Encryption Security Linux

Five of the Best Free Linux Disk Encryption Tools

Posted by Roblimo
from the some-things-are-best-kept-out-of-public-view dept.
An anonymous reader writes "Disk encryption uses software to encrypt the entire hard disk. The onus is therefore not on the user to determine what data should be encrypted, or to remember to manually encrypt files. By encrypting the entire disk, temporary files, which may reveal important confidential data, are also protected. Security is enhanced further when disk encryption is combined with filesystem-level encryption. To provide an insight into the open source software that is available, we have compiled a list of five notable disk encryption tools. Hopefully, there will be something of interest here for anyone who wants easy-to-use data encryption and security."
This discussion has been archived. No new comments can be posted.

  • Link? List? (Score:3, Informative)

    by Goose In Orbit (199293) on Saturday April 09, 2011 @06:05PM (#35770242)

    Or a linked list even?

    • by blacktulip (1980426) on Saturday April 09, 2011 @06:08PM (#35770260)
      They encrypted themselves so you can not see them.
    • Re:Link? List? (Score:5, Informative)

      by ColdWetDog (752185) on Saturday April 09, 2011 @06:08PM (#35770268) Homepage
      Here [linuxlinks.com]. Not so hard, but bog - can't the submitter figure that out? Slow down, guys, nobody is gonna scoop you on this stuff.
      • by Anonymous Coward

        Can't the editor, "Roblimo," proofread the submission? Isn't that practically their entire function?

        • Re:Link? List? (Score:5, Interesting)

          by causality (777677) on Saturday April 09, 2011 @07:13PM (#35770674)

          > Can't the editor, "Roblimo," proofread the submission? Isn't that practically their entire function?

          Can they? Yes. Do they? No. They don't even run basic spell-checkers as evidenced by multiple finalized submissions. I'd personally be ashamed to put my name to much of the work they produce. If they worked in the other 99.99999% of job positions bearing the title "editor" they would be fired due to poor job performance. In this shitty job market I imagine there are many thousands of people who would be happy to do better.

          I don't get to slack like that in my job. If the "editors" here started acting like they were semi-worthy of the title I would seriously consider a paid subscription. Note, I don't expect perfection or anything like that. I just want them to at least try.

          They should stop calling themselves "editors". Another title like perhaps "reposters" would be more appropriate and would remove the expectation that they act like, well, editors.

          I notice that any post pointing out that the ad-laden blog they chose to link in the summary is one of the worst and least-direct (second-hand or third-hand) sources available for the story, or pointing out that (particularly for book reviews) the story itself is likely a Slashvertisement, well those get very quickly modded to oblivion. And I do mean *quickly*. I wouldn't notice most of them at all except that I browse at -1.

          While I cannot prove that it's solely the editors doing that, it is known that editors have infinite modpoints. So I consider it quite plausible, especially considering that I can't be the only user who considers it useful information when someone points out what may be an undisclosed marketing motive. I tend to mod those "Informative" myself so long as they are thoughtful and can back up what they say. I have seen more unlikely things happen, I admit, but I have a hard time imagining that the majority of moderators find such information so objectionable.

          • by c6gunner (950153)

            > They should stop calling themselves "editors". Another title like perhaps "reposters" would be more appropriate and would remove the expectation that they act like, well, editors.

            Even "reporters" gives them too much credit. I think "copy-and-pasters" would be much more accurate.

          • by Thing 1 (178996)
            The reality is that controversy sells ad impressions.
        • by Roblimo (357)

          The link works for me in both Chrome and Firefox. I don't have Explorer handy, so I can't test it with that browser.

            I'm sorry you're having problems, but I don't see anything wrong.

          And yes, I proofread everything and check all links.

          • by Fwipp (1473271)

            You must have fixed it, because when it first went up there was no link.

            • by Roblimo (357)

              Nope. Didn't touch a thing. But there's no point in arguing. The backend was doing some strange things earlier, but not *that* strange. Another mystery of the Internet.

      • Re:Link? List? (Score:5, Insightful)

        by CyberK (1191465) on Saturday April 09, 2011 @06:31PM (#35770418)
        The submitter had the link (check Firehose), but it seems that the editors deemed the submission to be too long and chopped it off. After all, this is Slashdot and nobody RTFAs anyway.
      • The 'submitter' has been updated to reduce the chances of a reoccurrence, though it still might happen.

  • by Anonymous Coward on Saturday April 09, 2011 @06:08PM (#35770264)

    Today we bring you the best of slashdot editing. We cut out all the hard parts for you, like links, and real information.

    FYI: http://www.linuxlinks.com/article/2011040308270275/DiskEncryption.html

  • XKCD (Score:5, Funny)

    by Anonymous Coward on Saturday April 09, 2011 @06:17PM (#35770326)

    http://xkcd.com/538/

    • by waveclaw (43274)

      That xkcd always amused me.

      The only way to really delete something is to encrypt it. Then forget the key.

      Going to burn through a few wrenches before you find that out. Too bad most people only have two knees.

      Relevant to the topic? I have about a dozen CDs of 'encrypted' Linux files that can no longer be opened. Apparently the old cryptoloop encryption implementation on my particular distro was somewhat buggy. The encrypted file system that was contained in those files could only be opened on the

    • by Anonymous Coward

      Sure that is funny, but that comic isn't as true as you think. The only people who will beat you until you give up the key are those that a) can get away with it, b) know that you have what they want. Criminals who steal hard drives, etc. aren't going to go breaking legs for the encryption keys because they don't know what's on the disk and would likely go to jail for it. Even government agents would have to know that you have what they're looking for, and in the US they aren't likely to be torturing you u

      • by 1s44c (552956)

        > Sure that is funny, but that comic isn't as true as you think. The only people who will beat you until you give up the key are those that a) can get away with it, b) know that you have what they want. Criminals who steal hard drives, etc. aren't going to go breaking legs for the encryption keys because they don't know what's on the disk and would likely go to jail for it. Even government agents would have to know that you have what they're looking for, and in the US they aren't likely to be torturing you unless you're actually important. They might put you in jail however.

        Government agents won't torture you themselves, they will convict you for obstructing their investigation and lock you up for many years with a bunch of violent people. This applies to anyone who doesn't willingly hand over their encryption keys. Most likely it also applies to people who really have forgotten or lost their encryption keys.

        Encryption is only protection from unskilled thieves, and agencies who don't want you to know they are watching.

      • by tqk (413719)

        > ... and in the US they aren't likely to be torturing you unless you're actually important.

        So, I guess you've not heard about all the FAIL that the US gov't bought itself by waterboarding prisoners? Evidence obtained illegally is inadmissible (in theory).

      • You are important - once you've been tortured - then your freedom and even life is very embarrassing.

        It only takes one idiot with an itchy torture finger and then they can never afford to let you go.

    • by Anonymous Coward

      Yes, but no. The US 9th Circuit recently affirmed that the government has the right to seize and search, without a warrant, any laptop entering the US. For activists who travel, this is a big deal. Will Yemeni security beat you with a wrench? Yes. Will the US? Not in a US airport. The assumption used to be that the US also wouldn't make copies of your data for offsite inspection just for the hell of it, but they are, some 5000 times in the last five years.

    • by bingoUV (1066850)

      Hey, it used to be $1 wrench in this comic. Inflation finally getting to XKCD?

  • by Anonymous Coward

    I've had some loopback containers using AES-256 for years and years. Recently after upgrading to Ubuntu 11.04, the same containers no longer will mount, yet I can create brand new ones which work fine. It seems that the old ones are not forward compatible.

    Has anyone else noticed this, and if so, what can be done about it? It's really kind of annoying to have to install a whole VM of an older OS just to access my old loopback container files!

    • by St.Creed (853824)

      It's open source. You can write your own code to solve it :)

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The default cipher and flags changed, be sure to find out what they used to be.

      I had this problem too and by setting explicit opt got it working
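
One read-only way to act on the advice in the comment above, as an added example that is not part of the original thread: it assumes the old container is plain dm-crypt (no LUKS header), and the candidate parameter list and the function names `candidate_specs`, `open_args` and `try_container` are hypothetical. Plain mode opens without error even when the parameters are wrong, so the check is whether a filesystem signature appears afterwards.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the old container is plain
# dm-crypt with no LUKS header; run as root with losetup, cryptsetup, blkid.
# Usage: . ./probe_plain.sh && try_container /path/to/old-container.img

# Candidate "cipher key-size hash" sets, one per line. This list is an
# assumption: take the real values from the old system if you can, e.g. the
# compiled-in defaults that `cryptsetup --help` prints there.
candidate_specs() {
    cat <<'EOF'
aes-cbc-plain 256 ripemd160
aes-cbc-essiv:sha256 256 ripemd160
aes-cbc-plain 256 sha256
aes-cbc-essiv:sha256 256 sha256
EOF
}

# Explicit options for one candidate, so nothing depends on the defaults of
# whichever cryptsetup version happens to be installed.
open_args() {  # $1=cipher $2=key-size $3=hash
    printf '%s' "--type plain --readonly --cipher $1 --key-size $2 --hash $3"
}

# Map the container read-only with each candidate and report the first one
# that exposes a recognisable filesystem. Nothing is written to the file.
try_container() {  # $1 = container file
    file=$1
    name=oldvol_probe
    loopdev=$(losetup --find --show --read-only "$file") || return 2

    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r pass; stty echo; echo >&2

    hit=$(candidate_specs | while read -r cipher keysize hash; do
        # Word splitting of open_args output is intended here.
        printf '%s\n' "$pass" |
            cryptsetup open $(open_args "$cipher" "$keysize" "$hash") \
                "$loopdev" "$name" || continue
        # Wrong parameters decrypt to noise, so blkid finds no TYPE.
        fstype=$(blkid -o value -s TYPE "/dev/mapper/$name" || true)
        cryptsetup close "$name"
        if [ -n "$fstype" ]; then
            echo "$cipher $keysize $hash ($fstype)"
            break
        fi
    done)

    losetup -d "$loopdev"
    if [ -n "$hit" ]; then
        echo "Working parameters: $hit"
        return 0
    fi
    echo "No candidate produced a known filesystem" >&2
    return 1
}
```

Once a set matches, reopen the container with those same explicit options and mount the mapping read-only before copying data out.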

  • encfs? (Score:2, Informative)

    by Anonymous Coward

    Really, no encfs? Used it for years -- works great, never had any hiccups with it.

    • by Nerdfest (867930)
      It works really well in conjunction with DropBox or other cloud data services as well.
  • by RenHoek (101570) on Saturday April 09, 2011 @06:28PM (#35770406) Homepage

    http://www.truecrypt.org/ [truecrypt.org]

    There we go.. I don't understand why this is still a question.

    • by Anonymous Coward

      Everyone using Truecrypt would be as bad as everyone using Internet Explorer was. Monocultures are foolish, period. The more targets there are for adversaries to attack, the less likely it is that any of them will be breached.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Because of these reasons:

      http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/ [privacylover.com]

      Don't misunderstand me, I like Truecrypt. But security must also involve trust, and, to date, there is no total transparency about Truecrypt's developers.

      • > But security must also involve trust, and, to date, there is no total transparency about Truecrypt's developers.

        Wow, the developers who created regime-threatening encryption software registered their domain at a fake address. The makers of a powerful privacy tool seem to like privacy? Scandal!

        Code review or STFU. I don't see what else could matter than what's in the source.

    • by Anrego (830717) * on Saturday April 09, 2011 @07:00PM (#35770598)

      dmcrypt for me!

      But yeah, truecrypt and dmcrypt are all people really need to know about. They both do mostly the same thing with slight variation, which people choose is down to preference.

      LoopAES is outdated, cryptsetup is a userspace tool linked to dm-crypt, and the other is specialized.

      Pretty lame article.

    • by westyvw (653833) on Saturday April 09, 2011 @07:57PM (#35770962)

      I used to set up encryption using fuse and encfs. That worked well enough for me. The problem I have with Truecrypt is that I have to define a file size beforehand. Is there a function for Truecrypt to use cowfs or auto resizing files?

      • > Is there a function for Truecrypt to use cowfs or auto resizing files?

        Yes. I thought "dynamically expanding file" was the default during volume creation?

    • You can't encrypt the Linux root filesystem with TrueCrypt. That's where the other tools come in.
    • by asnelt (1837090)
      The problem is that TrueCrypt is not free software. It is open source but you don't have the freedom to distribute your own modified version. Therefore, there cannot be any community-driven development of TrueCrypt and - unless you can fix things that you don't like yourself - you are subject to the whim of the original developers of TrueCrypt.
      • Re: (Score:3, Informative)

        by asnelt (1837090)
        Sorry, I just noticed that you can now distribute modified versions of TrueCrypt. They must have changed the license.
    • by DiSKiLLeR (17651)

      Regarding TrueCrypt, some of the stuff is simple enough. Encrypted filesystem inside a file, or encrypted partition. Okay. I've done enough under linux with mounting filesystems within files and other stuff to understand how that works very easily.

      But then... what boggles my mind, is, how do some of the features of full disk encryption even work?

      What performs the decryption while the operating system (whether it be windows or whatever) loads?

      And how can your system disk be in a half encrypted half not state

      • For whole disk encryption, TrueCrypt installs a driver between Windows and BIOS that provides transparent crypto service to Windows. And it's only for Windows. For Linux whole disk encryption, something like LUKS is needed.
    • I've never understood using truecrypt when you can just use the built-in LUKS feature set.

      • by sauge (930823) on Sunday April 10, 2011 @12:26AM (#35771986)
        Cross operating system compatibility. I can put something (like my tax info) on a true crypt disk on my Mac, and then email it to my mom (an accountant) who can open it on her windows PC.

        Which leads to another benefit, my mom is no system administrator, but she can open a file, enter a password, and double click the file within.

        Furthermore, if I want to deal with it - I can put it on my Linux machines.

        Finally, if a technician needs to fiddle with the system, I can unmount the drives and let them in with (less) worry about what they may find. (Tend to deal with health care information.) In other words, I can compartmentalize who can see what.
        • by Fnord666 (889225)

          > I can put something (like my tax info) on a true crypt disk on my Mac, and then email it to my mom (an accountant) who can open it on her windows PC.

          You really don't have to go to the extreme of mailing your Mac. Just have her use logmein [logmein.com] for instance.

    • by gust5av (1542231)

      Check this out:

      http://sourceforge.net/projects/stlth/ [sourceforge.net]

      It's like Truecrypt but based on dm-crypt, GPL and supports unlimited numbers of hidden volumes.
      That's real plausible deniability, unlike Truecrypt.

    • by npsimons (32752) *

      > http://www.truecrypt.org/
      >
      > There we go.. I don't understand why this is still a question.

      This is why [debian.org]. Also, dm-crypt/luks is included with Linux by default and Debian makes it dead simple to set up whole disk encryption on a fresh install; I believe that truecrypt won't work for whole disk encryption for Linux.

      All due respect to the truecrypt guys and their work (cross-platform encrypted images are awesome), but the only reason Windows and OSX need truecrypt is because they don't have something like Linux's dm-cr

      • by gozar (39392)

        > All due respect to the truecrypt guys and their work (cross-platform encrypted images are awesome), but the only reason Windows and OSX need truecrypt is because they don't have something like Linux's dm-crypt.

        With OS X you can use Disk Utility to create encrypted sparse images, which are nicer than Truecrypt volumes for some things. Especially since sparse disk images only take up as much space as what is stored on them. Not cross platform though. :-(

  • Where's eCryptfs? (Score:2, Insightful)

    by Anonymous Coward

    eCryptfs is the default disk encryption technology shipping in Ubuntu. You can turn it on from the installer. How does that not make the list? I've never even heard of SD4L.

    • by Anrego (830717) *

      Possibly because it's a file system level encryption tool vice a full disk encryption tool. Then again, they included cryptsetup which is just a userspace utility for dm-crypt, so I'd chalk this up to just being a lame article!

  • Isn't everyone concerned about security already using hardware encryption - which is higher performance, and built in to almost every hard drive?

    https://secure.wikimedia.org/wikipedia/en/wiki/Hardware-based_full_disk_encryption [wikimedia.org]
  • Yes, it's wonderful, but what if a user stores his /home on same partition as OS install (bad I know, but happens) and uses encryption? If the OS crashes how can recovery be done of users data? Is there a way to recover encrypted data on a drive? Or is it a double edge sword kind of thing?

    • by LilWolf (847434)
      As long as you know the pass phrase used for the encryption you can stick a LiveCD in and mount the encrypted partitions. The way it's done depends on what was used for the encryption. Google is your friend for finding a relevant HOWTO ;)
  • For most of you this will be obvious, but -

    If someone steals your computer (home or laptop) your password is useless to protect it; all they have to do is put your drive in their system and presto, they have access to everything on your disk(s).

    And you might be surprised at how many logins are saved on your disk (web pages, mail servers, etc.), and how many are unencrypted or only very weakly encrypted. (For that matter, they can just run the same application using your configuration files, and never have to

    • by MacTO (1161105)

      I usually recommend the opposite. There are cases where encryption is necessary because confidential data is being handled. The flip side is that full disk encryption makes it difficult, if not impossible, to recover data from corrupt file systems or failing hard drives.

      • > I usually recommend the opposite. There are cases where encryption is necessary because confidential data is being handled. The flip side is that full disk encryption makes it difficult, if not impossible, to recover data from corrupt file systems or failing hard drives.

        I recommend instead making regular backups to a separate disk, also encrypted.

      • Backups are a better solution than disk recovery.

        I don't recover disks anymore, we just reformat and reinstall for everything these days. I can reinstall a Linux box in under an hour and a Windows machine in a bit more. Restoring from backups is simple enough after that.

        I don't want data on the drives to be recoverable, because it may not be me doing the recovering.

    • by Gordonjcp (186804)

      You should encrypt the disks on every computer.

      What, even when it's massively inappropriate to do so? I can't think of any circumstances under which I'd ever use even FS encryption, never mind full-disk encryption. Disks are slow enough as it is.

  • by countertrolling (1585477) * on Saturday April 09, 2011 @06:56PM (#35770570) Journal

    It's an ad link site [linuxlinks.com].. Turn off your cookies on these guys..

    Information that is provided to advertisers consists of aggregate statistics that we collate. This includes geographical and psychographic* information.

    When links are submitted to our site, we request that the sender provides us with their real name and email address.

    You know the routine..

    *Huh??

  • Doesn't matter if the link is in the post or not. The article left out luks

  • I bought a cheapie netbook. I'm trying this out now with Ubuntu Alternate. Should be interesting on the Atom based piggie.

    • > I bought a cheapie netbook. I'm trying this out now with Ubuntu Alternate. Should be interesting on the Atom based piggie.

      I've done what you describe and would like to share my experience. I've been running ubuntu with a luks encrypted root drive on an atom netbook for over a year on several systems. I've installed luks on internal HD's, external HD's, SD cards and USB sticks. Also I did experiment with further encryption of home directories using ecryptfs.

      Using luks does slow your computer and each additional level of encryption adds to this delay. I have no real measurements but I could "feel" the lag and estimate it to be 1

  • Anyone care to suggest their top five for OS X? Slap me if that's already covered in another post. - DX
    • System Preferences -> Security -> FileVault

      Turn it on.

    • by Voline (207517)

      If you're worried that a proprietary framework might be compromised by the Government threatening/bribing Apple into implementing a back door ...

      "We can make that FCC investigation into the back-dating of executive stock options go away, Mr Jobs. If you'll cooperate with the government ..."

      ... or you just want a solution that works better with Time Machine than FileVault does, here is a How-To [blogspot.com] on getting EncFS full-disk encryption working on Mac OS X.

      Nota bene: I have not tried this yet myself.

      • by GCsoftware (68281)

        Erm, even the author of that states that these issues are now fixed with Snow Leopard and recommends against using EncFS on OS X.

        Also, you can't use EncFS on your whole home dir as it doesn't support some extended attributes that OS X relies on.

    • by Cybersonic (7113)

      I agree that you might need to look at a proprietary solution for OSX.

      PGP (now owned by Symantec) and Guardian Edge (also owned by Symantec) would work.

      Pointsec (now owned by Check Point) also supports OSX.

  • BitVisor [bitvisor.org] is open sourced (BSD licensed). It can provide both disk encryption and transparent VPN/IPsec support to multiple OSes (Win, Linux, ...)

    It's a little annoying when people try to make definitive lists, but don't include rather popular options on their list. Do list makers not have Google?

  • Whole disk encryption has a side-channel cracking, which is very trivial.
    http://en.wikipedia.org/wiki/Cold_boot_attack [wikipedia.org]
    http://it.tmcnet.com/news/2010/03/30/4700389.htm [tmcnet.com]
    ANY WHOLE HARD DRIVE ENCRYPTION IS PRONE TO A SIDE-CHANNEL ATTACK.
    • by rainsford (803085)
      Those attacks also work just as well on ANY encryption product, it is not a weakness specific to Truecrypt or any other whole disk encryption program. Being able to read RAM through firewire or read old values after the computer is turned off and back on is a fundamental weakness of modern computer systems that encryption software can't really solve.
      • Precisely the reason I put the emphasis on ANY.
        But the Passware forensic tool is focused on Truecrypt and Bitlocker Whole Disk Encryption... and it is so trivial that even a trained monkey could do it (aka. IT guy)
  • just some links with ads
  • These tools are fine for personal use - but not easily adapted to corporate use e.g. PCI DSS. Mandatory requirements for PCI DSS include key management under dual control and split knowledge.
    As such, commercial tools still rule in the storage encryption space.
    And I'm no programmer, so I can't resolve these shortcomings.
    lyalc

  • We all know that from a technological point of view we should be satisfied. But don't you think we should spend some time in "spreading the word" and teach people that encryption should be considered in our life as a concept? Until we don't let people understand how important encryption is, all those tools out there will just waste space on hard drives. I think the culture of encrypting documents and communication in general is missing. Until we don't have that culture all the technology that already solves
