User:Svito/Disk encryption

From ArchWiki
Comment: Experiment page for Disk encryption#Comparison table.

Comparison tables

| Name | Encryption type | Availability in Arch | Implementation | GUI | Cross-platform | Note |
| --- | --- | --- | --- | --- | --- | --- |
| Loop-AES | block device | requires custom kernel | kernel | No | No | longest-existing one; possibly the fastest; works on legacy systems |
| dm-crypt | block device | modules in default kernel, device-mapper, cryptsetup | kernel | No | No | de-facto standard for block device encryption on Linux; very flexible |
| TrueCrypt | block device | truecrypt | kernel | Yes | Yes | was well-established before it was abandoned for no apparent reason |
| VeraCrypt | block device | veracrypt | kernel | Yes | Yes | maintained fork of TrueCrypt |
| eCryptfs | stacked filesystem | modules in default kernel, ecryptfs-utils | kernel | No | No | slightly faster than EncFS; individual encrypted files portable between systems |
| EncFS | stacked filesystem | encfs | userspace (FUSE) | Optional | No | easiest one to use; supports non-root administration |

The row "dm-crypt +/- LUKS" denotes features of dm-crypt for both LUKS ("+") and plain ("-") encryption modes. If a specific feature requires using LUKS, this is indicated by "(with LUKS)". Likewise, "(without LUKS)" indicates that using LUKS is counter-productive for achieving the feature and plain mode should be used instead.

Storage location

| Name | Cryptographic metadata | Wrapped encryption key |
| --- | --- | --- |
| Loop-AES | ? | ? |
| dm-crypt +/- LUKS | with LUKS: LUKS Header | with LUKS: LUKS header |
| TrueCrypt | begin/end of (decrypted) device | begin/end of (decrypted) device |
| VeraCrypt | begin/end of (decrypted) device (format spec) | begin/end of (decrypted) device (format spec) |
| eCryptfs | header of each encrypted file | key file that can be stored anywhere |
| EncFs | control file at the top level of each EncFs container | key file that can be stored anywhere [1][2] |

Usability features

| Name | Automounting on login | Unmounting on inactivity | Unprivileged containers |
| --- | --- | --- | --- |
| Loop-AES | ? | ? | No |
| dm-crypt +/- LUKS | Yes | ? | No |
| TrueCrypt | with systemd and /etc/crypttab | ? | No |
| VeraCrypt | with systemd and /etc/crypttab | ? | No |
| eCryptfs | Yes | ? | Limited |
| EncFs | Yes | Yes | Yes |

Security features

| Name | Ciphers | Salting | Cascading multiple ciphers | Key-slot diffusion | Key scrubbing protection | Multiple independently revocable keys |
| --- | --- | --- | --- | --- | --- | --- |
| Loop-AES | AES | ? | ? | ? | Yes | ? |
| dm-crypt +/- LUKS | AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish,… (every cipher the kernel Crypto API offers) | with LUKS | Not in one device, but block devices can be cascaded | with LUKS | without LUKS | with LUKS |
| TrueCrypt | AES, Twofish, Serpent | Yes | AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent | ? | ? | ? |
| VeraCrypt | AES, Twofish, Serpent, Camellia, Kuznyechik | Yes | AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent | ? | ? | ? |
| eCryptfs | AES, Blowfish, Twofish... | Yes | ? | ? | ? | ? |
| EncFs | AES, Blowfish, Twofish, and any other ciphers available on the system | ? | No | ? | ? | No |

Performance features

| Name | Multi-threaded | Hardware accelerated |
| --- | --- | --- |
| Loop-AES | ? | Yes |
| dm-crypt +/- LUKS | Yes [3] | Yes |
| TrueCrypt | Yes | Yes |
| VeraCrypt | Yes | Yes |
| eCryptfs | ? | Yes |
| EncFs | ? | Yes [4] |

Compatibility and prevalence

| Name | Linux version | Windows accessible | Mac OS accessible | FreeBSD accessible | Usage by other distributions |
| --- | --- | --- | --- | --- | --- |
| Loop-AES | 2.0 or newer | via CrossCrypt, LibreCrypt | ? | ? | ? |
| dm-crypt +/- LUKS | CBC-mode since 2.6.4, ESSIV 2.6.10, LRW 2.6.20, XTS 2.6.24 | via FreeOTFE, LibreCrypt | ? | ? | Debian/Ubuntu installer (system encryption), Fedora installer |
| TrueCrypt | ? | Yes | Yes | via VeraCrypt | ? |
| VeraCrypt | ? | Yes | Yes | Yes | ? |
| eCryptfs | ? | ? | ? | ? | Ubuntu installer (home dir encryption), Chromium OS (encryption of cached user data [5]) |
| EncFs | 2.4 or newer | ? [6] | Yes [7] | Yes [8] | ? |

Block device encryption specific

| Name | In-place device resizing |
| --- | --- |
| Loop-AES | ? |
| dm-crypt +/- LUKS | Yes |
| TrueCrypt | No |
| VeraCrypt | No |

Stacked filesystem encryption specific

| Name | Encrypted filenames | Non-encrypted filenames | Optimized sparse files | Supported file systems |
| --- | --- | --- | --- | --- |
| eCryptfs | Yes | Yes | No | ext3, ext4, xfs (with caveats), jfs, nfs... |
| EncFs | Yes | Yes | Yes | ext3, ext4, xfs (with caveats), jfs, nfs, cifs... [9] |