User:Larivact/trash/Disk encryption
Name | Encryption type | Availability | Implementation in | GUI | Cross-platform | Note |
---|---|---|---|---|---|---|
Loop-AES | block device | requires custom kernel | kernelspace | No | No | longest-existing one; possibly the fastest; works on legacy systems |
dm-crypt | block device | modules in default kernel; tools: device-mapper, cryptsetup | kernelspace | No | No | de-facto standard for block device encryption on Linux; very flexible |
TrueCrypt | block device | truecrypt | kernelspace | Yes | Yes | was well-established before it was abandoned for no apparent reason |
VeraCrypt | block device | veracrypt | kernelspace | Yes | Yes | maintained fork of TrueCrypt |
eCryptfs | stacked filesystem | modules in default kernel; tools: ecryptfs-utils | kernelspace | No | No | slightly faster than EncFS; individual encrypted files portable between systems |
EncFS | stacked filesystem | encfs | userspace (FUSE) | Optional | No | easiest one to use; supports non-root administration |
Comparison table
The column "dm-crypt +/- LUKS" denotes features of dm-crypt in both the LUKS ("+") and plain ("-") encryption modes. If a specific feature requires LUKS, this is indicated by "(with LUKS)". Likewise, "(without LUKS)" indicates that using LUKS is counter-productive for that feature and plain mode should be used instead.
Summary | Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS |
---|---|---|---|---|---|---|
Encryption type | block device | block device | block device | block device | stacked filesystem | stacked filesystem |
Note | longest-existing one; possibly the fastest; works on legacy systems | de-facto standard for block device encryption on Linux; very flexible | was well-established before it was abandoned for no apparent reason | maintained fork of TrueCrypt | slightly faster than EncFS; individual encrypted files portable between systems | easiest one to use; supports non-root administration; implemented in userspace (FUSE) |
Availability | requires custom kernel | modules in default kernel; tools: device-mapper, cryptsetup | truecrypt | veracrypt | modules in default kernel; tools: ecryptfs-utils | encfs |
License | GPL | GPL | TrueCrypt License 3.1 | Apache License 2.0, parts subject to TrueCrypt License v3.0 | GPL | GPL |
Cryptographic metadata stored in... | ? | with LUKS: LUKS header | begin/end of (decrypted) device (format spec) | begin/end of (decrypted) device (format spec) | header of each encrypted file | control file at the top level of each EncFS container |
Wrapped encryption key stored in... | ? | with LUKS: LUKS header | begin/end of (decrypted) device (format spec) | begin/end of (decrypted) device (format spec) | key file that can be stored anywhere | key file that can be stored anywhere |

Usability features | Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS |
---|---|---|---|---|---|---|
Support for automounting on login | ? | ✔ | ✔ | ✔ | ✔ | ✔ |
Support for automatic unmounting in case of inactivity | ? | ? | ? | ? | ? | ✔ |
Non-root users can create/destroy containers for encrypted data | ✖ | ✖ | ✖ | ✖ | limited | ✔ |
Provides a GUI | ✖ | ✖ | ✔ | ✔ | ✖ | ✔ |

Security features | Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS |
---|---|---|---|---|---|---|
Supported ciphers | AES | AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish, … (every cipher the kernel Crypto API offers) | AES, Twofish, Serpent | AES, Twofish, Serpent, Camellia, Kuznyechik | AES, Blowfish, Twofish, … | AES, Blowfish, Twofish, and any other ciphers available on the system |
Support for salting | ? | ✔ (with LUKS) | ✔ | ✔ | ✔ | ? |
Support for cascading multiple ciphers | ? | Not in one device, but block devices can be cascaded | ✔ (AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent) | ✔ (AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent) | ? | ✖ |
Support for key-slot diffusion | ? | ✔ (with LUKS) | ? | ? | ? | ? |
Protection against key scrubbing | ✔ | ✔ (without LUKS) | ? | ? | ? | ? |
Support for multiple (independently revocable) keys for the same encrypted data | ? | ✔ (with LUKS) | ? | ? | ? | ✖ |

Performance features | Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS |
---|---|---|---|---|---|---|
Multithreading support | ? | ✔ [5] | ✔ | ✔ | ? | ? |
Hardware-accelerated encryption support | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ [6] |

Compatibility & prevalence | Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS |
---|---|---|---|---|---|---|
Supported Linux kernel versions | 2.0 or newer | CBC mode since 2.6.4, ESSIV since 2.6.10, LRW since 2.6.20, XTS since 2.6.24 | ? | ? | ? | 2.4 or newer |
Encrypted data can also be accessed from Windows | ✔ (with CrossCrypt, LibreCrypt) | ? (with FreeOTFE, LibreCrypt) | ✔ | ✔ | ? | ? [7] |
Encrypted data can also be accessed from Mac OS X | ? | ? | ✔ | ✔ | ? | ✔ [8] |
Encrypted data can also be accessed from FreeBSD | ? | ? | ✔ (with VeraCrypt) | ✔ | ? | ✔ [9] |
Used by | ? | Debian/Ubuntu installer (system encryption); Fedora installer | ? | ? | Ubuntu installer (home directory encryption); Chromium OS (encryption of cached user data [10]) | ? |
- ^ A single file in those filesystems could be used as a container (a virtual loop-back device), but then one would no longer actually be using the filesystem (and the features it provides).
Block device encryption specific
Feature | Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt |
---|---|---|---|---|
Support for (manually) resizing the encrypted block device in-place | ? | ✔ | ✖ | ✖ |
Stacked filesystem encryption specific
Feature | eCryptfs | EncFS |
---|---|---|
Supported file systems | ext3, ext4, xfs (with caveats), jfs, nfs, … | ext3, ext4, xfs (with caveats), jfs, nfs, cifs, … |
Ability to encrypt filenames | ✔ | ✔ |
Ability to not encrypt filenames | ✔ | ✔ |
Optimized handling of sparse files | ✖ | ✔ |