Difference between revisions of "Disk encryption"

From ArchWiki
(replaced "Yes"/"No" in table cells by colored checkmark/cross UTF8-symbols)
m (improved comparison table formatting)
Line 17: Line 17:
 
===Comparison Table===
 
===Comparison Table===
  
{| class="wikitable" style="text-align:center; vertical-align:top; cell-padding:100px; "
+
{| class="wikitable" style="text-align:center; cell-padding:100px; "
 
|-
 
|-
 
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" |
 
| colspan="3" style="border-left-color:transparent; border-top-color:transparent; text-align:left;" |
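Review bot: replacing the table-wide "vertical-align:top" with a "valign" attribute on every row trades a CSS declaration for a presentational HTML attribute that HTML 4.01 deprecated and HTML5 made obsolete; writing the row as |- style="vertical-align:top" gives the same alignment and stays consistent with the inline style= used on every other element of this table. Separately, "cell-padding:100px" on the {| line is kept by this change but is not a CSS property and has no effect; if cell padding is wanted it belongs in each cell's "padding" value.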
Line 26: Line 26:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent; width:20px" |
 
| style="border-left-color:transparent; border-bottom-color:transparent; width:20px" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
type  
 
type  
 
| colspan="3" | block device encryption
 
| colspan="3" | block device encryption
 
| colspan="2" | stacked filesystem encryption
 
| colspan="2" | stacked filesystem encryption
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
main selling points
 
main selling points
 
| longest-exiting one; possibly the fastest; works on legacy systems
 
| longest-exiting one; possibly the fastest; works on legacy systems
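Review bot: "longest-exiting one" in the Loop-AES "main selling points" cell (unchanged context in this hunk) is a typo for "longest-existing one"; since this row's markup is being touched anyway, it is worth correcting in the same edit.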
Line 41: Line 41:
 
| slightly faster than EncFS; individual encrypted files portable between systems
 
| slightly faster than EncFS; individual encrypted files portable between systems
 
| easiest one to use; supports non-root administration
 
| easiest one to use; supports non-root administration
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
availability in Arch Linux
 
availability in Arch Linux
 
| must manually compile custom kernel
 
| must manually compile custom kernel
Line 50: Line 50:
 
| ''kernel module:'' already shipped with default kernel; ''tools:'' {{AUR|ecryptfs-utils}} [AUR]
 
| ''kernel module:'' already shipped with default kernel; ''tools:'' {{AUR|ecryptfs-utils}} [AUR]
 
| {{Pkg|encfs}} [community]
 
| {{Pkg|encfs}} [community]
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
license
 
license
 
| GPL
 
| GPL
Line 70: Line 70:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
encrypts...
 
encrypts...
 
| colspan="3" | whole block device
 
| colspan="3" | whole block device
 
| colspan="2" | files
 
| colspan="2" | files
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
container for encrypted data may be...
 
container for encrypted data may be...
 
| colspan="3" |
 
| colspan="3" |
Line 85: Line 85:
 
| colspan="2" |
 
| colspan="2" |
 
* a directory in an existing file system
 
* a directory in an existing file system
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
relation to filesystem
 
relation to filesystem
 
| colspan="3" | operates below the filesystem layer - doesn't care whether the content of the encrypted block device is a filesystem, a partition table, a LVM setup, or anything else
 
| colspan="3" | operates below the filesystem layer - doesn't care whether the content of the encrypted block device is a filesystem, a partition table, a LVM setup, or anything else
 
| colspan="2" | adds an additional layer to an existing filesystem, to automatically encrypt/decrypt files whenever they're written/read
 
| colspan="2" | adds an additional layer to an existing filesystem, to automatically encrypt/decrypt files whenever they're written/read
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
encryption implemented in...
 
encryption implemented in...
 
| kernelspace
 
| kernelspace
Line 100: Line 100:
 
| kernelspace
 
| kernelspace
 
| userspace<br>''(using FUSE)''
 
| userspace<br>''(using FUSE)''
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
cryptographic metadata stored in...
 
cryptographic metadata stored in...
 
| ?
 
| ?
Line 109: Line 109:
 
| header  of  each encrypted file
 
| header  of  each encrypted file
 
| control file at the top level of each EncFs container
 
| control file at the top level of each EncFs container
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
wrapped encryption key stored in...
 
wrapped encryption key stored in...
 
| ?
 
| ?
Line 129: Line 129:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
file metadata (number of files, dir structure, file sizes, permissions, mtimes, etc.) is encrypted
 
file metadata (number of files, dir structure, file sizes, permissions, mtimes, etc.) is encrypted
 
| colspan="3" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="3" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="2" | <span style="font-size:160%; color:#CF2525;">✖</span><br>''(file and dir names can be encrypted though)''
 
| colspan="2" | <span style="font-size:160%; color:#CF2525;">✖</span><br>''(file and dir names can be encrypted though)''
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
can be used to encrypt whole hard drives (including partition tables)
 
can be used to encrypt whole hard drives (including partition tables)
 
| colspan="3" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="3" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="2" | <span style="font-size:160%; color:#CF2525;">✖</span>
 
| colspan="2" | <span style="font-size:160%; color:#CF2525;">✖</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
can be used to encrypt swap space
 
can be used to encrypt swap space
 
| colspan="3" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="3" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="2" | <span style="font-size:160%; color:#CF2525;">✖</span>
 
| colspan="2" | <span style="font-size:160%; color:#CF2525;">✖</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
no need to allocate a fixed amount of space in advance for the encrypted data container
 
no need to allocate a fixed amount of space in advance for the encrypted data container
 
| colspan="3" | <span style="font-size:160%; color:#CF2525;">✖</span>
 
| colspan="3" | <span style="font-size:160%; color:#CF2525;">✖</span>
 
| colspan="2" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="2" | <span style="font-size:210%; color:#5F9E23;">✔</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc.
 
can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc.
 
| colspan="3" | &nbsp;&nbsp;&nbsp;&nbsp;<span style="font-size:160%; color:#CF2525;">✖</span><sup>[[#Notes_.26_References|[2]]]</sup>
 
| colspan="3" | &nbsp;&nbsp;&nbsp;&nbsp;<span style="font-size:160%; color:#CF2525;">✖</span><sup>[[#Notes_.26_References|[2]]]</sup>
 
| colspan="2" | <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| colspan="2" | <span style="font-size:210%; color:#5F9E23;">✔</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
allows offline file-based backups of encrypted files
 
allows offline file-based backups of encrypted files
 
| colspan="3" | <span style="font-size:160%; color:#CF2525;">✖</span>
 
| colspan="3" | <span style="font-size:160%; color:#CF2525;">✖</span>
Line 176: Line 176:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
support for automounting on login
 
support for automounting on login
 
| ?
 
| ?
Line 185: Line 185:
 
| ?
 
| ?
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
support for automatic unmounting in case of inactivity
 
support for automatic unmounting in case of inactivity
 
| ?
 
| ?
Line 194: Line 194:
 
| ?
 
| ?
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
non-root users can create/destroy containers for encrypted data
 
non-root users can create/destroy containers for encrypted data
 
| <span style="font-size:160%; color:#CF2525;">✖</span>
 
| <span style="font-size:160%; color:#CF2525;">✖</span>
Line 203: Line 203:
 
| <span style="font-size:160%; color:#CF2525;">✖</span>
 
| <span style="font-size:160%; color:#CF2525;">✖</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
provides a GUI
 
provides a GUI
 
| <span style="font-size:160%; color:#CF2525;">✖</span>
 
| <span style="font-size:160%; color:#CF2525;">✖</span>
Line 223: Line 223:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
supported ciphers
 
supported ciphers
 
| AES
 
| AES
Line 232: Line 232:
 
| AES, blowfish, twofish...
 
| AES, blowfish, twofish...
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
support for salting
 
support for salting
 
| ?
 
| ?
Line 241: Line 241:
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
support for chaining multiple ciphers
 
support for chaining multiple ciphers
 
| ?
 
| ?
Line 250: Line 250:
 
| ?
 
| ?
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
support for key-slot diffusion
 
support for key-slot diffusion
 
| ?
 
| ?
Line 259: Line 259:
 
| ?
 
| ?
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
protection against key scrubbing
 
protection against key scrubbing
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
Line 268: Line 268:
 
| ?
 
| ?
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
support for multiple (independently revokable) keys for the same encrypted data
 
support for multiple (independently revokable) keys for the same encrypted data
 
| ?
 
| ?
Line 277: Line 277:
 
| ?
 
| ?
 
| ?
 
| ?
|-
+
|- valign="top"
 
| colspan="3" style="height:20px; border-color:transparent" |
 
| colspan="3" style="height:20px; border-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
 
| colspan="5" style="border-right-color:transparent" |
Line 288: Line 288:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
multithreading support
 
multithreading support
 
| ?
 
| ?
Line 297: Line 297:
 
| ?
 
| ?
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
hardware-accelerated encryption support
 
hardware-accelerated encryption support
 
| ?
 
| ?
Line 306: Line 306:
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
optimised handling of sparse files
 
optimised handling of sparse files
 
| ?
 
| ?
Line 326: Line 326:
 
! scope="col" style="background:#E2E2E2" | Truecrypt
 
! scope="col" style="background:#E2E2E2" | Truecrypt
 
| colspan="2" rowspan="2" style="border-color:transparent" |
 
| colspan="2" rowspan="2" style="border-color:transparent" |
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
support for (manually) resizing the encrypted block device in-place
 
support for (manually) resizing the encrypted block device in-place
 
| ?
 
| ?
Line 342: Line 342:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="5" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="5" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
supported file systems
 
supported file systems
 
| ext3, ext4, xfs (with caveats), jfs, nfs...
 
| ext3, ext4, xfs (with caveats), jfs, nfs...
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="5" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="5" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
ability to encrypt filenames
 
ability to encrypt filenames
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="5" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="5" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
ability to ''not'' encrypt filenames
 
ability to ''not'' encrypt filenames
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
 
| <span style="font-size:210%; color:#5F9E23;">✔</span>
Line 371: Line 371:
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | eCryptfs
 
! scope="col" style="background:#E2E2E2" | EncFs
 
! scope="col" style="background:#E2E2E2" | EncFs
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
supported Linux kernel versions
 
supported Linux kernel versions
 
| 2.0 or newer
 
| 2.0 or newer
Line 380: Line 380:
 
| ?
 
| ?
 
| 2.4 or newer
 
| 2.4 or newer
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" rowspan="3" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | encrypted data can also be accessed from...
+
! scope="row" rowspan="3" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" | encrypted data can also be accessed from...
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | Windows
+
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" | Windows
 
| <span style="font-size:210%; color:#5F9E23;">✔</span> (with <sup>[[#Notes_.26_References|[3]]]</sup>)
 
| <span style="font-size:210%; color:#5F9E23;">✔</span> (with <sup>[[#Notes_.26_References|[3]]]</sup>)
 
| <span style="font-size:210%; color:#5F9E23;">✔</span> (with <sup>[[#Notes_.26_References|[4]]]</sup>)
 
| <span style="font-size:210%; color:#5F9E23;">✔</span> (with <sup>[[#Notes_.26_References|[4]]]</sup>)
Line 389: Line 389:
 
| ?
 
| ?
 
| ?
 
| ?
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | Mac OS X
+
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" | Mac OS X
 
| ?
 
| ?
 
| ?
 
| ?
Line 397: Line 397:
 
| ?
 
| ?
 
| &nbsp;&nbsp;&nbsp;&nbsp;<span style="font-size:210%; color:#5F9E23;">✔</span><sup>[[#Notes_.26_References|[5]]]</sup>
 
| &nbsp;&nbsp;&nbsp;&nbsp;<span style="font-size:210%; color:#5F9E23;">✔</span><sup>[[#Notes_.26_References|[5]]]</sup>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" | FreeBSD
+
! scope="row" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" | FreeBSD
 
| ?
 
| ?
 
| ?
 
| ?
Line 405: Line 405:
 
| ?
 
| ?
 
| &nbsp;&nbsp;&nbsp;&nbsp;<span style="font-size:210%; color:#5F9E23;">✔</span><sup>[[#Notes_.26_References|[6]]]</sup>
 
| &nbsp;&nbsp;&nbsp;&nbsp;<span style="font-size:210%; color:#5F9E23;">✔</span><sup>[[#Notes_.26_References|[6]]]</sup>
|-
+
|- valign="top"
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
 
| style="border-left-color:transparent; border-bottom-color:transparent" |
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; vertical-align:top; padding:0 6px" |
+
! scope="row" colspan="2" style="text-align:left; font-weight:normal; color:#393939; background:#E2E2E2; padding:0 6px" |
 
used by
 
used by
 
| ?
 
| ?

Revision as of 00:54, 11 November 2011


Note: This article is a work in progress. It's intended as a proposal for a new article, to be moved into the main wiki namespace after further discussion.


This article discusses common techniques available in Arch Linux for transparently encrypting / decrypting all data that is written to / read from a disk, or a logical part of a disk.

Why Use Encryption?

TODO: Merge intro section from "System Encryption with LUKS" here.

What Methods are Available for Disk Encryption?

TODO

Comparison Table

Columns compared: Loop-AES, dm-crypt + LUKS, Truecrypt, eCryptfs, EncFs. A "?" means no value is given for that cell in this revision's text; a value stated for "block device encryption" or "stacked filesystem encryption" applies to every method of that type.

summary

type
  Loop-AES, dm-crypt + LUKS, Truecrypt: block device encryption
  eCryptfs, EncFs: stacked filesystem encryption

main selling points
  Loop-AES: longest-existing one; possibly the fastest; works on legacy systems
  dm-crypt + LUKS: de-facto standard for block device encryption on Linux; very flexible
  Truecrypt: very portable, well-polished, self-contained solution
  eCryptfs: slightly faster than EncFs; individual encrypted files are portable between systems
  EncFs: easiest one to use; supports non-root administration

availability in Arch Linux
  Loop-AES: must manually compile a custom kernel
  dm-crypt + LUKS: kernel modules already shipped with the default kernel; tools: device-mapper, cryptsetup [core]
  Truecrypt: truecrypt [extra]
  eCryptfs: kernel module already shipped with the default kernel; tools: ecryptfs-utils [AUR]
  EncFs: encfs [community]

license
  Loop-AES: GPL; dm-crypt + LUKS: GPL; Truecrypt: custom [1]; eCryptfs: GPL; EncFs: GPL

basic classification

encrypts...
  block device encryption: the whole block device
  stacked filesystem encryption: individual files

container for encrypted data may be...
  block device encryption: a disk partition, or a file acting as a virtual partition
  stacked filesystem encryption: a directory in an existing file system

relation to filesystem
  block device encryption: operates below the filesystem layer and does not care whether the content of the encrypted block device is a filesystem, a partition table, an LVM setup, or anything else
  stacked filesystem encryption: adds an additional layer on top of an existing filesystem, automatically encrypting/decrypting files whenever they are written/read

encryption implemented in...
  Loop-AES, dm-crypt + LUKS, Truecrypt, eCryptfs: kernelspace
  EncFs: userspace (using FUSE)

cryptographic metadata stored in...
  Loop-AES: ?; dm-crypt + LUKS: ?; Truecrypt: ?
  eCryptfs: header of each encrypted file
  EncFs: control file at the top level of each EncFs container

wrapped encryption key stored in...
  Loop-AES: ?; dm-crypt + LUKS: ?; Truecrypt: ?
  eCryptfs: key file that can be stored anywhere
  EncFs: control file at the top level of each EncFs container

practical implications

file metadata (number of files, directory structure, file sizes, permissions, mtimes, etc.) is encrypted
  block device encryption: yes
  stacked filesystem encryption: no (file and directory names can be encrypted, though)

can be used to encrypt whole hard drives (including partition tables)
  block device encryption: yes
  stacked filesystem encryption: no

can be used to encrypt swap space
  block device encryption: yes
  stacked filesystem encryption: no

no need to allocate a fixed amount of space in advance for the encrypted data container
  block device encryption: no
  stacked filesystem encryption: yes

can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc.
  block device encryption: no [2]
  stacked filesystem encryption: yes

allows offline file-based backups of encrypted files
  block device encryption: no
  stacked filesystem encryption: yes

usability features

support for automounting on login: ?
support for automatic unmounting in case of inactivity: ?
non-root users can create/destroy containers for encrypted data
  EncFs: yes (see main selling points); Loop-AES, dm-crypt + LUKS, Truecrypt, eCryptfs: ?
provides a GUI
  Truecrypt: yes; Loop-AES, dm-crypt + LUKS, eCryptfs, EncFs: ?

security features

supported ciphers
  Loop-AES: AES; dm-crypt + LUKS: ?; Truecrypt: ?; eCryptfs: AES, Blowfish, Twofish, ...; EncFs: ?

support for salting
  dm-crypt + LUKS: yes (with LUKS); Loop-AES, Truecrypt, eCryptfs, EncFs: ?

support for chaining multiple ciphers: ?

support for key-slot diffusion
  dm-crypt + LUKS: yes (with LUKS); Loop-AES, Truecrypt, eCryptfs, EncFs: ?

protection against key scrubbing: ?

support for multiple (independently revocable) keys for the same encrypted data
  dm-crypt + LUKS: yes (with LUKS); Loop-AES, Truecrypt, eCryptfs, EncFs: ?

performance features

multithreading support: ?
hardware-accelerated encryption support: ?
optimised handling of sparse files: ?

block device encryption specific (Loop-AES, dm-crypt + LUKS, Truecrypt)

support for (manually) resizing the encrypted block device in-place: ?

stacked filesystem encryption specific (eCryptfs, EncFs)

supported file systems
  eCryptfs: ext3, ext4, xfs (with caveats), jfs, nfs, ...; EncFs: ?

ability to encrypt filenames: ?
ability to not encrypt filenames: ?

compatibility & prevalence

supported Linux kernel versions
  Loop-AES: 2.0 or newer; dm-crypt + LUKS: ?; Truecrypt: ?; eCryptfs: ?; EncFs: 2.4 or newer

encrypted data can also be accessed from...
  Windows: Loop-AES: with [3]; dm-crypt + LUKS: with [4]; Truecrypt: yes (native builds); eCryptfs: ?; EncFs: ?
  Mac OS X: Truecrypt: yes (native builds); EncFs: yes [5]; Loop-AES, dm-crypt + LUKS, eCryptfs: ?
  FreeBSD: EncFs: yes [6]; Loop-AES, dm-crypt + LUKS, Truecrypt, eCryptfs: ?

used by
  Loop-AES: ?
  dm-crypt + LUKS: Arch Linux installer (system encryption); Ubuntu alternate installer (system encryption)
  Truecrypt: ?
  eCryptfs: Ubuntu installer (home directory encryption); Chromium OS (encryption of cached user data [7])
  EncFs: ?
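
The table leaves the "cryptographic metadata stored in..." and "wrapped encryption key stored in..." cells for dm-crypt + LUKS open. For LUKS1 both live in a 592-byte header at the start of the device: cipher name, cipher mode, hash, the master-key digest with its salt and iteration count, and eight key slots, each with its own salt, iteration count, stripe count and the sector at which its encrypted, split copy of the master key begins. The parser below is an added example, not code from this page or from cryptsetup; it reads that header layout from a sample header constructed in the file (every field value in it is made up), which is what `cryptsetup luksDump` reports for a real device.

```python
"""Parse the LUKS1 on-disk header (the 592-byte phdr at the start of a device).

Added example; not code from the ArchWiki page or from cryptsetup. The header
parsed at the bottom is constructed here so the script runs offline; on a real
device you would read the first 592 bytes of /dev/sdXn instead (or simply run
`cryptsetup luksDump /dev/sdXn`).
"""
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_VERSION = 1
LUKS_KEY_ENABLED = 0x00AC71F3    # slot "active" markers defined by the LUKS1 spec
LUKS_KEY_DISABLED = 0x0000DEAD
NUM_KEY_SLOTS = 8

# Fixed part: magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iterations, uuid (all big-endian).
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# Per slot: active, iterations, salt, key-material-offset (in 512-byte sectors), stripes.
SLOT = struct.Struct(">II32sII")
HEADER_SIZE = PHDR.size + NUM_KEY_SLOTS * SLOT.size   # 208 + 8 * 48 = 592


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return the header as a dict; raise ValueError if blob is not a LUKS1 header."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("need %d bytes, got %d" % (HEADER_SIZE, len(blob)))
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iters, uuid_raw) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    if version != LUKS_VERSION:
        raise ValueError("unsupported LUKS version %d" % version)
    slots = []
    for i in range(NUM_KEY_SLOTS):
        active, iters, salt, km_off, stripes = SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)
        slots.append({"slot": i, "active": active == LUKS_KEY_ENABLED,
                      "iterations": iters, "salt": salt.hex(),
                      "key_material_offset": km_off, "stripes": stripes})
    return {
        "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
        "payload_offset": payload_off,     # first sector of ciphertext (header + key material lie before it)
        "key_bytes": key_bytes,
        "mk_digest": mk_digest.hex(), "mk_digest_salt": mk_salt.hex(),
        "mk_digest_iterations": mk_iters,
        "uuid": _cstr(uuid_raw),
        "slots": slots,
    }


def active_slots(header):
    """Indices of the slots that currently hold a passphrase (cf. luksDump's 'ENABLED')."""
    return [s["slot"] for s in header["slots"] if s["active"]]


def build_sample_header():
    """A constructed LUKS1 header with two active slots; every value here is made up."""
    fixed = PHDR.pack(LUKS_MAGIC, LUKS_VERSION, b"aes", b"xts-plain64", b"sha1",
                      4096, 64, b"\x11" * 20, b"\x22" * 32, 100000,
                      b"0f6d2f5e-1c6e-4c0e-9f7a-2d0a5b8c3e41")
    slots = b""
    for i in range(NUM_KEY_SLOTS):
        if i < 2:   # slots 0 and 1 hold a passphrase each; 4000 stripes is cryptsetup's default
            slots += SLOT.pack(LUKS_KEY_ENABLED, 50000 * (i + 1), bytes([0x30 + i]) * 32, 8 + 504 * i, 4000)
        else:
            slots += SLOT.pack(LUKS_KEY_DISABLED, 0, b"\0" * 32, 8 + 504 * i, 4000)
    return fixed + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print("%s-%s, hash %s, %d-byte master key, payload at sector %d"
          % (hdr["cipher"], hdr["mode"], hdr["hash"], hdr["key_bytes"], hdr["payload_offset"]))
    for s in hdr["slots"]:
        state = "ENABLED" if s["active"] else "DISABLED"
        print("slot %d: %-8s iterations=%-7d stripes=%d key material at sector %d"
              % (s["slot"], state, s["iterations"], s["stripes"], s["key_material_offset"]))
```

Everything before the payload offset (the header plus the per-slot key material areas) is what `cryptsetup luksHeaderBackup` preserves and what an offline passphrase-guessing attack needs; the per-slot salts and iteration counts are stored there in the clear by design, since they only slow guessing down and do not need to be secret.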

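The security-features rows credit dm-crypt + LUKS with salting, with multiple independently revocable keys for the same data, and with key-slot diffusion, which LUKS provides through the anti-forensic information splitter of its specification. The added example below (not cryptsetup's code, and not a LUKS-compatible format) models the three mechanisms in miniature: each slot derives its key from the passphrase with PBKDF2 over a per-slot random salt; the master key is passed through the AFsplit/AFmerge construction of the LUKS1 specification before it is stored, so that damaging any one stripe makes that slot unrecoverable; and killing a slot leaves the other passphrases working. The stripe material is protected here by XOR with a PBKDF2-derived keystream, a stand-in chosen so the script needs only the standard library; real LUKS encrypts it with the volume cipher. Stripe and iteration counts are small demo values.

```python
"""Miniature LUKS-style key slots, as an added example (not cryptsetup's code and
not a LUKS-compatible format): per-slot salted PBKDF2, the master key run through
the LUKS1 anti-forensic splitter before storage, and independently revocable
slots. Stripe material is XORed with a PBKDF2-derived keystream, a stand-in for
the volume cipher real LUKS uses; stripe and iteration counts are demo values."""
import hashlib
import hmac
import os
import struct

HASH = "sha256"
DIGEST = hashlib.new(HASH).digest_size
NUM_SLOTS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _diffuse(buf):
    """AF hash from the LUKS1 spec: each DIGEST-sized block becomes H(be32(index) || block)."""
    out = bytearray()
    for idx, off in enumerate(range(0, len(buf), DIGEST)):
        chunk = buf[off:off + DIGEST]
        out += hashlib.new(HASH, struct.pack(">I", idx) + chunk).digest()[:len(chunk)]
    return bytes(out)


def af_split(key, stripes):
    """AFsplit: stripes-1 random blocks plus one block that ties the chain to the key."""
    d, parts = bytes(len(key)), []
    for _ in range(stripes - 1):
        s = os.urandom(len(key))
        parts.append(s)
        d = _diffuse(_xor(d, s))
    parts.append(_xor(d, key))
    return parts


def af_merge(parts):
    """AFmerge: recompute the chain; any damaged stripe yields garbage, not the key."""
    d = bytes(len(parts[0]))
    for s in parts[:-1]:
        d = _diffuse(_xor(d, s))
    return _xor(d, parts[-1])


class KeySlots:
    """Eight slots, each unlocking the same master key with its own passphrase."""

    def __init__(self, master_key, stripes=4, iterations=2000):
        self.key_len, self.stripes, self.iterations = len(master_key), stripes, iterations
        self.digest_salt = os.urandom(32)
        self.mk_digest = self._digest(master_key)   # how open() recognises a correct unlock
        self.slots = [None] * NUM_SLOTS

    def _digest(self, key):
        return hashlib.pbkdf2_hmac(HASH, key, self.digest_salt, self.iterations, 20)

    def _keystream(self, passphrase, salt):
        return hashlib.pbkdf2_hmac(HASH, passphrase, salt, self.iterations, self.key_len * self.stripes)

    def add_key(self, master_key, passphrase):
        """Fill the first free slot and return its index (ValueError when all 8 are taken)."""
        idx = self.slots.index(None)
        salt = os.urandom(32)   # per-slot salt: identical passphrases still store different material
        material = b"".join(af_split(master_key, self.stripes))
        self.slots[idx] = {"salt": salt, "material": _xor(material, self._keystream(passphrase, salt))}
        return idx

    def kill_slot(self, idx):
        """Revoke one passphrase; the remaining slots keep working (cf. cryptsetup luksKillSlot)."""
        self.slots[idx] = None

    def open(self, passphrase):
        """Try each active slot; return the master key, or None if no slot accepts the passphrase."""
        for slot in filter(None, self.slots):
            plain = _xor(slot["material"], self._keystream(passphrase, slot["salt"]))
            key = af_merge([plain[i:i + self.key_len] for i in range(0, len(plain), self.key_len)])
            if hmac.compare_digest(self._digest(key), self.mk_digest):
                return key
        return None


def demo():
    """Exercise the three properties on a random master key and return the observations."""
    mk = os.urandom(32)
    ks = KeySlots(mk)
    a = ks.add_key(mk, b"first passphrase")
    b = ks.add_key(mk, b"second passphrase")
    c = ks.add_key(mk, b"second passphrase")   # same passphrase again, different salt
    both_open = ks.open(b"first passphrase") == mk and ks.open(b"second passphrase") == mk
    ks.kill_slot(a)
    parts = af_split(mk, 4)
    damaged = parts[:-1] + [bytes([parts[-1][0] ^ 1]) + parts[-1][1:]]   # one bit of one stripe
    return {
        "both_passphrases_open": both_open,
        "revoked_passphrase_opens": ks.open(b"first passphrase") is not None,
        "other_passphrase_opens": ks.open(b"second passphrase") == mk,
        "wrong_passphrase_opens": ks.open(b"wrong") is not None,
        "same_passphrase_same_material": ks.slots[b]["material"] == ks.slots[c]["material"],
        "af_roundtrip": af_merge(parts) == mk,
        "af_damaged_stripe_recovers_key": af_merge(damaged) == mk,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-32s %s" % (name, value))
```

The salt is what stops one precomputed passphrase table from working against every container, and the splitter is what makes a revoked slot hard to recover from a disk image: the key material is spread over thousands of stripes in real LUKS, so a single overwritten or unreadable stripe, not the whole area, is enough to destroy the old copy.
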
Notes & References

  [1] see http://www.truecrypt.org/legal/license
  [2] A single file on such a filesystem could be used as the container (a virtual loop-back device), but then the filesystem and the features it provides are no longer being used for the encrypted data itself.
  [3] CrossCrypt: open source AES and Twofish Linux-compatible on-the-fly encryption for Windows XP and Windows 2000
  [4] FreeOTFE: supports Windows 2000 and later (PC) and Windows Mobile 2003 and later (PDA)
  [5] see the EncFs build instructions for Mac
  [6] see http://www.freshports.org/sysutils/fusefs-encfs/
  [7] see http://www.chromium.org/chromium-os/chromiumos-design-docs/protecting-cached-user-data