Disk encryption

From ArchWiki
Revision as of 02:01, 10 November 2011 by Sas (created page)



Note: This article is a work in progress. It's intended as a proposal for a new article, to be moved into the main wiki namespace after further discussion.


This article discusses common techniques available in Arch Linux for transparently encrypting / decrypting all data that is written to / read from a disk, or a logical part of a disk.

Why Use Encryption?

TODO: Merge intro section from "System Encryption with LUKS" here.

What Methods are Available for Disk Encryption?

TODO

Comparison Table

Columns, left to right: Loop-AES, dm-crypt + LUKS, Truecrypt, eCryptfs, EncFS. A "?" marks a cell that has not been filled in yet; a "*" is kept as it appears in the draft.

summary | Loop-AES | dm-crypt + LUKS | Truecrypt | eCryptfs | EncFS
type | block device encryption | block device encryption | block device encryption | stacked filesystem encryption | stacked filesystem encryption
main selling points | longest-existing one; possibly the fastest; runs on legacy systems | de-facto standard for full disk encryption on Linux; very flexible | very portable, well-polished, self-contained solution | slightly faster than EncFS; individual encrypted files portable between systems | easiest one to use; allows non-root administration
availability in Arch Linux | must manually compile a custom kernel | kernel modules: already shipped with the default kernel; tools: device-mapper, cryptsetup [core] | truecrypt [extra] | kernel module: already shipped with the default kernel; tools: ecryptfs-utils [AUR] | encfs [community]
license | GPL | GPL | custom | GPL | GPL

basic classification | Loop-AES | dm-crypt + LUKS | Truecrypt | eCryptfs | EncFS
encrypts... | a whole block device | a whole block device | a whole block device | individual files | individual files
container for encrypted data may be... | a disk partition, or a file acting as a virtual partition | a disk partition, or a file acting as a virtual partition | a disk partition, or a file acting as a virtual partition | a directory in an existing file system | a directory in an existing file system
relation to filesystem | operates below the filesystem layer; doesn't care whether the content of the encrypted block device is a filesystem, an LVM setup, or anything else | operates below the filesystem layer; doesn't care whether the content of the encrypted block device is a filesystem, an LVM setup, or anything else | operates below the filesystem layer; doesn't care whether the content of the encrypted block device is a filesystem, an LVM setup, or anything else | adds an additional layer on top of an existing filesystem, automatically decrypting/encrypting files whenever they're read/written | adds an additional layer on top of an existing filesystem, automatically decrypting/encrypting files whenever they're read/written
encryption implemented in... | kernelspace | kernelspace | kernelspace | kernelspace | userspace (using FUSE)
cryptographic metadata stored in... | ? | ? | ? | header of each encrypted file | control file at the top level of each EncFS container
wrapped encryption key stored in... | ? | ? | ? | key file that can be stored anywhere | control file at the top level of each EncFS container

practical implications of the above | Loop-AES | dm-crypt + LUKS | Truecrypt | eCryptfs | EncFS
file metadata (number of files, dir structure, file sizes, permissions, mtimes, etc.) is encrypted | Yes | Yes | Yes | No (file and dir names can be encrypted though) | No (file and dir names can be encrypted though)
can be used to encrypt whole hard drives (including partition tables) | Yes | Yes | Yes | No | No
can be used to encrypt swap space | Yes | Yes | Yes | No | No
no need to allocate a fixed amount of space in advance for the encrypted data container | No | No | No | Yes | Yes
can be used to protect existing filesystems without block device access, e.g. NFS or Samba shares, cloud storage, etc. | No | No | No | Yes | Yes
allows offline file-based backups of encrypted files | No | No | No | Yes | Yes

usability features | Loop-AES | dm-crypt + LUKS | Truecrypt | eCryptfs | EncFS
support for automounting on login | ? | ? | ? | ? | Yes
support for automatic unmounting in case of inactivity | ? | ? | ? | ? | Yes
non-root users can set up / remove containers for encrypted data | No | No | No | No | Yes
provides a GUI | No | No | Yes | No | No

security features | Loop-AES | dm-crypt + LUKS | Truecrypt | eCryptfs | EncFS
supported ciphers | AES | ? | ? | ? | ?
support for salting | ? | Yes | Yes * | Yes (mandatory) | ?
support for chaining multiple ciphers | ? | ? | Yes | ? | ?
support for key-slot diffusion | ? | Yes * | ? | ? | ?
protection against key scrubbing | Yes | ? | ? | ? | ?
support for multiple (independently revocable) keys for the same encrypted data | ? | Yes | ? | ? | ?

performance features | Loop-AES | dm-crypt + LUKS | Truecrypt | eCryptfs | EncFS
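For the dm-crypt + LUKS column, the rows on where metadata and wrapped keys live can be read straight off the device: a LUKS (version 1) device starts with a 592-byte header holding the cipher spec, the master-key digest and eight key slots, each slot pointing at a region of anti-forensically split key material ("key-slot diffusion" in the table) that sits between the header and the encrypted payload. The following script is an added example for this article, not code from the wiki or from cryptsetup: it parses such a header, lists the active slots, checks that the slot regions and the payload do not overlap, and marks one slot revoked (the header-side half of what luksKillSlot does). The header bytes it uses are constructed in the script to follow the LUKS1 on-disk layout (the 0x00AC71F3 / 0x0000DEAD slot markers, 4000 stripes, 4 KiB slot alignment and payload at sector 4040 are what cryptsetup writes for a 512-bit XTS key); the UUID, digest and salts are dummy values.

```python
"""Read the on-disk metadata of a dm-crypt + LUKS (LUKS1) device.

Added example, not code from the wiki or from cryptsetup. The header bytes used
below are CONSTRUCTED in-script to follow the LUKS1 layout; nothing is read
from a real device. The parser works unchanged on the first 592 bytes of a
real LUKS1 partition or container file.
"""
import math
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_LEN = 592           # phdr size: 208 bytes + 8 key slots of 48 bytes
KEY_SLOTS = 8                    # LUKS1 always has exactly eight key slots
SLOT_ENABLED = 0x00AC71F3        # 'active' marker of a slot holding a wrapped master key
SLOT_DISABLED = 0x0000DEAD       # 'active' marker of an empty / revoked slot
SECTOR = 512                     # header offsets are counted in 512-byte sectors

# Fixed-width, big-endian fields in on-disk order (LUKS1 on-disk format):
# magic, version, cipher, mode, hash, payload offset, key bytes, MK digest,
# MK salt, MK iterations, uuid; then per slot: active, iterations, salt,
# key-material offset, stripes.
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"
SLOT_FMT = ">II32sII"
PHDR_LEN = struct.calcsize(PHDR_FMT)     # 208
SLOT_LEN = struct.calcsize(SLOT_FMT)     # 48


def _cstr(raw):
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Parse the first 592 bytes of a LUKS1 device into a dict of its metadata."""
    if len(blob) < LUKS1_HEADER_LEN:
        raise ValueError("need at least %d bytes" % LUKS1_HEADER_LEN)
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = struct.unpack_from(PHDR_FMT, blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header (bad magic)")
    if version != 1:                      # LUKS2 uses a different, JSON-based layout
        raise ValueError("unsupported LUKS version %d" % version)
    slots = []
    for i in range(KEY_SLOTS):
        active, iters, salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, blob, PHDR_LEN + i * SLOT_LEN)
        if active not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError("slot %d has an invalid 'active' marker %#x" % (i, active))
        slots.append({"index": i, "active": active == SLOT_ENABLED,
                      "iterations": iters, "salt": salt,
                      "key_material_offset": km_off, "stripes": stripes})
    return {"version": version, "cipher": _cstr(cipher), "mode": _cstr(mode),
            "hash": _cstr(hash_spec), "payload_offset": payload_off,
            "key_bytes": key_bytes, "mk_digest": mk_digest, "mk_salt": mk_salt,
            "mk_iterations": mk_iter, "uuid": _cstr(uuid), "slots": slots}


def active_slots(hdr):
    """Indexes of the slots that currently hold a wrapped copy of the master key."""
    return [s["index"] for s in hdr["slots"] if s["active"]]


def check_layout(hdr):
    """Return a list of layout problems (empty if the header is self-consistent).

    An active slot's AF-split key material is stripes * key_bytes bytes at its
    key-material offset; it must lie past the phdr, before the payload, and
    not overlap another slot. Anything else means corruption or tampering."""
    problems, regions = [], []
    for s in hdr["slots"]:
        if not s["active"]:
            continue
        length = math.ceil(s["stripes"] * hdr["key_bytes"] / SECTOR)
        start, end = s["key_material_offset"], s["key_material_offset"] + length
        if start * SECTOR < LUKS1_HEADER_LEN:
            problems.append("slot %d key material overlaps the phdr" % s["index"])
        if end > hdr["payload_offset"]:
            problems.append("slot %d key material overlaps the payload" % s["index"])
        for o_start, o_end, o_idx in regions:
            if start < o_end and o_start < end:
                problems.append("slot %d overlaps slot %d" % (s["index"], o_idx))
        regions.append((start, end, s["index"]))
    return problems


def revoke_slot(blob, index):
    """Copy of the header with one slot marked disabled (header half of luksKillSlot;
    the real tool also overwrites that slot's key material on disk)."""
    off = PHDR_LEN + index * SLOT_LEN
    _, _, _, km_off, stripes = struct.unpack_from(SLOT_FMT, blob, off)
    out = bytearray(blob)
    struct.pack_into(SLOT_FMT, out, off, SLOT_DISABLED, 0, b"\0" * 32, km_off, stripes)
    return bytes(out)


def build_sample_header(active=(0, 1), payload_offset=None):
    """CONSTRUCTED sample: aes-xts-plain64, 512-bit key, 4000 AF stripes, slots
    aligned to 4 KiB as cryptsetup lays them out. UUID/digest/salts are dummies."""
    key_bytes, stripes = 64, 4000
    slot_len = -(-math.ceil(stripes * key_bytes / SECTOR) // 8) * 8   # 500 -> 504 sectors
    first_slot = 8                                                    # phdr occupies the first 4 KiB
    if payload_offset is None:
        payload_offset = first_slot + KEY_SLOTS * slot_len            # 4040
    phdr = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                       payload_offset, key_bytes, b"\x11" * 20, b"\x22" * 32, 100000,
                       b"1a2b3c4d-0000-4000-8000-000000000000")
    slots = b""
    for i in range(KEY_SLOTS):
        on = i in active
        slots += struct.pack(SLOT_FMT, SLOT_ENABLED if on else SLOT_DISABLED,
                             250000 if on else 0,
                             bytes([0x30 + i]) * 32 if on else b"\0" * 32,
                             first_slot + i * slot_len, stripes)
    return phdr + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print("%s-%s, %d-bit key, hash %s, payload at sector %d" % (
        hdr["cipher"], hdr["mode"], hdr["key_bytes"] * 8, hdr["hash"], hdr["payload_offset"]))
    print("active key slots:", active_slots(hdr), "layout problems:", check_layout(hdr))
    killed = parse_luks1_header(revoke_slot(build_sample_header(), 0))
    print("after revoking slot 0:", active_slots(killed))
```

On a real device, feed the parser the output of `head -c 592 /dev/sdXn` (as root). Note that check_layout is a consistency check, not an integrity check: a LUKS1 header carries no authentication of its own, so anyone with write access to the raw disk can alter any field; keeping a header backup is the practical defence.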