS devices and extends encryption functions to USB flash or portable hard drives.

  • Broad encryption options: Encrypts full volumes, files, and file folders and manages self-encrypting TCG OPAL or OPAL 2 SED drives.
  • Centralized management: Consolidates user management for endpoint protection, encryption, and other Trend Micro security products in a separately licensed console.
  • Encryption management: Pushes a dedicated agent to enforce endpoint policies through BitLocker (Windows) and FileVault 2 (macOS) built into the operating systems.
  • Real-time compliance: Enforces compliance requirements immediately and provides detailed compliance audits or reports by user, organizational unit, or device.
  • Transparent key management: Enables easy key encryption management and account recovery for both users and administrators.
Endpoint Encryption administrator device monitoring screenshot.

Trend Micro enforces strong encryption, but agent and management console installation can be burdensome. For faster deployment and simplified management, consider NordVault.

Top Email Encryption Software

The top email encryption tools provide secure email, seamless integrated experiences for users, and centralized reporting and control. The top general email products, Microsoft 365 and Google Mail, offer encryption options that fail to encrypt email sent to incompatible mail servers. To satisfy secrecy or compliance requirements without investing in a secure gateway, consider an email encryption tool from Cisco Secure Email, Paubox Email Suite, or Proton Mail.

Cisco Secure Email Encryption Service: Best for Microsoft Email Encryption

Cisco’s Secure Email Encryption Service provides a quick, easy, and inexpensive plug-in solution for the many users that rely on Microsoft Outlook and 365 email. It uses registered envelopes and a Cisco-hosted temporary vault to ensure that only the correct recipient receives both the message and the decryption key needed to read the encrypted message.

Pros

  • One-click email encryption
  • Multiple secure delivery methods
  • Admin reporting for compliance and tracking

Cons

  • Users must remember to encrypt email
  • Only supports Outlook and Microsoft 365
  • Reporting requires a separate plug-in

Some resellers list Cisco’s Secure Email Encryption Service at around $25 per user per year. However, Cisco doesn’t publish pricing, so contact Cisco or resellers for formal quotes.

I selected Cisco’s Secure Email Encryption Service because it delivers an easy solution for email encryption needs that users will immediately trust thanks to the Cisco brand name. The service uses a segregated email service that quickly integrates to users’ email accounts for minimal disruption. It’s available as a standalone service or an integrated feature of Cisco Secure Email gateways.

  • Easy to use: Provides senders and recipients with encrypted messages without any additional software, hardware, or new application installed at the endpoint.
  • Enhanced email controls: Allows emails to be recalled, to set expiration dates, receive receipts, and to allow or deny Forward, Reply, Reply-All options.
  • OS independent: Works in all browsers and is compatible with all devices that can access email, such as desktops, servers, and mobile devices.
  • Secure email recall: Changes the data expiration date for encrypted messages to immediately expire and render the message unreadable.
  • Two-step verification: Ensures the correct delivery by requiring recipients to register and authenticate identity in order to receive and open the encrypted email.
Cisco secure email recipient screenshot.

Cisco provides a good solution for Microsoft users, but doesn’t support Gmail. For a HIPAA-compliance-focused product with Gmail support, consider Paubox Email Suite.

Paubox Email Suite: Best for HIPAA-Compliant Email Encryption

The Paubox Email Suite is an email encryption tool optimized for compliance with the United States’ HIPAA regulations to protect healthcare information from unauthorized access. Although the Standard option provides effective email encryption, the Plus and Premium licenses add additional features such as geofencing, spam filtering, malware protection, data loss prevention (DLP), and voicemail transcription.

Pros

  • Read encrypted emails directly from inboxes
  • HIPAA-compliant calendar invites
  • Real-time analytics and reporting

Cons

  • Radically different user and admin dashboard
  • Focused primarily on USA’s HIPAA needs
  • Doesn’t protect downloaded attachments

Pricing

  • Standard: $37.70 per user per month
  • Plus: $76.70 per user per month, adds inbound email security features
  • Premium: $89.70 per user per month, adds DLP and voicemail transcription
  • Usage minimum: Minimum of 5 users
  • Discounts: 30% annual payment discount and volume discounts are available

I chose Paubox for this list because it supports all major business email platforms, implements quickly, and delivers important security and encryption functions even with the lowest level license. More than 5,000 customers trust the solution and send more than 99 million emails monthly.

  • Automated encryption: Requires no user training because all emails are encrypted by default without any passwords to memorize or track.
  • Built for HIPAA requirements: Includes business associate agreements, HITRUST CSF certified, US-only data centers, and all accounts require two-factor authentication.
  • Maximized deliverability: Updates key email domain authentication protocol records (SPF, DKIM, and DMARC) for all account levels to minimize spam folder deliveries.
  • Quick installation: Provides step-by-step instructions and integration support for website forms and backstage areas of the domain.
  • Seamless integration: Connects to existing Microsoft Windows Exchange, Microsoft 365, and Google Workspace email platforms without any user software or plug-ins.
Paubox admin mail activity screenshot.

Paubox delivers a focused solution for HIPAA compliance for specific users, but for a broader solution for an entire team or domain, consider Proton Mail.

Proton Mail: Best for Full-Domain Email Encryption

Proton Mail is an encrypted email solution to secure an entire email domain or company. The business license for this Swiss-based vendor bundles secure email, privacy, calendar, and VPN solutions to enable additional options for secure access and encrypted file sharing.

Pros

  • More than 10,000 businesses use Proton Mail
  • Mobile Apps available for iOS and Android
  • Open source and independently audited

Cons

  • Requires full email service migration
  • No telephone support options
  • No user logs: good privacy, bad for security

Pricing

  • Mail essentials: $7.99 per user per month, includes 10 email addresses, a VPN connection, and 15 GB of encrypted storage per user plus three email domains
  • Business: $12.99 per user per month, includes 15 email addresses, 10 VPN connections, and 500 GB per user plus 10 email domains and Hide My Email aliases
  • Enterprise and nonprofits: Contact Proton Mail for custom quotes and services
  • Discounts: Annual and multi-year pre-pay discounts are available

I selected Proton Mail for its privacy reputation and focus on a comprehensive encryption solution. Although founded in 2014 through crowdfunding by 10,000 individuals, the centralized management will satisfy most business needs even for the Mail Essentials license. The Business and Enterprise licenses deliver even more value with enterprise level features such as custom DNS, integrated two-factor authentication, and dedicated account managers.

  • Advanced sharing security: Deploys end-to-end encryption for internal emails and provides external emails with options for password protection and link expiration dates.
  • Bundled value: Combines Mail, Calendar, Drive, and VPN services and all accounts have contact groups management, calendar sharing, unlimited folders, labels, and filters.
  • Business friendly: Provides bulk user upload, HIPAA- and GDPR-compliant encryption, and a Business Admin Panel to easily manage employees and services.
  • Email management: Provides advanced filters for email sorting and prioritization, and third-party mail app integration for Outlook, Apple Mail and Thunderbird.
  • Secrecy focus: Automated encryption, based in Switzerland with strict privacy laws, and supports access from the anonymous Tor network.
Proton Mail admin screenshot.

Proton Mail requires full email service migration for users. For minimal user email disruption, consider single-user accounts using the Cisco Secure Email Encryption Service plug-in.

Top Application Layer Encryption (ALE) Software

The best application layer encryption (ALE) solutions encrypt application data to protect the modern app environment against breaches from exposed containers, web servers, database servers, and third-party services (shopping carts, credit card processing, etc.). The top ALE solutions to consider include Opaque Systems, Thales CipherTrust, and Vaultree.

Opaque Gateway: Best ALE for Multi-Party AI Collaboration

Opaque Systems’ Gateway provides a novel ALE solution through encryption defense in depth. The solution delivers a platform to share encrypted data collaboratively that starts with hardware enclaves that segregate encrypted data in memory, even from the operating system or the hypervisor. It then adds additional layers of encryption unique to each party for collaborative calculations and analysis of sensitive data without sharing the data itself.

Pros

  • Securely shares data from diverse sources
  • Cloud architecture scales and deploys quickly
  • Protects against data leaks and insider threat

Cons

  • Not suitable for all ALE needs
  • Service solution, doesn’t install locally
  • No licensing or pricing information published

Opaque doesn’t disclose pricing publicly, so contact them for a quote.

Opaque Systems earns my selection by providing a unique solution to enable secure and consolidated artificial intelligence (AI) analysis on segregated data sets. Different companies can mix data or a company can mix data from multiple regulated sources (EU, California, etc.) with the fully encrypted data protected against leak or commingled data risks.

  • Encrypted processing: Applies AI and machine learning (ML) analysis on encrypted data kept protected for the entire process.
  • Policy Enforcement: Builds in policy enforcement capabilities to support compliance requirements for internal or external data sharing and usage.
  • Multi-tiered security: Deploys hardware segregation and encryption across enclave clusters, segregated virtual machines, and customer-controlled encryption.
  • Multiple ML options: Supports classic learning models (linear regression, logistic regression, etc.) and advanced models such as gradient-boosted decision trees.
  • Secure sharing: Enables secure inter- and intra-company collaboration and analytics in which results, but not the sensitive data itself, can be shared for AI analysis.
Illustration of Opaque Systems encrypted intermediary process.

Opaque provides very focused encryption for sharing data for AI analysis, but for a more comprehensive solution for application encryption, consider Thales CipherTrust.

Thales CipherTrust: Best ALE for In-House App Data Encryption

The Thales CipherTrust Data Security Platform is an ALE solution that not only encrypts databases, but also tokenizes data inside the application and enables encryption key management. These capabilities extend encryption coverage further along data flows between apps, databases, and storage for more complete security. Customers can purchase components individually for partial solutions or purchase pre-packaged or cloud-services bundles.

Pros

  • Secures cloud and big data environments
  • Developer-friendly APIs
  • FIPS 140-2 Level 1 certified

Cons

  • Requires multiple licenses and products
  • Easy to misconfigure due to complexity
  • Unclear pricing and licensing requirements

Pricing

  • Component licensing: Requires multiple product licenses or appliance purchases
  • Pricing: Contact Thales for formal quotes for hardware, software and service prices

I picked the Thales solution because it provides flexible options for fully controlled application security throughout the development and deployment process. Their ALE platform combines Vormetric Application Encryption technology with the SafeNet ProtectApp solution with centralized management and software development and operations (DevOps) integration.

  • Centralized encryption management: Enables automated key management, encrypted databases, or application data and integrates with third-party solutions.
  • DevOps encryption options: Deploy symmetric keys on software development kit (SDK) servers or RESTful APIs to a tokenization server or security manager. 
  • Flexible deployment: Delivers individually licensed component physical and virtual solutions for key management or cloud hosted data protection on demand.
  • Fine-grained control: Enforces detailed authorization levels for encryption key access and use for both human and virtual users (applications, APIs).
  • Fully-controlled solution: Provides appliance and software solutions to integrate into a customer’s cloud, local, or hybrid data center.
CipherTrust Manager appliance admin screenshot.

Thales CipherTrust provides a comprehensive solution, but requires multiple tools to license, install, and integrate. For a more simple encryption-as-a-service option, consider Vaultree.

Vaultree: Best ALE for Fully-Encrypted Database Queries

Vaultree encrypts data for storage in databases and then encrypts future queries as well to perform encrypted searching. The Vaultree software development kit (SDK) provides plug-and-play encryption for any database client.

Pros

  • Once encrypted, never decrypted
  • Programming language agnostic
  • Proprietary encryption algorithms

Cons

  • Doesn’t provide broader app encryption
  • Not available for in-house deployment
  • Unclear licensing and pricing

Pricing

  • Pricing: Contact Vaultree for a quote
  • Demo: Free demonstrations are available

I selected Vaultree for its fully homomorphic data encryption and query capabilities as well as its focus on the delivery of a very specific service (encrypted queries). This makes their solution easier to understand to quickly determine fit for specialized database search needs.

  • Full customer control: Provides infrastructure for conversion and storage of encrypted data, but customers control cipher options and key management.
  • Fully encrypted: Converts plain text to encrypted queries using an app on the user’s machine, which then processes or stores on fully encrypted Vaultree databases.
  • GDPR exempt: Encrypts data fully from the database to the user so breaches would contain encrypted data, which qualifies for breach disclosure exemption under GDPR.
  • Quick deployment: Requires a lightweight local SDK Driver and a Vaultree database; no required changes to data access codes, app programming, network topography, etc.
  • Slim infrastructure: Reduces storage overhead, processing power, and time because of the far more efficient encryption processes.
Vaultree homomorphic encryption compared to tokenization.

Vaultree delivers fully encrypted database queries, but doesn’t solve other potential application encryption needs. For a broader app encryption solution, consider Thales CipherTrust.

Top End-to-End Encryption Solutions

The top end-to-end encryption solutions not only protect data at rest, in transit, and even during use, they also provide centralized management, encryption key management, and security tool integrations. These top multifaceted solutions include IBM Security Guardium, OpenText Voltage, and Virtru.

IBM Security Guardium Encryption: Best for End-to-End App Data Encryption

IBM’s Security Guardium Encryption suite provides end-to-end protection for application data across servers, applications, databases, and containers as well as options to manage encryption keys. These tools combine to fully encapsulate application data at rest, in motion, during analytics, and upon receipt from websites. They also integrate with other IBM enterprise offerings such as certificate management and data security solutions.

Pros

  • Encrypts data at rest and in use
  • Wizard-assisted and expedited deployment
  • Detailed logging of data access

Cons

  • Requires multiple licenses and installations
  • Data classification lacks incremental reporting
  • Lacks transparent pricing

Pricing

  • General pricing: Contact IBM for a quote
  • Pricing unit metric: Varies by solution required
    • Database encryption: Number of protected server nodes
    • Tokenization: Number of applications
    • Application encryption: Number of applications
    • Container data encryption: Number of virtual servers hosting containers
    • Key management: Number of connected instances (cloud, KMIP, TDE, MS)
    • Batch data transformation: One-time license fee

I chose IBM Security Guardium Encryption because of the tool’s industry reputation and comprehensive capabilities to protect application data in multiple use cases. The solution not only encrypts data within the application layer, but also provides options for integrated application infrastructure encryption (containers, servers, etc.). IBM’s research into fully homomorphic encryption adds further credibility to the company’s existing brand strength.

  • Centralized consistency: Enables centralized control and encryption management across local, cloud, hybrid, and multi-cloud data center environments.
  • Encryption key lifecycle management: Automates and manages full key lifecycle support from initialization, generation, and activation to rotation and deletion.
  • Obfuscation options: Offers options to tokenize or mask app data, or to encrypt data, files, databases, or containers individually or in batches.
  • Segregated access: Creates segregated admin and user duties based upon levels of security, domains, groups, devices, and more.
  • User-informed encryption levels: Incorporates Active Directory (AD) and other lightweight directory access protocol (LDAP) tools to manage user and group access.
IBM Security Guardium client encryption setup screenshot.

IBM Security Guardium Encryption protects applications, but won’t cover file sharing or user endpoint encryption. For a more comprehensive solution, consider OpenText Voltage.

OpenText Voltage Best for End-to-End Self-Hosted Encryption


The OpenText Voltage end-to-end encryption solution encompasses a full range of enterprise needs such as file encryption, encrypted email, mobile encryption, secure file collaboration, PCI payment encryption, key management, and more. OpenText provides flexible licensing options and customers can deploy the software locally, in the cloud, or in hybrid environments.

Pros

  • Deploys format-preserving encryption
  • Easy-to-create policies by user and group
  • FIPS 140-2 and Common Criteria validated

Cons

  • Complex licensing and opaque pricing
  • Encrypted emails difficult to read on mobile
  • Many different tools complicate installation

Pricing

  • Pricing: Contact OpenText for a quote
  • License metric: Varies by product and includes event or data volume, named app, etc.
  • License options: Perpetual, subscription, and SaaS
  • Discounts: Multi-year and license bundle discounts are available

I picked OpenText Voltage because its many different encryption solutions will protect the widest range of enterprise needs. The solutions integrate with each other and with third-party tools for enterprise-friendly centralized control, policy consistency, and consolidated reporting to existing security tools. OpenText Voltage was formerly known as Micro Focus Voltage or HPE Voltage.

  • Agnostic protection: Deploys platform-, application-, and OS-independent file protection, even for email or file sharing platforms (OneDrive, Box, etc.).
  • Encrypted in-use: Applies format-preserving encryption and data masking for analytics, indexing, and search, and applies tokenization of data for web browser form entry.
  • Flexible deployment: Installs to on-premises, cloud, or hybrid hosted environments and works seamlessly with Office 365, BlackBerry Enterprise Server, and more.
  • Real-time information: Provides monitoring and alerts, integrates with security information and event management (SIEM), and generates reports of sensitive files and data.
  • Smart Cipher encryption: Encases files in embedded policies that analyze content during creation, encrypt automatically based on policy, and travel with the file.
Voltage structured data risk analysis screenshot.

OpenText Voltage covers enterprise needs end-to-end, but many will struggle to price and manage the complex solution. For clear pricing and less complexity, consider Virtru.

Virtru Best for End-to-End Zero-Trust Access Governance


The Virtru end-to-end encryption solution provides transparent pricing and zero-trust access by wrapping data in Trusted Data Format (TDF) files. TDF files granularly track permissions, expirations, and revocations, and they remain fully encrypted to provide end-to-end access governance even after delivery.

Pros

  • Simple and transparent pricing
  • Supports encrypted search
  • End-to-end file sharing and email protection

Cons

  • Virtru emails can be flagged as spam
  • No application layer encryption protection
  • Email body images convert to attachments

Pricing

  • Starter: Starts at $119 per month, includes 5 users, billed annually for Gmail and Outlook
  • Business: Starts at $219 per month, includes 5 users, billed annually and adds secure file sharing, single sign-on (SSO) support, and more
  • Custom: Contact the vendor for a quote for more than 50 users

I selected Virtru because of its transparent pricing, encryption capabilities, and compliance reporting support. Founded in 2011, the solution builds on the TDF standard developed by Virtru co-founder Will Ackerly and currently serves over 6,700 customers. Unlike simple file sharing and email encryption solutions, Virtru automatically encrypts without a hosted portal requirement, enables self-hosted solutions, and provides encryption key management solutions.

  • Advanced options: Customizes security and usability settings such as DLP policy protection, actionable intelligence, identity management, and company-branded logos.
  • Built-in data control: Provides data loss protection (DLP) even if data is shared, and users can pull back emails after sending by revoking access permissions at any time.
  • Centralized management: Enables policy setup, access controls, and optional key management through the cloud-hosted Control Center for administrators.
  • Compliance friendly: Supports policies and reporting to conform to a variety of standards such as GDPR, HIPAA, FedRAMP, ITAR, and more.
  • Integration options: Connects to platforms and tools such as Google Workspace, Zendesk, Salesforce, SIEM, and security orchestration, automation & response (SOAR).
Virtru email rules admin screenshot.

Virtru enables secure file sharing, but doesn’t protect application data. To provide end-to-end protection for application data, consider IBM Security Guardium Encryption.

Quantum Encryption Solutions

Despite some availability, quantum chips suffer errors and stability issues, so encryption cracking with quantum computers remains a few technology generations away. However, many organizations with high security concerns look to develop quantum-safe cryptography ASAP in preparation for this eventuality. 

The US National Institute of Standards and Technology (NIST) approved quantum-safe cryptographic algorithms, and other research informs the following initial quantum resistant encryption solutions:

For those unwilling to become early adopters, current encryption standards can remain quantum-resistant through the use of larger key sizes, layers of encryption, and careful encryption key management.

How to Choose the Best Encryption Software for Your Business

The top benefit for all encryption is that the software scrambles data to render breached information unreadable. However, encryption tools focus on specific types of data and different tools offer different levels of protection, compliance support, integration complexity, maintenance, and control.

The best encryption software will maximize the pros (improved security and decreased breach damages) as well as minimize the cons (slower performance and increased resource drain). Fortunately, the four-phased process to identify, match, compare, and test potential solutions provides an effective guide to identify the best encryption software for your business needs.

1. Identify True Encryption Needs & Minimum Requirements

The first step requires an internal needs assessment to determine the requirements that any potential encryption solution must meet.

  • Key data: Examine and classify the data that requires protection, locate data storage, track data transmission channels, and determine what or who accesses key data.
  • Systems: Check for opportunities to enhance encryption in key-data-related systems such as encrypting the storage drives that host sensitive databases.
  • Compliance regulations: Compare data against potential regulations (privacy, payment information, etc.) and determine required encryption, tests, and reports.
  • Organizational needs: Consider that minimum compliance requirements (ex: AES-128) might not meet internal risk reduction needs compared to stronger encryption.
  • Technical resources: Examine internal resources realistically to determine the available bandwidth, skills, and infrastructure limitations into which a solution must fit.

2. Match Encryption Candidates Against Identified Needs

After internal need identification, check the potential solutions in the market to determine what encryption tools satisfy the requirements.

  • Encryption category: Select a solution that fits the identified data, system, compliance regulations, and corporate needs (file encryption for files, etc.).
  • Encryption requirements: Choose encryption solutions that match minimum requirements and provide options for even stronger encryption algorithms or techniques.
  • Reporting requirements: Examine reporting options to check if the solution can adequately detect usage or produce documentation to satisfy compliance requirements.
  • Technical resources: Contrast the tool requirements against the bandwidth and technical capabilities of internal teams and service provider partners.
  • Financial resources: Compare initial and ongoing licensing costs, expected labor costs, and any potential additional infrastructure costs against expected budgets.

3. Compare Encryption Solutions That Matched Requirements

A good number of tools should match the requirements, so the next step is to compare these solutions against each other to create a ranked list of contenders.

  • Adoption requirements: Estimate installation, integration, and deployment requirements for time, difficulty, technical level, and expense.
  • Maintenance requirements: Investigate the components to maintain, internal resources needed, update trends, and what will be maintained by the vendor.
  • User experience: Examine the user installation and use experience and then check against the user base technical level and tolerance for process changes.
  • Non-essential options: List the options and features above minimum requirements that may improve security or admin and user experience.
  • Resource demands: Total the adoption, maintenance, and licensing financial costs and time demands.

4. Test the Top-Ranked Encryption Solutions

A comparison yields a short list of contending encryption solutions, so now comes the test drive to see if the theory matches the actual performance.

  • Admin experience: Verify that the level of complexity to manage users, enforce encryption, and manage encryption keys matches expectations and requirements.
  • User experience: Confirm that users can easily adopt the new encryption tool and check to ensure users can’t easily evade the tool.
  • Performance hit: Install the solution on typical user and infrastructure systems to verify minimal or at least acceptable system resource slowdown.
  • Customer service: Check that the help a vendor can provide in case of trouble matches the needs and expectations of the users and admin team.
  • Security stack fit: Verify that the encryption solution can integrate with the existing security stack for protection, monitoring, and reporting.

At the end of this process, pick your favorite solution that passed all of the remaining tests. Just keep in mind that encryption only provides one layer of security and doesn’t provide a magic solution that eliminates all other security risks.

How I Selected This List of Encryption Solutions

To develop this list of 15 solutions, I first researched encryption categories to determine the major business needs and encryption types. Then, based upon product reviews, industry discussions, and industry rankings, the list was narrowed to the top candidates based on tool features, price, prominence, integrations, centralized encryption controls, key management, and other available options.

Encryption is frequently added as a feature of other tools such as endpoint detection and response. Encryption-accelerating hardware can also be added to various computer systems as an option to enhance security. However, this article expects potential encryption tool buyers to be focused on standalone solutions instead of features or options. Therefore, I excluded such partial solutions from this list.

Bottom Line: Start with Today’s Requirements, but Look Ahead

Breached data costs a company far more when it is unencrypted. When breached data is encrypted, the company is protected against regulatory disclosure requirements, lawsuits, regulatory fines, and more. Put encryption in place now to protect against a breach.

However, future quantum computing advances will break the minimum encryption standards in place today. Today’s safe encrypted data breach may become tomorrow’s exposed data. Start investigating opportunities to apply more advanced encryption, multiple layers of encryption, or other additional safeguards today to defend against future threats.

To deploy effective encryption, consider learning about best practices for strong encryption.

Chad Kime Avatar
