Disk encryption software

From Wikipedia, the free encyclopedia

To protect the confidentiality of data stored on a computer disk, a computer security technique called disk encryption is used. This article discusses software used to implement the technique (for the cryptographic aspects of the problem, see disk encryption). Compared with the access restrictions commonly enforced by an OS, this technique protects data even when the OS is not active, for example if the data is read directly from the hardware.

Such software encrypts data stored on a computer's mass storage and transparently decrypts the information when an authorized user requests it: no special action by the user (except supplying a password or passphrase at the beginning of a session) is required. Some also provide plausible deniability with deniable encryption techniques.

The volume-level encryption is particularly suited to portable devices such as laptop computers and thumb drives. If used properly, someone finding a lost device will have access only to meaningless encrypted files. A strong passphrase (e.g. five or more diceware words) is essential for full security.

Although disk encryption software can transparently operate on an entire disk volume, a directory, or even a single file, it is important to differentiate it from (non-transparent) file encryption software, which encrypts or decrypts only individual files and always the whole file (the decrypted file is stored in a temporary file in unencrypted form). Examples of software which can be used for file encryption are special-purpose software (e.g., GNU Privacy Guard), file archivers, and even some text editors (e.g., emacs or vi).
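The property described above, transparent per-sector encryption with random access and no whole-file round trip, as an added example that is not part of this article or any of the listed products. It models an in-memory "disk"; HMAC-SHA256 is used as a stand-in keystream generator (an assumption made to stay standard-library only, not a real disk-encryption cipher), and the key, sector size and data are constructed for the example.

```python
import hmac
import hashlib
import os

SECTOR_SIZE = 512  # constructed for this example


class EncryptedVolume:
    """Toy transparent sector-level encryption over an in-memory 'disk'."""

    def __init__(self, key: bytes, num_sectors: int):
        self.key = key
        self.disk = bytearray(SECTOR_SIZE * num_sectors)  # only ciphertext lives here

    def _keystream(self, sector: int) -> bytes:
        # The keystream depends on the sector number (an IV derived from the position),
        # so identical plaintext in two sectors produces different ciphertext.
        # HMAC-SHA256 stands in for a real block cipher; a toy choice for this example.
        # Caveat: rewriting a sector reuses this keystream, which leaks the XOR of old
        # and new contents; real disk encryption avoids this with a tweakable
        # block-cipher mode such as XTS rather than a stream construction.
        blocks = []
        for ctr in range(SECTOR_SIZE // 32):
            msg = sector.to_bytes(8, "big") + ctr.to_bytes(4, "big")
            blocks.append(hmac.new(self.key, msg, hashlib.sha256).digest())
        return b"".join(blocks)

    def write_sector(self, sector: int, plaintext: bytes) -> None:
        if len(plaintext) != SECTOR_SIZE:
            raise ValueError("plaintext must be exactly one sector")
        ks = self._keystream(sector)
        off = sector * SECTOR_SIZE
        self.disk[off:off + SECTOR_SIZE] = bytes(p ^ k for p, k in zip(plaintext, ks))

    def read_sector(self, sector: int) -> bytes:
        # Random access: only the requested sector is decrypted, nothing else is touched.
        ks = self._keystream(sector)
        off = sector * SECTOR_SIZE
        return bytes(c ^ k for c, k in zip(self.disk[off:off + SECTOR_SIZE], ks))

    def raw_sector(self, sector: int) -> bytes:
        """What someone reading the hardware directly (bypassing the OS) would see."""
        off = sector * SECTOR_SIZE
        return bytes(self.disk[off:off + SECTOR_SIZE])


def demo(key: bytes = None) -> dict:
    vol = EncryptedVolume(key=key or os.urandom(32), num_sectors=4)
    data = b"top secret".ljust(SECTOR_SIZE, b"\0")  # constructed sample plaintext
    vol.write_sector(0, data)
    vol.write_sector(3, data)  # sectors 1 and 2 are never read or written
    return {
        "roundtrip": vol.read_sector(3) == data,
        "raw_differs": vol.raw_sector(3) != data,
        "sectors_differ": vol.raw_sector(0) != vol.raw_sector(3),
    }
```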


Notable disk encryption software

Windows/PocketPC

Windows

Windows/Linux

Linux

  • aespipe, program to encrypt a file stream with the AES algorithm with key lengths 128, 192 and 256 bit.
  • dm-crypt, included in the mainline kernel starting with version 2.6.4. Kernel versions earlier than 2.6.19 contained a bug that could cause data corruption when used together with software RAID5.[citation needed]
    • cryptmount allows mounting dm-crypt volumes without superuser privileges.
    • LUKS (Linux Unified Key Setup) aims to improve dm-crypt key management.
  • Cryptoloop, a "loopback" encryption method, is included in the mainline kernel but has some security weaknesses and has been deprecated in favor of dm-crypt.
  • eCryptfs, a stacked filesystem in the kernel version 2.6.19.
  • EncFS uses FUSE to provide an encrypted filesystem in user space.
  • loop-AES supports kernel 2.0.x onward; no kernel patch is required, but a kernel module must be loaded. It is one of the most mature methods.
  • PhoneBookFS is another encrypted filesystem in userspace using FUSE, providing a higher level of deniable encryption through chaff and layers. No longer maintained.
  • rubberhose, last version (alpha) released in 2000. Never released a beta version. Not maintained. Only works with the Linux 2.2 kernel which is also no longer supported by Linus Torvalds.
  • StegFS, the current successor to the ideas embodied by the rubberhose and PhoneBookFS filesystems and in need of developers.

BSD

Mac OS X

  • Disk image support includes optional AES-128 encryption.
    • Since 10.3, FileVault uses this capability to provide an encrypted home directory.
  • "Secure virtual memory" support since 10.4.

See also

External links