This is an old revision of this page, as edited by Maxt (talk | contribs) at 10:43, 23 December 2006 (→Reverted vandalism. The dispute has been discussed sufficiently and no new arguments have been presented.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
Disk encryption is a computer security technique used to protect the confidentiality of data stored on a computer disk. This article discusses software used to implement the technique (for the cryptographic aspects of the problem see disk encryption). Unlike the access restrictions commonly enforced by an operating system, disk encryption protects the data even when the OS is not running, for example when the disk is removed and read directly on other hardware.
Such software encrypts data stored on a computer's mass storage and transparently decrypts it when an authorized user requests it: no special action by the user is required beyond supplying a password or passphrase at the beginning of a session. Some products also provide plausible deniability using deniable encryption techniques.
Volume-level encryption is particularly suited to portable devices such as laptop computers and thumb drives. Used properly, it means that someone who finds a lost device has access only to meaningless ciphertext. Two caveats apply. The protection covers data at rest only: a device that is powered on with the volume unlocked, or suspended with the key still in memory, is not protected. And the security rests on the passphrase, so a strong one (e.g. five or more Diceware words) is essential.
Although disk encryption software can transparently operate on an entire disk volume, a directory, or even a single file, it should be distinguished from (non-transparent) file encryption software, which encrypts or decrypts individual files, always as a whole, and writes the decrypted file to disk as a temporary file in unencrypted form. Examples of software that can be used for file encryption are special-purpose tools (e.g. GNU Privacy Guard), file archivers, and even some text editors (e.g. emacs or vi).
Notable disk encryption software
Cross-Platform
All programs included in this section run under more than one operating system.
Remark: Software that runs on two versions of one operating system is not considered cross-platform. For example, even though Windows 3.11 and Windows Vista are substantially mutually incompatible, they are merely two versions of one operating system.
Windows/Linux
- TrueCrypt (open-source, free), which also provides plausible deniability through hidden volumes.
- BestCrypt (commercial), with plausible deniability.
- CompuSec (proprietary, free and commercial versions) supports encrypting the boot volume.
Linux
- aespipe, a program to encrypt a file stream with AES using 128-, 192- or 256-bit keys.
- dm-crypt, included in the mainline kernel since version 2.6.4. Kernel versions earlier than 2.6.19 contained a bug that could cause data corruption when dm-crypt was used on top of software RAID5.
- cryptmount allows dm-crypt volumes to be mounted without superuser privileges.
- LUKS (Linux Unified Key Setup), an on-disk header format (managed with cryptsetup) that improves dm-crypt key management: the volume key is stored wrapped by one or more passphrases, so a passphrase can be changed without re-encrypting the data.
- Cryptoloop, a "loopback" encryption method, is included in the mainline kernel but has known security weaknesses (notably watermarking attacks against its predictable IVs) and has been deprecated in favor of dm-crypt.
- eCryptfs, a stacked (file-level) encrypting filesystem merged in kernel version 2.6.19.
- EncFS, an encrypted filesystem in user space built on FUSE.
- loop-AES supports kernels from 2.0.x onward; no kernel patch is required, but a kernel module must be loaded. It is one of the most mature methods.
- PhoneBookFS is another encrypted filesystem in userspace using FUSE, providing a higher level of deniable encryption through chaff and layers. No longer maintained.
- rubberhose: last version (alpha) released in 2000; no beta was ever released and it is not maintained. It works only with the Linux 2.2 kernel, which Linus Torvalds also no longer supports.
- StegFS, the current successor to the ideas embodied by the rubberhose and PhoneBookFS filesystems and in need of developers.
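The dm-crypt, cryptmount and LUKS entries above describe the pieces; the following added example (not from the article and not the cryptsetup project's own code) puts them together as one would before trusting a real partition to them: a LUKS container in an ordinary file, attached through a loop device, formatted, mounted, written to and closed again, followed by a check that the marker string written inside cannot be found as plaintext in the container. Assumed tools are dd, losetup, cryptsetup, mkfs.ext3 and mount; the mapping name "demovol" and the marker are arbitrary choices for the demo.

```shell
#!/bin/sh
# Added example: a LUKS-formatted dm-crypt volume kept in a plain file.
# make_container and plaintext_absent need no privileges; luks_roundtrip
# requires root (loop devices, device-mapper, mount).

# make_container FILE SIZE_MB: zero-filled backing file for the volume.
make_container() {
    dd if=/dev/zero of="$1" bs=1M count="$2" 2>/dev/null
}

# plaintext_absent FILE MARKER: succeed (0) if MARKER does not occur in
# FILE as plaintext, fail (1) if it does. This is the check that the data
# really is encrypted on disk rather than merely hidden behind the OS.
plaintext_absent() {
    if grep -a -q -F -- "$2" "$1"; then
        return 1
    fi
    return 0
}

# luks_roundtrip FILE PASSPHRASE MARKER (root only): format FILE as LUKS,
# open it as /dev/mapper/demovol, store MARKER in a file on it, then tear
# everything down. Afterwards FILE holds the LUKS header plus ciphertext,
# so "plaintext_absent FILE MARKER" succeeds.
luks_roundtrip() {
    loopdev=$(losetup -f --show "$1") || return 1
    # The passphrase is fed on stdin ("--key-file -") so it never appears in
    # the process list. LUKS derives a key-encryption key from it (PBKDF2)
    # and stores the wrapped volume key in the header.
    printf '%s' "$2" | cryptsetup -q --key-file - luksFormat "$loopdev" || return 1
    printf '%s' "$2" | cryptsetup --key-file - luksOpen "$loopdev" demovol || return 1
    mkfs.ext3 -q /dev/mapper/demovol
    mnt=$(mktemp -d)
    mount /dev/mapper/demovol "$mnt"
    printf '%s\n' "$3" > "$mnt/secret.txt"
    umount "$mnt"
    rmdir "$mnt"
    cryptsetup luksClose demovol      # volume key is dropped from the kernel here
    losetup -d "$loopdev"
}

# Usage (as root):
#   make_container vol.img 16
#   luks_roundtrip vol.img 'correct horse battery staple' SECRET-MARKER
#   plaintext_absent vol.img SECRET-MARKER && echo 'no plaintext in container'
```

The negative control is worth running too: write the marker into a plain file and confirm that plaintext_absent fails on it, so that a passing check on the container is known to mean something.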
BSD
- CGD for NetBSD
- GBDE and GELI for FreeBSD
- vnconfig -k for OpenBSD
Mac OS X
- Disk image support includes optional AES-128 encryption.
- Since 10.3, FileVault uses this capability to provide an encrypted home directory.
- "Secure virtual memory" support since 10.4.
Windows
- BitLocker Drive Encryption will be available in the Enterprise and Ultimate editions of Windows Vista.
- CrossCrypt (open-source, free) supports Linux loop-AES format and old SuSE Twofish format.
- FreeOTFE (open-source, free), also provides plausible deniability and has support for Linux disk formats (cryptoloop, dm-crypt and LUKS).
- FreeOTFE4PDA (freeware) runs on Windows Mobile.
- Scramdisk
External links
- Detailed wiki-style article on disk encryption at infoanarchy.org
- Inside NetBSD's CGD
- Encrypting filesystems under Linux - HOWTO
- Cryptoloop - HOWTO