Difference between revisions of "User:Larivact/trash/Disk encryption"

From ArchWiki
(Comparison table: merge useless 'Implemented in' row with Note)
m (clarify comment)
Line 1: Line 1:
{{Comment|Draft for [[Disk encryption#Comparison table]].}}
+
{{Comment|Experiment page for [[Disk encryption#Comparison table]].}}
  
 
{| class="wikitable left-align-row-headers" style="text-align:center;"
 
{| class="wikitable left-align-row-headers" style="text-align:center;"

Revision as of 18:15, 16 September 2018

Comment: Experiment page for Disk encryption#Comparison table.
{| class="wikitable left-align-row-headers" style="text-align:center;"
! Name !! Encryption type !! Availability !! Implementation in !! GUI !! Cross-platform !! Note
|-
! Loop-AES
| block device || requires custom kernel || kernelspace || No || No || longest-existing one; possibly the fastest; works on legacy systems
|-
! dm-crypt
| block device || modules in default kernel; tools: device-mapper, cryptsetup || kernelspace || No || No || de-facto standard for block device encryption on Linux; very flexible
|-
! TrueCrypt
| block device || truecrypt || kernelspace || Yes || Yes || was well-established before it was abandoned for no apparent reason
|-
! VeraCrypt
| block device || veracrypt || kernelspace || Yes || Yes || maintained fork of TrueCrypt
|-
! eCryptfs
| stacked filesystem || modules in default kernel; tools: ecryptfs-utils || kernelspace || No || No || slightly faster than EncFS; individual encrypted files portable between systems
|-
! EncFS
| stacked filesystem || encfs || userspace (FUSE) || Optional || No || easiest one to use; supports non-root administration
|}

Comparison table

The column "dm-crypt +/- LUKS" covers dm-crypt in both its LUKS ("+") and plain ("-") encryption modes. Where a feature requires LUKS, the cell says "(with LUKS)". Where using LUKS is counter-productive for the feature and plain mode should be used instead, the cell says "(without LUKS)".

{| class="wikitable left-align-row-headers" style="text-align:center;"
! Summary !! Loop-AES !! dm-crypt +/- LUKS !! TrueCrypt !! VeraCrypt !! eCryptfs !! EncFS
|-
! Encryption type
| block device || block device || block device || block device || stacked filesystem || stacked filesystem
|-
! Note
| longest-existing one; possibly the fastest; works on legacy systems || de-facto standard for block device encryption on Linux; very flexible || was well-established before it was abandoned for no apparent reason || maintained fork of TrueCrypt || slightly faster than EncFS; individual encrypted files portable between systems || easiest one to use; supports non-root administration; implemented in userspace (FUSE)
|-
! Availability
| requires custom kernel || modules in default kernel; tools: device-mapper, cryptsetup || truecrypt || veracrypt || modules in default kernel; tools: ecryptfs-utils || encfs
|-
! License
| GPL || GPL || TrueCrypt License 3.1 || Apache License 2.0, parts subject to TrueCrypt License v3.0 || GPL || GPL
|-
! Cryptographic metadata stored in...
| ? || with LUKS: LUKS header || begin/end of (decrypted) device (format)[dead link 2018-07-15] || begin/end of (decrypted) device (format spec) || header of each encrypted file || control file at the top level of each EncFS container
|-
! Wrapped encryption key stored in...
| ? || with LUKS: LUKS header || begin/end of (decrypted) device (format spec)[dead link 2018-07-15] || begin/end of (decrypted) device (format spec) || key file that can be stored anywhere || key file that can be stored anywhere
|}

[1][2]

Usability features: Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS
Support for automounting on login: ? | with systemd and /etc/crypttab | with systemd and /etc/crypttab
Support for automatic unmounting in case of inactivity: ? | ? | ? | ? | ?
Non-root users can create/destroy containers for encrypted data: limited
Provides a GUI: [3][4]

Security features: Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS
Supported ciphers: AES | AES, Anubis, CAST5/6, Twofish, Serpent, Camellia, Blowfish, … (every cipher the kernel Crypto API offers) | AES, Twofish, Serpent | AES, Twofish, Serpent, Camellia, Kuznyechik | AES, Blowfish, Twofish, … | AES, Blowfish, Twofish, and any other ciphers available on the system
Support for salting: ? | (with LUKS) | ?
Support for cascading multiple ciphers: ? | Not in one device, but block devices can be cascaded | AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent | AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent | ?
Support for key-slot diffusion: ? | (with LUKS) | ? | ? | ? | ?
Protection against key scrubbing: (without LUKS) | ? | ? | ? | ?
Support for multiple (independently revocable) keys for the same encrypted data: ? | (with LUKS) | ? | ? | ?
Performance features: Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS
Multithreading support: ? | [5] | ? | ?
Hardware-accelerated encryption support: [6]
Compatibility & prevalence: Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt | eCryptfs | EncFS
Supported Linux kernel versions: 2.0 or newer | CBC-mode since 2.6.4, ESSIV 2.6.10, LRW 2.6.20, XTS 2.6.24 | ? | ? | ? | 2.4 or newer
Encrypted data can also be accessed from Windows: (with CrossCrypt, LibreCrypt) | ? | (with FreeOTFE, LibreCrypt) | ? | ? | [7]
Encrypted data can also be accessed from Mac OS X: ? | ? | ? | [8]
Encrypted data can also be accessed from FreeBSD: ? | ? | (with VeraCrypt) | ? | [9]
Used by: ? | Debian/Ubuntu installer (system encryption), Fedora installer | ? | ? | Ubuntu installer (home dir encryption), Chromium OS (encryption of cached user data [10]) | ?

  1. well, a single file in those filesystems could be used as a container (a virtual loop-back device!), but then one would not actually be using the filesystem (and the features it provides) anymore

Block device encryption specific: Loop-AES | dm-crypt +/- LUKS | TrueCrypt | VeraCrypt
Support for (manually) resizing the encrypted block device in-place: ?

Stacked filesystem encryption specific: eCryptfs | EncFS
Supported file systems: ext3, ext4, xfs (with caveats), jfs, nfs, … | ext3, ext4, xfs (with caveats), jfs, nfs, cifs, … [11]
Ability to encrypt filenames
Ability to not encrypt filenames
Optimized handling of sparse files