SMB - Security advisor: Encryption for all

31.03.2006

Microsoft's EFS (Encrypting File System) has been available since Windows 2000. Although it has lots of critics, EFS really is good encryption. Unfortunately, you can't use it to encrypt the entire disk -- only files and folders -- and even then, not system files.

However, the two upper-level enterprise versions of Windows Vista will include a disk-encryption program called BitLocker. BitLocker will encrypt the entire system volume, including system and hibernation files. Users can then tap EFS to protect other volumes or files.

Configurable through group policy, EFS uses 128- and 256-bit AES keys, which can be stored offline or on a motherboard chip called the TPM (Trusted Platform Module). TPM requires a Trusted Computing Group-compliant motherboard, chip set, and BIOS. The recovery password can be saved to a folder, saved to one or several USB keys, or simply sent to a printer. A domain administrator can also configure group policy to automatically generate recovery passwords and transparently escrow them to Active Directory.

As with EFS and FileVault, the security of the OS still relies on using and securing a strong log-on password. BitLocker can be used in conjunction with a PIN, USB key, or smart card for multifactor authentication to increase security even more -- no more booting around Windows with a Linux boot disk to steal passwords or data.
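As an added example (not code from the column or from Microsoft), the following PowerShell audit checks the posture described above on one machine: the system volume is fully encrypted, the key protector is TPM-backed with a PIN rather than TPM alone, and a recovery password exists and is escrowed to Active Directory. It assumes the Windows BitLocker PowerShell module (Windows 8 / Server 2012 or later, not the Vista-era tooling the column discusses), an elevated session, and a domain-joined machine.

```powershell
# Added example: audit BitLocker on the OS volume and escrow recovery passwords to AD DS.
# Assumes the BitLocker module (Get-BitLockerVolume, Backup-BitLockerKeyProtector),
# elevation, and a domain-joined machine for the AD backup step.

$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$findings = @()

if ($osVolume.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "OS volume is $($osVolume.VolumeStatus), not FullyEncrypted"
}
if ($osVolume.ProtectionStatus -ne 'On') {
    $findings += "Protection is $($osVolume.ProtectionStatus) (suspended or off)"
}

# Multifactor pre-boot authentication means TPM plus a PIN (optionally a startup key too).
$types = $osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType }
if ($types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
    if ($types -contains 'Tpm') {
        $findings += 'TPM-only protector: add a PIN or startup key for multifactor pre-boot authentication'
    } else {
        $findings += 'No TPM-based key protector found on the OS volume'
    }
}

# Recovery password protectors are what gets escrowed to AD DS. The backup is
# idempotent, so re-running after a protector change refreshes the AD copy.
$recovery = $osVolume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    $findings += 'No recovery password protector: a lost PIN or TPM reset means lost data'
} else {
    foreach ($rp in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive `
                -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Host "Escrowed recovery password $($rp.KeyProtectorId) to AD DS"
        } catch {
            $findings += "AD escrow failed for $($rp.KeyProtectorId): $($_.Exception.Message)"
        }
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'BitLocker posture OK: encrypted, TPM+PIN, recovery password escrowed'
}
```

Run it across a fleet through a scheduled task or configuration-management job so machines that slipped to TPM-only or never escrowed their recovery password show up as warnings rather than as surprises at recovery time.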

Another commercial product I like is GuardianEdge Technologies' Encryption Plus. It does what BitLocker does, including key escrow and group policy management -- although it doesn't use a TPM chip. It can also encrypt data on CD-ROMs, DVDs, and PDAs, all of which should be included in any comprehensive enterprise encryption plan.