Difference between revisions of "Disk encryption"

From ArchWiki
m (Created page with "Category:Security (English) Category:File systems (English) {{i18n|Disk Encryption}} {{Box RED|Note:|This article is a work in progress. It's intended as a proposal for a...")
 
(improved and extended comparison table)
Line 17: Line 17:
 
==Comparison Table==
 
==Comparison Table==
  
{| class="wikitable" style="text-align:center; cell-padding:100px; "
+
{| class="wikitable" style="text-align:center; vertical-align:top; cell-padding:100px; "
 
|-
 
|-
| colspan="2" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''summary:'''''
+
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''summary:'''''
! scope="col" | [[#loop-aes|Loop-AES]]
+
! scope="col" style="background:#E2E2E2" | Loop-AES
! scope="col" | [[#luks|dm-crypt + LUKS]]
+
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
! scope="col" | [[#truecrypt|Truecrypt]]
+
! scope="col" style="background:#E2E2E2" | Truecrypt
! scope="col" | [[#ecryptfs|eCryptfs]]
+
! scope="col" style="background:#E2E2E2" | eCryptfs
! scope="col" | [[#encfs|EncFs]]
+
! scope="col" style="background:#E2E2E2" | EncFs
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent; width:20px" |
 
| style="border-left-color:transparent; border-bottom-color:transparent; width:20px" |
! scope="row" style="text-align:left" | type  
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
type  
 
| colspan="3" | block device encryption
 
| colspan="3" | block device encryption
 
| colspan="2" | stacked filesystem encryption
 
| colspan="2" | stacked filesystem encryption
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | main selling points
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
| longest-exiting one; possibly the fastest; runs on legacy systems
+
main selling points
| de-facto standard for full disk encryption on Linux; very flexible
+
| longest-exiting one; possibly the fastest; works on legacy systems
 +
| de-facto standard for block device encryption on Linux; very flexible
 
| very portable, well-polished, self-contained solution
 
| very portable, well-polished, self-contained solution
 
| slightly faster than EncFS; individual encrypted files portable between systems
 
| slightly faster than EncFS; individual encrypted files portable between systems
| easiest one to use; allows non-root administration
+
| easiest one to use; supports non-root administration
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | availability in Arch Linux
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
availability in Arch Linux
 
| must manually compile custom kernel
 
| must manually compile custom kernel
 
| ''kernel modules:'' already shipped with default kernel; ''tools:'' {{Pkg|device-mapper}}, {{Pkg|cryptsetup}} [core]
 
| ''kernel modules:'' already shipped with default kernel; ''tools:'' {{Pkg|device-mapper}}, {{Pkg|cryptsetup}} [core]
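Review bot: the new `| longest-exiting one; possibly the fastest; works on legacy systems` line carries over the typo from the old revision; it should read "longest-existing one". The restyled column headers also drop the section anchors (`[[#loop-aes|Loop-AES]]` becomes plain `Loop-AES`, and the same for the other four), so readers lose the jump from the table to each method's section; keep the links inside the restyled header cells, e.g. `! scope="col" style="background:#E2E2E2" | [[#loop-aes|Loop-AES]]`.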
Line 48: Line 51:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | license
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
license
 
| GPL
 
| GPL
 
| GPL
 
| GPL
Line 55: Line 59:
 
| GPL
 
| GPL
 
|-
 
|-
| colspan="2" style="height:30px; border-color:transparent" |
+
| colspan="3" style="height:30px; border-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
|-
 
|-
| colspan="2" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''basic classification:'''''
+
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''basic classification:'''''
! scope="col" | Loop-AES
+
! scope="col" style="background:#E2E2E2" | Loop-AES
! scope="col" | dm-crypt + LUKS
+
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
! scope="col" | Truecrypt
+
! scope="col" style="background:#E2E2E2" | Truecrypt
! scope="col" | eCryptfs
+
! scope="col" style="background:#E2E2E2" | eCryptfs
! scope="col" | EncFs
+
! scope="col" style="background:#E2E2E2" | EncFs
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | encrypts...
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
encrypts...
 
| colspan="3" | whole block device
 
| colspan="3" | whole block device
 
| colspan="2" | files
 
| colspan="2" | files
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | container for encrypted data may be...
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
container for encrypted data may be...
 
| colspan="3" |
 
| colspan="3" |
 
* a disk partition
 
* a disk partition
 
* a file acting as a virtual partition
 
* a file acting as a virtual partition
| colspan="2" | a directory in an existing file system
+
| colspan="2" |
 +
* a directory in an existing file system
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | relation to filesystem
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
| colspan="3" | operates below the filesystem layer - doesn't care whether the content of the encrypted block device is a filesystem, an LVM setup, or whatever
+
relation to filesystem
| colspan="2" | adds an additional layer to an existing filesystem, to automatically decrypt/encrypt files whenever they're read/written
+
| colspan="3" | operates below the filesystem layer - doesn't care whether the content of the encrypted block device is a filesystem, a partition table, a LVM setup, or anything else
 +
| colspan="2" | adds an additional layer to an existing filesystem, to automatically encrypt/decrypt files whenever they're written/read
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | encryption implemented in...
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
encryption implemented in...
 
| kernelspace
 
| kernelspace
 
| kernelspace
 
| kernelspace
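Review bot: the rewritten "relation to filesystem" cell (`| colspan="3" | operates below the filesystem layer - doesn't care whether ... a LVM setup, or anything else`) regresses the article from the old revision's "an LVM setup"; restore "an LVM setup". The rest of the rewording (adding "a partition table", and pairing "encrypt/decrypt" with "written/read") is an improvement.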
Line 91: Line 100:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | cryptographic metadata stored in...
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
cryptographic metadata stored in...
 
| ?
 
| ?
 
| ?
 
| ?
Line 99: Line 109:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | wrapped encryption key stored in...
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
wrapped encryption key stored in...
 
| ?
 
| ?
 
| ?
 
| ?
Line 106: Line 117:
 
| control file at the top level of each EncFs container
 
| control file at the top level of each EncFs container
 
|-
 
|-
| colspan="2" style="height:30px; border-color:transparent" |
+
| colspan="3" style="height:30px; border-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
|-
 
|-
| colspan="2" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''practical implications of the above:'''''
+
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''practical implications of the above:'''''
! scope="col" | Loop-AES
+
! scope="col" style="background:#E2E2E2" | Loop-AES
! scope="col" | dm-crypt + LUKS
+
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
! scope="col" | Truecrypt
+
! scope="col" style="background:#E2E2E2" | Truecrypt
! scope="col" | eCryptfs
+
! scope="col" style="background:#E2E2E2" | eCryptfs
! scope="col" | EncFs
+
! scope="col" style="background:#E2E2E2" | EncFs
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | file metadata (number of files, dir structure, file sizes, permissions, mtimes, etc.) is encrypted
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
file metadata (number of files, dir structure, file sizes, permissions, mtimes, etc.) is encrypted
 
| colspan="3" | Yes
 
| colspan="3" | Yes
 
| colspan="2" | No<br>''(file and dir names can be encrypted though)''
 
| colspan="2" | No<br>''(file and dir names can be encrypted though)''
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | can be used to encrypt whole hard drives (including partition tables)
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
can be used to encrypt whole hard drives (including partition tables)
 
| colspan="3" | Yes
 
| colspan="3" | Yes
 
| colspan="2" | No
 
| colspan="2" | No
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | can be used to encrypt swap space
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
can be used to encrypt swap space
 
| colspan="3" | Yes
 
| colspan="3" | Yes
 
| colspan="2" | No
 
| colspan="2" | No
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | no need to allocate a fixed amount of space in advance for the encrypted data container
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
no need to allocate a fixed amount of space in advance for the encrypted data container
 
| colspan="3" | No
 
| colspan="3" | No
 
| colspan="2" | Yes
 
| colspan="2" | Yes
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc.
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc.
 
| colspan="3" | No
 
| colspan="3" | No
 
| colspan="2" | Yes
 
| colspan="2" | Yes
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | allows offline file-based backups of encrypted files
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
allows offline file-based backups of encrypted files
 
| colspan="3" | No
 
| colspan="3" | No
 
| colspan="2" | Yes
 
| colspan="2" | Yes
 
|-
 
|-
| colspan="2" style="height:30px; border-color:transparent" |
+
| colspan="3" style="height:30px; border-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
|-
 
|-
| colspan="2" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''usability features:'''''
+
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''usability features:'''''
! scope="col" | Loop-AES
+
! scope="col" style="background:#E2E2E2" | Loop-AES
! scope="col" | dm-crypt + LUKS
+
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
! scope="col" | Truecrypt
+
! scope="col" style="background:#E2E2E2" | Truecrypt
! scope="col" | eCryptfs
+
! scope="col" style="background:#E2E2E2" | eCryptfs
! scope="col" | EncFs
+
! scope="col" style="background:#E2E2E2" | EncFs
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | support for automounting on login
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
support for automounting on login
 
| ?
 
| ?
 
| ?
 
| ?
Line 165: Line 183:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | support for automatic unmounting in case of inactivity
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
support for automatic unmounting in case of inactivity
 
| ?
 
| ?
 
| ?
 
| ?
Line 173: Line 192:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | non-root users can set up / remove containers for encrypted data
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
non-root users can create/destroy containers for encrypted data
 
| No
 
| No
 
| No
 
| No
Line 181: Line 201:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | provides a GUI
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
provides a GUI
 
| No
 
| No
 
| No
 
| No
Line 188: Line 209:
 
| No
 
| No
 
|-
 
|-
| colspan="2" style="height:30px; border-color:transparent" |
+
| colspan="3" style="height:30px; border-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
|-
 
|-
| colspan="2" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''security features:'''''
+
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''security features:'''''
! scope="col" | Loop-AES
+
! scope="col" style="background:#E2E2E2" | Loop-AES
! scope="col" | dm-crypt + LUKS
+
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
! scope="col" | Truecrypt
+
! scope="col" style="background:#E2E2E2" | Truecrypt
! scope="col" | eCryptfs
+
! scope="col" style="background:#E2E2E2" | eCryptfs
! scope="col" | EncFs
+
! scope="col" style="background:#E2E2E2" | EncFs
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | supported ciphers
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
supported ciphers
 
| AES
 
| AES
 
| ?
 
| ?
 
| ?
 
| ?
| ?
+
| AES, blowfish, twofish...
 
| ?
 
| ?
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | support for salting
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
support for salting
 
| ?
 
| ?
 +
| Yes<br>(with LUKS)
 
| Yes
 
| Yes
| Yes *
 
 
| Yes<br>(mandatory)
 
| Yes<br>(mandatory)
 
| ?
 
| ?
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | support for chaining multiple ciphers
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
support for chaining multiple ciphers
 
| ?
 
| ?
 
| ?
 
| ?
Line 223: Line 247:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | support for key-slot diffusion
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
support for key-slot diffusion
 
| ?
 
| ?
| Yes *
+
| Yes<br>(with LUKS)
 
| ?
 
| ?
 
| ?
 
| ?
Line 231: Line 256:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | protection against key scrubbing
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
protection against key scrubbing
 
| Yes
 
| Yes
 
| ?
 
| ?
Line 239: Line 265:
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" | support for multiple (independently revokable) keys for the same encrypted data
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
support for multiple (independently revokable) keys for the same encrypted data
 
| ?
 
| ?
 +
| Yes<br>(with LUKS)
 +
| ?
 +
| ?
 +
| ?
 +
|-
 +
| colspan="3" style="height:30px; border-color:transparent" |
 +
| colspan="5" style="border-right-color:transparent" |
 +
|-
 +
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''performance features:'''''
 +
! scope="col" style="background:#E2E2E2" | Loop-AES
 +
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
 +
! scope="col" style="background:#E2E2E2" | Truecrypt
 +
! scope="col" style="background:#E2E2E2" | eCryptfs
 +
! scope="col" style="background:#E2E2E2" | EncFs
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
multithreading support
 +
| ?
 +
| No
 
| Yes
 
| Yes
 
| ?
 
| ?
 
| ?
 
| ?
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
hardware-accelerated encryption support
 
| ?
 
| ?
 +
| ?
 +
| Yes
 +
| Yes
 +
| ?
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
optimised handling of sparse files
 +
| ?
 +
| ?
 +
| ?
 +
| No
 +
| ?
 +
|-
 +
| colspan="3" style="height:30px; border-color:transparent" |
 +
| colspan="3" style="border-right-color:transparent" |
 +
| colspan="2" style="border-color:transparent" |
 +
|-
 +
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''block device encryption specific:'''''
 +
! scope="col" style="background:#E2E2E2" | Loop-AES
 +
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
 +
! scope="col" style="background:#E2E2E2" | Truecrypt
 +
| colspan="2" rowspan="2" style="border-color:transparent" |
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
support for (manually) resizing the encrypted block device in-place
 +
| ?
 +
| Yes
 +
| No
 +
|-
 +
| colspan="3" style="height:30px; border-color:transparent" |
 +
| colspan="3" style="border-color:transparent" |
 +
| colspan="2" style="border-right-color:transparent" |
 +
|-
 +
| colspan="3" style="border-left-color:transparent; border-right-color:transparent; text-align:left;" | '''''stacked filesystem encryption specific:'''''
 +
| colspan="3" rowspan="4" style="border-bottom-color:transparent" |
 +
! scope="col" style="background:#E2E2E2" | eCryptfs
 +
! scope="col" style="background:#E2E2E2" | EncFs
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
supported file systems
 +
| ext3, ext4, xfs (with caveats), jfs, nfs...
 +
| ?
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
ability to encrypt filenames
 +
| Yes
 +
| Yes
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
ability to ''not'' encrypt filenames
 +
| Yes
 +
| Yes
 
|-
 
|-
| colspan="2" style="height:30px; border-color:transparent" |
+
| colspan="3" style="height:30px; border-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
|-
 
|-
| colspan="2" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''performance features:'''''
+
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" | '''''compatibility & prevalence:'''''
! scope="col" | Loop-AES
+
! scope="col" style="background:#E2E2E2" | Loop-AES
! scope="col" | dm-crypt + LUKS
+
! scope="col" style="background:#E2E2E2" | dm-crypt + LUKS
! scope="col" | Truecrypt
+
! scope="col" style="background:#E2E2E2" | Truecrypt
! scope="col" | eCryptfs
+
! scope="col" style="background:#E2E2E2" | eCryptfs
! scope="col" | EncFs
+
! scope="col" style="background:#E2E2E2" | EncFs
 
|-
 
|-
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left" |  
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
|  
+
supported Linux kernel versions
|  
+
| 2.0 or newer
|  
+
| ?
|  
+
| ?
 +
| ?
 +
| 2.4 or newer
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" rowspan="3" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | encrypted data can also be accessed from...
 +
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | Windows
 +
| Yes*
 +
| Yes*
 +
| Yes
 +
| ?
 +
| ?
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | Mac OS X
 +
| ?
 +
| ?
 +
| Yes
 +
| ?
 +
| Yes*
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | FreeBSD
 +
| ?
 +
| ?
 +
| No
 +
| ?
 +
| Yes*
 +
|-
 +
| style="border-left-color:transparent; border-bottom-color:transparent" |
 +
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
 +
used by
 +
| ?
 
|  
 
|  
 +
* ''Arch Linux installer'' (system encryption)
 +
* ''Ubuntu alternate installer'' (system encryption)
 +
| ?
 +
|
 +
* ''Ubuntu installer'' (home dir encryption)
 +
* ''Chromium OS'' (encryption of cached user data)*
 +
| ?
 
|}
 
|}
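Review bot: the new compatibility rows introduce `| Yes*` (Windows access for Loop-AES and dm-crypt + LUKS, Mac OS X and FreeBSD access for EncFs) and `* ''Chromium OS'' (encryption of cached user data)*`, but nothing in the hunk defines what the asterisk means, while the old `Yes *` markers in the salting and key-slot diffusion rows were replaced by an explicit `(with LUKS)`. Either add a legend row below the table or spell the qualification out inline as was done for LUKS; otherwise the reader cannot tell what the caveat behind "Yes*" is.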

Revision as of 16:14, 10 November 2011


Note: This article is a work in progress. It's intended as a proposal for a new article, to be moved into the main wiki namespace after further discussion.


This article discusses common techniques available in Arch Linux for transparently encrypting / decrypting all data that is written to / read from a disk, or a logical part of a disk.

Why Use Encryption?

TODO: Merge intro section from "System Encryption with LUKS" here.

What Methods are Available for Disk Encryption?

TODO

Comparison Table

{| class="wikitable"
|-
! colspan="6" style="text-align:left" | ''summary''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! eCryptfs
! EncFs
|-
! type
| colspan="3" | block device encryption
| colspan="2" | stacked filesystem encryption
|-
! main selling points
| longest-existing one; possibly the fastest; works on legacy systems
| de-facto standard for block device encryption on Linux; very flexible
| very portable, well-polished, self-contained solution
| slightly faster than EncFS; individual encrypted files portable between systems
| easiest one to use; supports non-root administration
|-
! availability in Arch Linux
| must manually compile custom kernel
| ''kernel modules:'' already shipped with default kernel; ''tools:'' device-mapper, cryptsetup [core]
| truecrypt [extra]
| ''kernel module:'' already shipped with default kernel; ''tools:'' ecryptfs-utils [AUR]
| encfs [community]
|-
! license
| GPL
| GPL
| custom
| GPL
| GPL
|-
! colspan="6" style="text-align:left" | ''basic classification''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! eCryptfs
! EncFs
|-
! encrypts...
| colspan="3" | whole block device
| colspan="2" | files
|-
! container for encrypted data may be...
| colspan="3" |
* a disk partition
* a file acting as a virtual partition
| colspan="2" |
* a directory in an existing file system
|-
! relation to filesystem
| colspan="3" | operates below the filesystem layer; does not care whether the content of the encrypted block device is a filesystem, a partition table, an LVM setup, or anything else
| colspan="2" | adds an additional layer to an existing filesystem, to automatically encrypt/decrypt files whenever they are written/read
|-
! encryption implemented in...
| kernelspace
| kernelspace
| kernelspace
| kernelspace
| userspace (using FUSE)
|-
! cryptographic metadata stored in...
| ?
| ?
| ?
| header of each encrypted file
| control file at the top level of each EncFs container
|-
! wrapped encryption key stored in...
| ?
| ?
| ?
| key file that can be stored anywhere
| control file at the top level of each EncFs container
|-
! colspan="6" style="text-align:left" | ''practical implications of the above''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! eCryptfs
! EncFs
|-
! file metadata (number of files, dir structure, file sizes, permissions, mtimes, etc.) is encrypted
| colspan="3" | Yes
| colspan="2" | No (file and dir names can be encrypted though)
|-
! can be used to encrypt whole hard drives (including partition tables)
| colspan="3" | Yes
| colspan="2" | No
|-
! can be used to encrypt swap space
| colspan="3" | Yes
| colspan="2" | No
|-
! no need to allocate a fixed amount of space in advance for the encrypted data container
| colspan="3" | No
| colspan="2" | Yes
|-
! can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc.
| colspan="3" | No
| colspan="2" | Yes
|-
! allows offline file-based backups of encrypted files
| colspan="3" | No
| colspan="2" | Yes
|-
! colspan="6" style="text-align:left" | ''usability features''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! eCryptfs
! EncFs
|-
! support for automounting on login
| ?
| ?
| ?
| ?
| Yes
|-
! support for automatic unmounting in case of inactivity
| ?
| ?
| ?
| ?
| Yes
|-
! non-root users can create/destroy containers for encrypted data
| No
| No
| No
| No
| Yes
|-
! provides a GUI
| No
| No
| Yes
| No
| No
|-
! colspan="6" style="text-align:left" | ''security features''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! eCryptfs
! EncFs
|-
! supported ciphers
| AES
| ?
| ?
| AES, blowfish, twofish...
| ?
|-
! support for salting
| ?
| Yes (with LUKS)
| Yes
| Yes (mandatory)
| ?
|-
! support for chaining multiple ciphers
| ?
| ?
| Yes
| ?
| ?
|-
! support for key-slot diffusion
| ?
| Yes (with LUKS)
| ?
| ?
| ?
|-
! protection against key scrubbing
| Yes
| ?
| ?
| ?
| ?
|-
! support for multiple (independently revokable) keys for the same encrypted data
| ?
| Yes (with LUKS)
| ?
| ?
| ?
|-
! colspan="6" style="text-align:left" | ''performance features''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! eCryptfs
! EncFs
|-
! multithreading support
| ?
| No
| Yes
| ?
| ?
|-
! hardware-accelerated encryption support
| ?
| ?
| Yes
| Yes
| ?
|-
! optimised handling of sparse files
| ?
| ?
| ?
| No
| ?
|-
! colspan="6" style="text-align:left" | ''block device encryption specific''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! colspan="2" |
|-
! support for (manually) resizing the encrypted block device in-place
| ?
| Yes
| No
| colspan="2" |
|-
! colspan="6" style="text-align:left" | ''stacked filesystem encryption specific''
|-
!
! colspan="3" |
! eCryptfs
! EncFs
|-
! supported file systems
| colspan="3" |
| ext3, ext4, xfs (with caveats), jfs, nfs...
| ?
|-
! ability to encrypt filenames
| colspan="3" |
| Yes
| Yes
|-
! ability to ''not'' encrypt filenames
| colspan="3" |
| Yes
| Yes
|-
! colspan="6" style="text-align:left" | ''compatibility & prevalence''
|-
!
! Loop-AES
! dm-crypt + LUKS
! Truecrypt
! eCryptfs
! EncFs
|-
! supported Linux kernel versions
| 2.0 or newer
| ?
| ?
| ?
| 2.4 or newer
|-
! encrypted data can also be accessed from Windows
| Yes*
| Yes*
| Yes
| ?
| ?
|-
! encrypted data can also be accessed from Mac OS X
| ?
| ?
| Yes
| ?
| Yes*
|-
! encrypted data can also be accessed from FreeBSD
| ?
| ?
| No
| ?
| Yes*
|-
! used by
| ?
|
* ''Arch Linux installer'' (system encryption)
* ''Ubuntu alternate installer'' (system encryption)
| ?
|
* ''Ubuntu installer'' (home dir encryption)
* ''Chromium OS'' (encryption of cached user data)*
| ?
|}
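The security features rows above credit dm-crypt + LUKS with salting, key-slot diffusion and multiple independently revokable keys. Those three properties are visible in a LUKS header, so an administrator can verify them (and spot a key slot nobody remembers adding) from the output of cryptsetup luksDump. The script below is an added example, not part of the ArchWiki article or of cryptsetup itself: it parses the LUKS1 dump layout (Key Slot N: ENABLED/DISABLED followed by Salt and AF stripes lines) and reports which slots are enabled, whether every enabled slot is salted and diffused, and whether more slots are enabled than expected. The dump text is constructed to look like luksDump output; the function names and the expected-slot-count convention are the example's own.

```sh
#!/bin/sh
# Added example (not from the ArchWiki page or from cryptsetup): audit a LUKS1
# header dump for salts, anti-forensic key-slot diffusion (AF stripes) and the
# number of enabled key slots. SAMPLE_DUMP is CONSTRUCTED in the shape of
# `cryptsetup luksDump`; on a real system pass the live output instead.

SAMPLE_DUMP='LUKS header information for /dev/loop0

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
        Iterations:             123456
        Salt:                   ab cd ef 01 ab cd ef 01 ab cd ef 01 ab cd ef 01
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             123456
        Salt:                   10 fe dc ba 10 fe dc ba 10 fe dc ba 10 fe dc ba
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

# Print the numbers of the enabled key slots, one per line.
luks_enabled_slots() {
    printf '%s\n' "$1" | awk '/^Key Slot [0-9]+: ENABLED/ { sub(":", "", $3); print $3 }'
}

# Print how many key slots are enabled.
luks_enabled_slot_count() {
    luks_enabled_slots "$1" | wc -l | tr -d ' '
}

# Return 0 when every enabled slot carries a salt and more than one AF stripe
# (i.e. the wrapped key is salted and diffused), 1 otherwise.
luks_slots_diffused() {
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/     { enabled = 1; salt = 0; next }
        /^Key Slot [0-9]+: DISABLED/    { enabled = 0; next }
        enabled && /^[ \t]*Salt:/       { salt = 1 }
        enabled && /^[ \t]*AF stripes:/ { af = $3 + 0; if (salt == 0 || af <= 1) bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Report the enabled slots and warn when more are enabled than the
# administrator expects: an unexplained extra slot means an extra passphrase
# or keyfile can unlock the volume and should be investigated and revoked.
# Usage: luks_audit "<luksDump output>" <expected number of enabled slots>
luks_audit() {
    dump=$1
    expected=$2
    count=$(luks_enabled_slot_count "$dump")
    echo "enabled key slots: $(luks_enabled_slots "$dump" | tr '\n' ' ')"
    if luks_slots_diffused "$dump"; then
        echo "all enabled slots are salted and AF-diffused"
    else
        echo "WARNING: an enabled slot lacks a salt or AF diffusion"
    fi
    if [ "$count" -gt "$expected" ]; then
        echo "WARNING: $count slots enabled, expected $expected"
        return 1
    fi
    return 0
}

# Stand-alone run: the constructed dump has two enabled slots while the
# administrator expects one, so the warning fires (the audit returns 1).
# On a real host: luks_audit "$(cryptsetup luksDump /dev/sdX2)" 1
luks_audit "$SAMPLE_DUMP" 1 || :
```

The parser matches the LUKS1 dump layout, which is the format current at the time of this revision; LUKS2 headers print a different Keyslots: section and would need different patterns. The expected-slot-count check is the detection value here: LUKS allows up to eight independent keys for the same volume, so an inventory of which slots are populated, compared against what was deliberately provisioned, is how a defender notices a key that should not exist.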