BIOS passwords are often poorly implemented and easily defeated by simply pulling out the mobo battery to reset the CMOS.
Windows passwords are laughably easy to just delete or get around.
It's also likely that your password just isn't as strong as you think it is and he's guessing it.
If you really want to lock things down, I'd encrypt the drive with Veracrypt, follow their steps for System Encryption, and make sure the password you use is something strong and non-personal that he can't guess. There is no way around this password, so make sure you do not forget it, as you'll have to type it in before Windows loads. If you forget it, you can't access anything on your computer and will have to wipe it and reinstall Windows.
I'd also highly recommend backing up any important data before encrypting the drive.
I think VeraCrypt is close to what you want. You can encrypt (password protect) entire drives or you can create a virtual encrypted disk within a file and mount it as a drive.
Not as easy as setting a password to a folder but still... works pretty well for me.
1) Install a second drive which is >= 4 TB
2) Download and install Veracrypt
3) Create & mount appropriate Veracrypt container(s) on 2nd drive
4) Copy all files from 1st drive into Veracrypt container(s) on 2nd drive
5) Dismount Veracrypt container(s) on 2nd drive
6) Ensure that you will not forget the password(s) to your Veracrypt container(s)
7) Give your friend the 2nd drive
I recommend making a wallet on https://myetherwallet.com, downloading the keystore file onto a usb encrypted with Veracrypt. It's like a cheap but somewhat secure version of a hard wallet.
I recommend only using open sourced software, that way you know there's no backdoors installed in it. Good open sourced encryption would be things like veracrypt. Veracrypt is good for encrypting USBs and files. Linux uses LUKS for full disk encryption, which is open sourced. Also I think linux updates their system more than windows. Back when I was still using windows, I would get like bi-monthly updates. It's not uncommon for me to get weekly sometimes twice weekly updates on my linux machine. They patch their system more frequently, and I check for updates everyday because you could miss one if you only check every so often.
I'd recommend LibreCrypt.
It has an Open Source license; works on both Linux and Windows; and uses the standard Linux LUKS architecture; which has been more vetted by third party security researchers than pretty much any other full-disk encryption alternative (including bitlocker).
Edit: for those who don't know what plausibly deniable encryption is: TrueCrypt allows you to setup (and later give out, gun-to-your-head scenario) a secondary password that will open a secondary, non-sensitive container. It is mathematically impossible to tell whether an encrypted archive has 1 or 2 passwords.
That's how you circumvent this problem.
I can save you from reading the rest of the comments and say that nobody knows. It's the same theories about being raided by the FBI and some still believe that it's secure to use.
This is the fork of TrueCrypt that plans on having active development after the TrueCrypt audit is complete. https://ciphershed.org/
Anybody who is thinking about plausible deniability should read the cryptsetup FAQ about it: 5.18 What about Plausible Deniability? It may not be such a good idea.
LUKS is the "main" Linux solution for disk encryption.
Here's the Archlinux wiki page on disk encryption, you might find it helpful.
That's definitely disk encryption. Here's some more information.
Unfortunately, unless you can get the passphrase (yes - doesn't have to be a short password, it can be quite long - a phrase, song verse, or so on) from some other thing (guess? written down somewhere?) you're not going to get the data off of it.
The good news is you should be able to try as many times as you want, I don't believe it has any kind of a self-destruct mechanism.
Very big. 1000 iterations was fine at 2004 standards but NOT by today's standards at all. Generally, VeraCrypt is just one big security improvement. They are committed and that's what we need to see. I know there is also the TrueCryptNext project but I feel like VeraCrypt is already the successor to TrueCrypt. No need for shit like CipherShed or https://truecrypt.ch when we have Mounir putting in countless hours to VC. Glad it is getting a code audit finally.
Change of subject.. Can't recommend this encryption software enough. VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. Oh.. and they accept Monero donations.
Basically, TrueCrypt was an open source, powerful encryption program that was extremely effective, to the point where intelligence agencies were unable to crack it, until one day the TrueCrypt project was discontinued and the website heavily endorsed using Microsoft's built-in BitLocker encryption instead. Knowing that large corporations such as Microsoft work hand in hand with intelligence agencies, and that this was before the adoption of warrant canaries, we can only assume that this sudden endorsement of a much weaker program was a coded attempt by the developers to tell us that they had been compromised and were under some sort of gag order.
TrueCrypt was discontinued and forked off into VeraCrypt.
I'm not sure what you're talking about. On Linux the de facto standard for disk encryption is LUKS and has been for years. It's very well integrated these days and is completely transparent in normal use.
I have never used a disk attached to the router's USB port, but I would basically doubt its stability.
That said, you can create encrypted containers with veracrypt (https://www.veracrypt.fr/en/Home.html) and put whatever you want inside them.
I wrote a journal in the 6th grade. My stepsister found it three pages in and made fun of me. I stopped writing a journal.
Now I have a log (since three years ago). Basically a text file (org mode) next to my TODO list; it's secured in an encrypted partition (veracrypt). I only log what I did on the particular day: exercise, tasks at work, expenses, progress in books etc. This is useful for two reasons:
I could use 3rd party services instead, but I've been disappointed with some (last.fm, endomondo becoming more commercialized), and there are privacy risks, when someone else is in control of the data (security breaches aside, the user is the actual product more often than not).
We use VeraCrypt on any laptops crossing borders. Plausible deniability through hidden volumes. Suck it, Mr secret agent man.
Not that I'm ever carrying secret squirrel data (passwords in Keepass DBs sometimes), but I hide any pirated movies or shows on my laptop when flying internationally.
Phones? Meh. I just assume anything on my phone is accessible by anyone, and act accordingly.
Hasn't happened yet, but company policy is to scrap any device that gets taken away for examination. Who knows what cyber cooties it's been infected with.
LUKS does something similar in that you need to store something in addition to your ciphertext:
On encryption, LUKS derives the key via PBKDF2 from the password. The key is kicked through PBKDF2 one more time and saved as the "key checksum". On decryption, a password is only accepted if PBKDF2(PBKDF2(password)) == key checksum. See Page 11 https://gitlab.com/cryptsetup/cryptsetup/-/wikis/LUKS-standard/on-disk-format.pdf
This construction reuses the assumptions that PBKDF2 can't be inverted. I chose this because I felt that mixing in cipher primitives added unnecessary parts to the whole construction.
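The check described above, as an added example rather than code from the original comment or from cryptsetup: the key is derived from the password with PBKDF2, passed through PBKDF2 once more, and only that second output is stored next to the salts. SHA-256, the iteration count, the salt sizes and the record layout are assumptions made for the example, and the function names are hypothetical; real LUKS additionally keeps the volume key encrypted in key slots, which is left out here.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH = "sha256"        # assumption: the comment does not name a hash
ITERATIONS = 200_000   # assumption: illustrative work factor
KEY_LEN = 32           # bytes of derived key
CHECKSUM_LEN = 20      # bytes of stored "key checksum"


def create_record(password: bytes, iterations: int = ITERATIONS) -> dict:
    """Derive the key and return only what must be stored beside the ciphertext."""
    key_salt = os.urandom(32)
    checksum_salt = os.urandom(32)
    key = hashlib.pbkdf2_hmac(HASH, password, key_salt, iterations, KEY_LEN)
    checksum = hashlib.pbkdf2_hmac(HASH, key, checksum_salt, iterations, CHECKSUM_LEN)
    # The key itself is never written: salts, work factor and checksum only.
    return {
        "key_salt": key_salt,
        "checksum_salt": checksum_salt,
        "iterations": iterations,
        "checksum": checksum,
    }


def unlock(record: dict, password: bytes) -> Optional[bytes]:
    """Return the derived key if PBKDF2(PBKDF2(password)) matches, else None."""
    key = hashlib.pbkdf2_hmac(
        HASH, password, record["key_salt"], record["iterations"], KEY_LEN
    )
    candidate = hashlib.pbkdf2_hmac(
        HASH, key, record["checksum_salt"], record["iterations"], CHECKSUM_LEN
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    if hmac.compare_digest(candidate, record["checksum"]):
        return key
    return None


if __name__ == "__main__":
    record = create_record(b"long random passphrase")      # constructed sample
    print("right password :", unlock(record, b"long random passphrase") is not None)
    print("wrong password :", unlock(record, b"guess") is not None)
    # A damaged salt makes even the right password fail, which is why the
    # stored metadata needs a backup of its own.
    damaged = dict(record, key_salt=bytes(32))
    print("damaged record :", unlock(damaged, b"long random passphrase") is not None)
```
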
You have probably heard that to write fast, SSDs need the free space initialized with zeroes. So SSDs are constantly erasing themselves in the background. That is called 'trim' or 'discard' operation.
If you properly initialize your encryption you will have the whole disk filled with random-looking data. Then when you use your disk you will replace this data with other random-looking data. The SSD will have to first initialize the area you want to write to with zeroes and then write the new data you want to store. The performance will drop at least two times, killing the SSD advantages. You can expect SSD lifetime to drop two times too.
Also some controllers use compression to speed up operations, and will lose performance not being able to compress random-looking encrypted data.
To avoid that you can allow trim/discard to initialize empty space with zeroes, but then anyone looking at your SSD will know where and how much space you are using. Also forensics experts can determine what type of filesystem you are using (ext4, ntfs, etc.) So you trade some privacy for performance.
Another aspect of SSDs is that they reserve some space for 'garbage collection'. When you see a Kingston 480 GB disk it means that there is a 512GB chip inside with 32 GB reserved for trim. Some manufacturers reserve more, some less, but they all do it. Firmware is in control of that area, and it doesn't disclose anything about its algorithms. So on a magnetic HDD you can simply erase your LUKS header and be sure your data is safe. But you have no control over an SSD. Even if you overwrite it multiple times - you cannot touch the reserved area.
Also please read answer 5.19 of this FAQ: https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions
> which has many 'eyeballs' on it since its's open source
4 contributors, 3 of which have 2 or less commits and 60 tickets with only 19 closed is hardly "many eyeballs". Also no updates in 6 months and a ticket open asking where the maintainer has gone
Too late for this time --- but moving forward, if you use Full Disk Encryption just change your passphrase to something huge and random. I like LUKS for Linux and LibreCrypt (which is a port of LUKS to Windows) for Windows.
But don't trust the full-disk-encryption built into the hard drives --- those are known to have so many serious weaknesses that they're probably intentional back-doors.
>>> Overall we analyzed 6 different hardware models spread and well-distributed in the global market. We show the security concept intended from WD and present vulnerabilities on different hardware models. These findings range from easy eDEK leakages to perform off-line password brute-force to complete backdoors and plain KEK storage, resulting in complete security bypass. ... We were able to extract the bridge’s firmware and eDEK in every hardware model with ease by software and/or chip-off ... The preinstalled VCD software that runs on hosts was found to generate weak key material .... The RNG generator of the JMS538S has been shown to be predictable, as it returns 255 different bytes in a specific order ... Further analysis showed that the factory set DEK on JMS538S devices are attacked with a simple table lookup attack ... The weakest hardware model in terms of security is the INIC-3608 bridge. The chip does not support hardware accelerated AES encryption, and it’s main purpose is the bridging and user authentication. The authentication is done by a simple memory compare matching with a stored plain KEK ... We were also able to bypass the ATA password set by the USB bridge with commercial tools, allowing data-access.
TL/DR: Next time use F/OSS software-based full-disk encryption
You can use LUKS/dm-crypt with NTFS or FAT32 on top and mount it under Windows with LibreCrypt
As for your second question:
Try if the Windows build from the official repository is portable, otherwise: No
> You should make sure you remember your email, master password, and your 2fa recovery code. Perhaps print them out and store them somewhere safe? Or keep them in an encrypted archive and make sure you have a copy offsite.
>
> I would also highly recommend backing up your vault occasionally, just in case. You can search this Reddit for how to do that (depends on your OS and device a bit).
For the latter, I would recommend exporting the vault to an encrypted VeraCrypt container. You can then backup the container like a regular file (external disks, cloud storage, etc).
Copying my top level comment here:
If he had turned on FileVault then this wouldn't be possible.
Without FileVault, your data is only protected by file permissions (which means if you can get root/admin access, you can see any of it, which as you discovered, reinstalling the OS (or even booting to the recovery partition) will allow you to do). If they have physical access to the machine, they WILL be able to see your data without FileVault enabled. It's just a matter of them knowing how. The same goes for Windows, and maybe even Linux (though I'm not as knowledgeable there)
WITH FileVault, your data is encrypted, and cannot be seen without putting in your account password or recovery password. If you don't remember/know either password, the data is completely useless. So even if he was dumb like he was and didn't format before reinstalling, his user data would have been completely encrypted and inaccessible (assuming he didn't have auto-login on, but why would you do that if you are concerned with security?)
There are two promising projects building on TrueCrypt code, though I wouldn't trust them without looking at the diffs manually. That said I did quickly glance over VeraCrypt's changes and it seems that the majority of the patches are related to fixing the problems uncovered in the TC security audit.
The current version of TrueCrypt is compromised by its authors but the previous version 7.1a is thought to be good although with a few weaknesses. See here for more details. TrueCrypt remains very interesting because of its cross-platform nature. Not only does it run on multiple systems, the volumes are largely portable between them.
Someone else has already mentioned the ciphershed project whose aim is initially to make an easy to build copy of TrueCrypt with known weak points cleaned up.
First, there's only one FDE in Linux (LUKS / Cryptsetup), so there's no such thing as one full disk encryption packaged with Mint and one with Manjaro.
Still, from the top of my head, Mint will default to LVM when choosing FDE, while I'm pretty sure Manjaro doesn't. Can't tell if it makes any huge difference.
The screen with a countdown is GRUB. You can get rid of it (the Timeout) if you want by editing /etc/default/grub then run sudo update-grub.
You can't normally add second or third chances to enter your passphrase in this case. I know there are some very unofficial patches (like creating a nuke fake passphrase), but I wouldn't recommend starting to mess around with it, especially since you seem to be in your early Linux stage.
While you're at it, I'd suggest to explore Cryptsetup, starting with cryptsetup luksHeaderBackup :) . More over there
After loading the Linux kernel a minimal environment is loaded from initramfs (mkinitcpio). Initramfs uses cryptsetup to setup your block devices.
You probably want to patch cryptsetup and put your modified version into the initramfs image in /boot
Here is the source: https://gitlab.com/cryptsetup/cryptsetup/blob/master/lib/setup.c#L472
DiskCryptor and Truecrypt 7.1a will both do full disk encryption. I have heard that Diskcryptor allows for key files or otherwise can be made to need a usb stick for a disk encryption boot, but I have never used it so I don't know for sure, or how it works. Truecrypt can NOT use anything except a password for whole disk encryption, so I know for sure it doesn't do what you want. I would look into the documentation on Diskcryptor.
If you're looking for something portable, that works with multiple OS's try VeraCrypt (a continuation of TrueCrypt). It doesn't do individual file encryption but will let you create an encrypted container to store files and folders in.
There are pretty cool encryption tools and methods available. https://www.veracrypt.fr/en/Home.html
However, if the border agents find you using one of these tools, you're immediately in the very suspicious category.
There's no Mac virus in the wild. Malware will ask for your password. OS X scans for known malware. And per default only apps signed with a certificate from Apple will run (you can override by right clicking and choosing 'Open'). But it's relatively easy to get to your data if you have physical access. Enable File Vault (full encryption of your disk) and/or set a firmware password.
If in doubt, scan files you downloaded or files you forward to a Windows machine with ClamXav.
You didn't say your OS, but you could use a solution based on encFS, flavors of which are available on Windows, Macs, Linux, and Android. BoxCryptor is probably the biggest name using encFS under the hood, and I believe it works with Amazon Cloud. I have not used BoxCryptor.
encFS will encrypt both filename and file. It works well once it's up and running. I use it to mount an encrypted Dropbox folder as a drive letter in Windows. The drive letter acts like the normal files, but the Dropbox folder looks like it's full of random junk. I can also access those encrypted files through Android once Dropbox has synced (the Android program is called EncDroid).
On my Windows system, I use encFSPlus, but I probably wouldn't recommend that any more as it seems to not be updated. This, however, looks like it might work: http://encfsmp.sourceforge.net/
It says right on the website that: (Please note: currently unmaintained, which might have security implications)
I would much rather go with https://ciphershed.org/ since they are working with the 7.1a code and trying to make it better.
You may be interested in Veracrypt: https://www.veracrypt.fr/en/Home.html
Alternatively, build a dedicated machine for backups using something like FreeNAS that handles all the encryption for you. You can even have it automatically back up (encrypted) data to cloud storage so you don’t have to worry about floods, fires, etc destroying all your data.
As redditors have advised - Blame it on a virus, you noticed pop ups, computer slowing down, started noticing random files and folders being created.
Secondly, I advise installing Veracrypt - It's an encrypted container that has the option of setting up a hidden volume.
For example - If you are forced to open your shipping container, your secrets are exposed (normal Veracrypt volume).
However, you plan for the above, and you create a secret hidden area inside that shipping container that is physically impossible of exposing unless you want it exposed (hidden volume container).
So someone opens your shipping container and finds everyday items, nothing special...But you know there are little secrets hidden inside that oh-so-innocent volume.
Message me if you need more info.
Or come clean and have the adult conversation with your parents...Easier said than done.
Just for future reference, the firmware in Macs is EFI, not BIOS. And yes, you can set an EFI password, which would then need to be entered to choose alternate boot options upon startup.
That said, an EFI password would not prevent your data from being accessed if the drive were to be removed from the computer. The way to safeguard against this would be to use FileVault to set up disk encryption. Note however that this would prevent your OS X files from being accessible from Windows altogether.
An operating system is just a bunch of files. User data is also just a bunch of files. The two are not exclusively linked on any operating system. If you want to avoid what you discovered on OSX encrypt your HDD with FileVault http://support.apple.com/kb/ht4790 (do not store your key with Apple)
> despite the PR campaign to smear it,
The whole community around truecrypt always seemed a bit odd, though -- with their not-quite-open-source license, no open standard disk formats with third party applications, and not a lot of transparency regarding who was working on it.
I much prefer the approach taken by the LibreCrypt project.
It's Open Source, and works on Windows, but uses the standard Linux LUKS architecture; which has been more vetted by third party security researchers than pretty much any other full-disk encryption alternative (including bitlocker).
TL/DR: check out LibreCrypt for a project taking a better (more transparent) approach
Disclosure: I am the maintainer of https://github.com/t-d-k/LibreCrypt
What Natanael_L says is correct, it's an encoding issue. In fact, you can use non-ascii characters in the password, and the container will open fine on a PC with the same default encoding.
At some point it will change to use pure UTF-8 internally, but that will be non-backwards compatible, so for now it's safer to only use ASCII.
About using encryption twice: the maintainer of ecryptfs wrote: "I use both dm-crypt and eCryptFS on my Ubuntu laptop ;-)" (although both ecryptfs and dm-crypt are part of the linux kernel. So they should be much better tested and evaluated than gocryptfs). He explains himself: "Every elevator you have ever used has redundant safety mechanisms. Your car has both seat belts and air bags. Your friendly cashier will double bag your groceries if you ask. And I bet you've tied your shoes with a double knot before. Your servers have redundant power supplies, and redundant hard drives." He wrote about Heartbleed and states that using encryption twice (like in a webservice he developed) would have prevented this disaster.
I think this view is quite rare.
The way to do it is to use eCryptFS. Use it to create an encrypted hidden sub-directory that gets mounted when you log in.
Ubuntu makes this really, really easy.
With that, you can use whatever program you want to sync the hidden encrypted eCryptFS directory. Just make sure you don't lose your private .ecryptfs directory, or else you may be left with unrecoverable files.
Okay, here's what I'm trying now, which seems to work but it's pretty slow.
Mount your ACD with NetDrive as a network drive, then mount a 2nd network drive inside of that using EncFS MP.
Then just copy files into the EncFS drive and use it like a normal drive. EncFS will handle the encryption and Netdrive will handle the upload/download.
The official TrueCrypt project was shut down by its developers, likely for the same reasons the Lavabit admin shut their site down. The last stable version of TrueCrypt was audited, and most of the security holes that were found were fixed in the TrueCrypt forks, VeraCrypt, and CipherShed.
GPT is the partition table. The OS needs to be able to read that to have any idea what is on the disk, where the partitions are. It lets you have encrypted and unencrypted partitions and is widely understood by boot firmware (as a newer alternative to the Master Boot Record [MBR] specification).
The encryption is provided by LUKS. I believe Tails uses an AES256 cipher for the encrypted data, though what ciphers are available depends on the Linux kernel and the setup options.
You can check it using cryptsetup luksDump
For more details: https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions
The main boot volume is unencrypted for several reasons, mostly that it gets copied to RAM anyway and stores nothing personally identifiable by design.
So, you have multiple backup copies of your LUKS header? Because if that gets corrupted, merely knowing the passkey isn't enough to decrypt your data.
And, no, there are no backup copies automatically created by any distro's installer. If you haven't manually created one, you're one bad disk sector away from being forever locked out of the entire LUKS device.
gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery
But we'll jump straight to the bad news:
>6.9 What happens if I (quick) format a LUKS partition?
>I have not tried the different ways to do this, but very likely you will have written a new boot-sector, which in turn overwrites the LUKS header, including the salts, making your data permanently irretrievable, unless you have a LUKS header backup. You may also damage the key-slots in part or in full.
The downside of strong encryption is that it's very easy to lose everything. Sorry.
That's because it isn't an option during the creation of your encrypted drive on Windows 10, not on Windows 8. On Windows 8 it might be safe. However BitLocker is a bit controversial, most technical people don't use it for one or both reasons: It's proprietary and it's from Microsoft.
Personally I trust LUKS to be secure enough.
>Possible due to 1 it boots way faster. As soon as I logged in, I am good to go while on Windows I often had to wait at least half a minute until I was able to actually use the OS
What kind of storage are you running? I'm able to resume work in a few seconds from hibernation, fast start and cold boots on all of my computers.
>OS Partition is encrypted out of the Box in Ubuntu. No third party software necessary.
>Screenshots are so much easier as I can take them without having to copy them into some image editing software to save them. I press Print and bam: Screenshot saved to hard drive.
Windows + PrintScreen
Third party software like ShareX offer far more than that obviously.
>Kill Command over Terminal works so much better than Windows Taskmanager. I start Terminal, pull up my processes, kill the process ID and done. No weird loading around and messages about "Program not Responding" with a close button which does nothing. I kill a process, it is gone. Period.
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/taskkill
There are forks, like this.
The original devs "claimed" that TC is not secure, so I guess for many people that would cause enough of a doubt to not trust it.
Also, users need to trust devs of a fork, and we have no idea who they are (not that we knew original devs).
I personally don't see any reasons not to use 7.1a, if I needed encryption.
Yikes, I wouldn't download software from a website that doesn't support TLS. The best link I know of is https://truecrypt.ch/downloads/ . Bonus because it has PGP sigs and links to independent hashes.
Well, TC 7.2 allows you to only decrypt your TC volumes, all encrypting functions have been stripped from it. If you want to continue using TC, you can download 7.1a binaries from TCNext site.
As for TC forks, CipherShed is now in pre-alpha testing stage.
Encrypt your hard disks and storage mediums. TrueCrypt is not dead (new group taking over). The audit of TrueCrypt has been successful for phase 1, and it is still ongoing. I use it to encrypt my devices at the disk layer so you can't even boot the OS, let alone retrieve any data, without my lengthy key:
Also, use PGP when communicating with others:
http://www.reddit.com/r/DarkNetMarkets/comments/1qdzl8/guide_pgp_4_n00bz/
We know from Mr. Snowden the incredible depth that the NSA spying has. They literally can store EVERYTHING people are doing on the internet. The data centers are so incredibly vast it's mind-boggling. They store everything from your Google searches, to IM conversations, to FB posts, to even the facial meta data of you and your friends' faces from your pictures on FB. Wonder why FB is so good at facial recognition when you upload pics? It's best to minimize use of these services, if you use them at all.
-IT dude and programmer
Nice, thanks. So this, as opposed to the version above, is ready to be used right now without any possible problems I'd guess? And I've done some googling, does anyone know anything about this project https://truecrypt.ch ?
I believe Veracrypt (sort-of successor to Truecrypt) is able to encrypt a disk in-place, which offers the benefit of not needing to move the data before encrypting and ensuring that the plaintext is overwritten during the process. It also lets you use whatever filesystem you want and works on both Linux and Windows (maybe Mac not sure).
edit: It also allows for hidden volumes, meaning the fact that an encrypted volume exists on the drive can be hidden.
I don't think free cloud storage that respects your privacy exists. You could use VeraCrypt to create encrypted file containers, then upload them somewhere like Google Drive.
Yes, it is certainly possible. You need to consider the platforms you want to de-crypt on as well. If you're encrypting USB sticks, you most likely are after a cross-platform solution. I personally like to use Veracrypt.
This does not seem to be a good idea!
Please read the plausible deniability part (2.4 What is the difference between "plain" and LUKS format? and 5.18 What about Plausible Deniability?) of the LUKS FAQ!
>Second, there are two types of situations: Either they cannot force you to give them the key (then you simply do not) or they can. In the second case, they can always do bad things to you
(It is about plausible deniability, but it would work the same for wiping the drive, like "destroying evidence" or something like that.)
You have the option of storing your FileVault 2 key with Apple, so if you do lose it, you can simply call them, provide the answers to your security questions and they'll read the key off to you. More info here.
I think it's a good thing to have turned on, even for the off chance of your MacBook being stolen.
if you are serious about it being 'invisible' you should use an encryption system with 'deniable' encryption.
Truecrypt/Veracrypt supports a single 'hidden volume' which in theory cannot be detected without the password, and LibreCrypt supports multiple ones.
It is also possible to hide a disk in Explorer using a hack.
You can with the doxbox.sh script included with LibreCrypt. This automatically calculates an offset and uses it for a 'plain' dm-crypt volume, hidden inside a LUKS or dm-crypt volume. LUKS volumes themselves can't be hidden because it has a distinctive header.
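The "distinctive header" mentioned above is easy to see in the first bytes of a volume. The following is an added example, not part of the original comment or of LibreCrypt or cryptsetup: it recognises the LUKS magic and parses a LUKS1 header using the field layout from the LUKS on-disk format specification. The sample header is constructed in the code and the function names are hypothetical.

```python
import struct
from typing import Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 partition header: magic, version, cipher-name, cipher-mode, hash-spec,
# payload-offset, key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # 208 bytes, big-endian
# Key slot: active, iterations, salt, key-material-offset, stripes
SLOT = struct.Struct(">II32sII")                     # 48 bytes, 8 slots follow
SLOT_ENABLED = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD
HEADER_SIZE = PHDR.size + 8 * SLOT.size              # 592 bytes


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width text field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def luks_version(buf: bytes) -> Optional[int]:
    """Return the header version if the buffer starts with the LUKS magic."""
    if len(buf) < 8 or buf[:6] != LUKS_MAGIC:
        return None
    return struct.unpack(">H", buf[6:8])[0]


def parse_luks1(buf: bytes) -> Optional[dict]:
    """Parse a LUKS1 header; return None for anything that is not one."""
    if luks_version(buf) != 1 or len(buf) < HEADER_SIZE:
        return None
    (_, version, cipher, mode, hash_spec, payload_offset, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = PHDR.unpack_from(buf, 0)
    slots = []
    for i in range(8):
        active, iters, _salt, km_offset, stripes = SLOT.unpack_from(
            buf, PHDR.size + i * SLOT.size
        )
        slots.append({
            "index": i,
            "enabled": active == SLOT_ENABLED,
            "iterations": iters,
            "key_material_offset": km_offset,   # in 512-byte sectors
            "stripes": stripes,
        })
    return {
        "version": version,
        "cipher": _cstr(cipher),
        "mode": _cstr(mode),
        "hash": _cstr(hash_spec),
        "payload_offset": payload_offset,        # in 512-byte sectors
        "key_bytes": key_bytes,
        "mk_digest_iterations": mk_iter,
        "uuid": _cstr(uuid),
        "slots": slots,
    }


def build_sample_header() -> bytes:
    """Constructed sample header: zeroed salts and digest, one enabled slot."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                     4096, 64, bytes(20), bytes(32), 100000,
                     b"00000000-0000-0000-0000-000000000000")
    slots = SLOT.pack(SLOT_ENABLED, 250000, bytes(32), 8, 4000)
    for n in range(1, 8):
        slots += SLOT.pack(SLOT_DISABLED, 0, bytes(32), 8 + n * 504, 4000)
    return phdr + slots


if __name__ == "__main__":
    info = parse_luks1(build_sample_header())
    print(info["cipher"], info["mode"], info["hash"], info["key_bytes"] * 8, "bit key")
    print("enabled slots:", [s["index"] for s in info["slots"] if s["enabled"]])
    print("all-zero sector is LUKS:", luks_version(bytes(512)) is not None)
```
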
Y'all might consider this:
http://ecryptfs.org/about.html
It encrypts each file on disk, and you do a sort of "loopback" mount to present the unencrypted version to the system.
The nice thing about it is you can back up the underlying filesystem (with ZFS, zfs send and everything) and the data will remain encrypted in backups too, which won't work with the LUKS method mentioned below.
ecryptfs is not associated with ZFS; it works with any filesystem. That's what we use where I work for an encrypted file share.
First of all; Awesome article. I for one am also interested in a smartcard/encryption solution and have glanced at eCryptfs as it's "per-file", easy to setup with PAM and easier for backups as opposed to LUKS "block" encryption which is extremely fast and efficient, but cumbersome. There seems to be some yubikey usage out there as well.
There are various guides available, and it has been audited with some minor things found (https://defuse.ca/audits/encfs.htm). If you're on Mac or Windows, I'd recommend http://encfsmp.sourceforge.net/ over the encfs4win + dokan combination.
Yes, you can find them here. But please, bear in mind that these binaries shouldn't be used in production or for securing critical data, they've been released only for testing. So if you're planning to use them, be careful.
Hmm, this looks promising. How does this compare to the upcoming CipherShed, another TC fork?
I just tried installing them both, and CipherShed refuses to co-exist with TrueCrypt while VeraCrypt works just fine.
Truecrypt is being re-made/forked. It has multiple forks out using the second to last release as a base due to the breaking changes in the newest and last release that effectively turned off the crypto for new data written to disk.
The new fork everybody seems to be getting behind lives at https://ciphershed.org/
you would trust hardware encryption on where ever the drive is made?
there are now open source versions of truecrypt you can use.
https://ciphershed.org/ under development but you can compile it yourself from the source.
You can test the header by using the --header option when opening the LUKS device. If it's successful, this means that the header backup can be restored to the device and everything will work as expected.
Yes, persistence storage relies on LUKS, which has such protection. See https://gitlab.com/cryptsetup/cryptsetup/-/wikis/FrequentlyAskedQuestions, particularly 5.9 and following.
Can access on another desktop or server providing you have the pass key or file. Just unlock/read by unlocking using luks. https://gitlab.com/cryptsetup/cryptsetup
1 key for all of the array. But can have multiple keys and change keys. There are a finite amount of key slots. I forgot how many. Once you reach that limit you will have to remove keys to add new ones but I personally do not see a need for more than one since it’s array wide
There's no rescue disk. You'll have to use cryptsetup to create a backup of the LUKS header (see the FAQ about that and all sorts of useful details). That's similar to one of the Veracrypt rescue disk purposes but there's no "emergency decrypt" or things like that. The header is a small file that contains needed information to unlock the drive; if it's damaged, all is lost. That's something I'm still hoping installers would one day mention instead of "don't lose your passphrase".
To access the encrypted volume from another system, the usual way is, again, to use cryptsetup from command line and then mount the partition but nowadays most graphical file managers will just prompt you for the passphrase and work their magic.
As for updates, there won't be any issues but it can happen on rare occasions and specific conditions. I don't recall seeing anything that couldn't be easily solved though.
In any case, just remember that encryption can backfire and that backups here are even less an option than usual.
The LUKS header is entirely at the beginning of the block device. Overwriting 2MB should be sufficient. Don't forget to shred any header backups you may have made.
However, the way that SSDs reallocate sectors during normal operation may leave chunks of the header laying about. Personally, I wouldn't worry about it, but if you want to be completely secure you'll need to run an ATA Secure Erase on the entire drive.
Regarding LUKS Vs Veracrypt: don't worry about that; the main difference is that VC can encrypt your Windows drive in-place while LUKS/cryptsetup/dm-crypt implies a full reformat and reinstall. Both are bulletproof as long as your passphrase is. (angry infosec people, don't scream, just keeping it simple here)
I won't blame you for trying and I'm saying this in a friendly way but you shouldn't "vaguely remember" how you encrypted "something". So first, if you're prompted for a password at boot, your drive is fully encrypted. Otherwise, only your Home is. It's not a bad thing, just means that only your personal user stuff is encrypted, not the whole drive.
Which brings us to the big questions:
Why did you choose to encrypt?
Are you planning to have backups ? Because, well you know, encrypted data are meant to be ... well impossible to recover.
If your drive is fully encrypted, I strongly suggest that you take a look at cryptsetup luksHeaderBackup
fsck works only on the file system which is within the encrypted partition. So no, that won't work.
Good thing you have backups. Congrats!
https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#6-backup-and-data-recovery
Read the whole section (data and recovery). Doesn't look good.
I recommend you create an askubuntu.com question for your problem before you make irreversible changes. Just in case there is a known bug and your LUKS partition is fine (unlikely but possible).
Yes, it's most likely doable, you'd just have to configure your bootloader to recognize the Windows boot thingies. I'm not that familiar with Windows, but I don't imagine it would be very hard to configure. See the dual-booting section of the GRUB ArchWiki article, for example.
> I would like to encrypt the HDD as well but not sure if it's doable with half ext4 filesystem and half NTFS
You encrypt block devices (i.e. /dev/sda), not filesystems. Thus, if you have two partitions, e.g. /dev/sda1 and /dev/sda2, the first can be encrypted and formatted to ext4 without the other being affected.
However, SSDs with LUKS can be weird. See the LUKS FAQ section 5.19 about this.
Edit - fixed links.
> simply because LUKS wasn't updated for years now, it's still version 1.0 which might become obsolete as computing power increases
The latest version of LUKS/Cryptsetup is 2.0.2. See LUKS/Cryptsetup Project homepage. The Project is well maintained and being regularly updated.
No. Having the masterkey would make a brute force attack on the other passwords possible, but not practical. The algorithms/methods used with the keyslots are essentially the same ones used to encrypt the data.
You can also use LUKS/dm-crypt.
Interfaces nicely with Ubuntu/Unity/nautilus (I'm not sure what actually handles it, it just worked for me).
Windows support will be less official and possibly more work... https://github.com/t-d-k/LibreCrypt (I haven't used it on Windows myself, so someone please tell me if it's absurd to even consider).
It's an encrypted block device, not filesystem. Presumably it's LUKS, for which header backups are recommended but not automatic. Re: gitlab.com/cryptsetup/…/FrequentlyAskedQuestions.
That's pretty loaded... I'd start by looking at the MS Docs for Bitlocker, since the questions you asked depend on the OS you're running:
BitLocker (Windows 10) - Microsoft 365 Security | Microsoft Docs
Once you're on Windows 10, you'd want to be running TPM 2, UEFI w/ Secure Boot.
If you're not using ConfigMgr, you can still use MBAM for compliance monitoring
Microsoft BitLocker Administration and Monitoring 2.5 - Microsoft Desktop Optimization Pack | Microsoft Docs
You'd use Group Policies for Management
If you're using a local account, yes. If you're using a Microsoft account, still yes, but slightly less easily. About the only way around this is to use whole disk encryption, e.g. Bitlocker.
You can use Microsoft Bitlocker to encrypt your drives without a TPM but there are some caveats with it. Here's their FAQ on it: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq
It varies by operating system. If you are on Windows 10, you should look into BitLocker. It's really the only option I'm aware of for that platform.
First section fourth paragraph. "provides the option", doesn't set it as default.
I would also like to point out that this behaviour is not a bug with dual boot, this is an observable behaviour on all systems I have tried it on.
Your linked picture also shows the "Change how drive is unlocked at startup" option. Try investigating what is set by default before running your mouth.
I kept my insults PG, you insulted my intelligence, now you're swearing. I think you defeated your own point here.
I think you misunderstand, I don't use BitLocker for this reason. Due to the as proven behaviour of BitLocker. This also isn't isolated to domained systems.
I didn't address the rest of your comment as it wouldn't have added anything to my previous post.
I'm not ill tempered, I just don't like people on the internet thinking that they know how to do my job, and then questioning my intelligence when they 'think' they know better.
I shall address your previous post as requested:
The picture you linked is not from Microsoft and also shows a fixed data drive not a system drive. System drives behave differently as they are the system drive.
The TPM acts as a device based authentication token, much like the option to use a USB device to unlock drives. The TPM just happens to be inside the PC and non removable.
A lot of NDA's do cover IP ownership of any work done whilst under the employ of a company. That is only in so far as to direct your attention to what is covered by the NDA. 'This' belongs to the company, 'this' does not.
This site has a bunch of info and links to other mirrors too, so it looks like a good starting point.
Like Natanael says, verify the SHA256 hashes against multiple sources.
Try Truecrypt. The developers stopped, claiming security holes, but a recent audit found no flaws. EDIT: They did find a few flaws, but none that would compromise the encryption in a major way.
If you're using Linux or Cygwin (or Mac?), you can install OpenSSL, which is a very large and widely used crypto package.
To use it, you can type
openssl aes-256-cbc -a -salt -in ABC -out ABC.enc
Where ABC is the name of the folder you want to encrypt. It will ask you for a password, and again to confirm. You can then delete the original folder.
To decrypt it, use
openssl aes-256-cbc -d -a -in ABC.enc -out ABC
again, where ABC is the name of the folder.
If you want to shorten these, paste the following at the bottom of your .bashrc file:
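# Each one-line function body needs a ';' before the closing brace; "$1" is quoted so names with spaces work.
function sslenc { openssl aes-256-cbc -a -salt -in "$1" -out "$1.enc"; }
function ssldec { openssl aes-256-cbc -d -a -in "$1" -out "$(basename "$1" .enc)"; }
You can then use the commands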
sslenc ABC
and
ssldec ABC.enc
to encrypt and decrypt a file or folder named ABC or ABC.enc, respectively.
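An added example, not part of the comment above: openssl enc reads a single file or stream, so a directory has to be archived before it is encrypted. This sketch assumes OpenSSL 1.1.1 or later (for -pbkdf2), tar with gzip support, and the hypothetical names enc_dir, dec_dir and ENC_PASS.

```shell
#!/bin/sh
# Added example: archive a directory, then encrypt the archive with openssl enc.
# Assumptions: OpenSSL 1.1.1+ (-pbkdf2/-iter), tar with gzip support, and the
# passphrase exported in ENC_PASS (hypothetical name) so it stays out of argv.
# Note: CBC mode here gives confidentiality only; it does not authenticate data.

# Use pipefail where the shell supports it so a failing tar is not masked.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

ENC_ITER=600000   # PBKDF2 iteration count; must be the same on decrypt

# enc_dir DIR OUT: write an encrypted tar.gz of DIR to OUT.
enc_dir() {
    src=$1; out=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    [ -n "${ENC_PASS:-}" ] || { echo "ENC_PASS is not set" >&2; return 1; }
    ( umask 077   # output file readable by the owner only
      tar -C "$(dirname "$src")" -czf - "$(basename "$src")" |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ENC_ITER" \
            -pass env:ENC_PASS -out "$out" )
}

# dec_dir IN DESTDIR: decrypt IN and unpack the archive under DESTDIR.
dec_dir() {
    in=$1; dest=$2
    [ -f "$in" ] || { echo "no such file: $in" >&2; return 1; }
    [ -n "${ENC_PASS:-}" ] || { echo "ENC_PASS is not set" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # A wrong passphrase yields garbage, which gzip/tar rejects with an error.
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ENC_ITER" \
        -pass env:ENC_PASS -in "$in" | tar -xzf - -C "$dest"
}
```

The plaintext archive is piped straight into openssl and never written to disk; delete the original directory only after a test decrypt has succeeded.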
The best way to make an encrypted partition that can be accessed on any operating system is still Truecrypt. You can download the latest working version here.
It's simple to make a large container file in your EXFAT partition, and open it with Truecrypt on any computer you use.
Google "Group Policy": there are all kinds of restrictions you can set there that improve security, but it's not something to go mucking about with -- you need a good reference.
But really, if your roommate can Google and is reasonably smart, don't let him have physical control of your laptop. Physical control and it's all over.
Though you can make it harder on him by:
You're probably better off keeping your laptop physically locked somewhere your roommate won't want to break into.
my pleasure.
if you want to use truecrypt, don't google it, get it from here. if you google it, you'll run into the flurry of controversy and craziness that has happened the past month. suffice it to say, truecrypt is fine to use, don't believe the google results. in short, the guys who created it went crazy.
easy to use PGP can be found here
It's all too possible in this day and age I'm afraid. Luckily, the Source code was released, and to our luck, people like you and me invested a lot of their time into TC. So now, it looks like there may be an arms race of sorts going on in an attempt to get a viable replacement soon. An audit of the code is underway for version 7.1a. Hopefully the code is viable AND safe. If not, I suspect the community will take steps to ensure it is safe. I believe that there is too much energy vested into TC for people to just let it die.
Use a program called Veracrypt.
It can encrypt a flash drive, an entire hard drive, or just create an encrypted "container" file that you can move around like any other file, and add and remove contents from like a virtual flash drive. It doesn't even need installed and can run from a flash drive if you have to.
You can use several different encryption algorithms, or mix and match. Just don't forget the password... data is unrecoverable.
Obfuscation is not a great way to secure files.
If you have a thumb drive you should consider fully encrypting it with something like https://www.veracrypt.fr/en/Home.html, if you are on windows or Mac OS (most modern Linux distros have such tools built-in).
You will only be able to mount the drive and access its data if you know its passphrase.
You can then also make an image of that disk and then save it somewhere else as a backup.
If complete privacy is your goal, I would look at setting up encrypted shared drives instead. An approach like this would prevent even the administrator from even viewing the files. Something like VeraCrypt. The only risk is that if you lose the key there is no recovery.
> Surely this would mean she'd be able to see all my personal photos without my permission, using Backblaze (even though I thought my photos were locked by my Windows password)
Yes, just like someone could use one admin account to take over access to another and its files (without your permission) or boot your computer into an alternate operating system (like Linux) and access the files that way, or physically remove the hard drive or other storage device and plug it into another computer to access the data there.
If you're worried about someone else accessing your files, relying on the use of different Windows accounts / passwords on the same machine isn't buying you much. This isn't really an issue with Backblaze per se, just the way local Windows accounts and NTFS filesystem permissions work.
If you're worried about someone you share a Windows PC with accessing your data, you need to think about storing it exclusively in a cloud account (Google Photos, iCloud, etc.) that only you have access to or finding a way to encrypt the data such that accessing it requires knowledge that only you possess (like a password / passphrase). This can be achieved with something like https://www.veracrypt.fr/en/Home.html