Smartkeys replace both passphrase- and certificate-based encryption, and makes PK Protect unique. A Smartkey is a collection of encryption keys tied to an access control list (ACL). The ACL defines who can decrypt the data contained in an archive.
In addition to Smartkeys, you can open and decrypt any files using the OpenPGP (RFC 4880) standard. Create OpenPGP-based archives and use its encryption on any file (not just ZIP archives). Strong encryption can be done with a passphrase (symmetric key), a public/private key pair (asymmetric key) or both. When you encrypt using a public/private key pair, only the owner of the private key—called a recipient—can decrypt. Using both a passphrase and recipient certificates widens the number of people who can open the encrypted file, both those on the recipient list with the proper private key and anyone with the passphrase.
With passphrase-based encryption, the same passphrase is used to encrypt and to decrypt, and anyone who has the passphrase can decrypt. A passphrase is just a password. It is called a passphrase in the program to emphasize that these passwords can contain spaces and other non-alphanumeric symbols.
With certificate-based encryption, a certificate's public key is used to encrypt, and the certificate's private key is used to decrypt. The public and private keys are a pair of numbers associated with a digital certificate that together function like a very long, highly random passphrase.
The public key can be distributed to anybody who may want to use it to encrypt for the certificate's owner or to authenticate his digital signature. The private key, on the other hand, is never shared. The owner of the certificate uses the private key to attach his digital signature and to decrypt files encrypted specifically for him with his public key.
The advantage of certificate-based encryption is that you can encrypt for just the people you want to see your files. Only these people, whose certificates you use to encrypt, can decrypt the files.
The list of people for whom you encrypt using certificates is called a recipient list. The term is also used for the list of certificates.
Windows manages certificates and their keys for you. When a recipient runs PK Protect to extract files encrypted using the recipient's certificate, PK Protect finds and applies the certificate's private key to decrypt the files.
Before you can do certificate-based encryption, you must have access, for each intended recipient, to a copy of a digital certificate containing the public key.