Comparison of disk encryption software

This is a technical feature comparison of different disk encryption software.

Background information

Operating systems

Features

• Hidden containers: Whether hidden containers (an encrypted container (A) within another encrypted container (B) so the existence of container A can not be established)^[56] can be created for deniable encryption. Note that some modes of operation like CBC with a plain IV can be more prone to watermarking attacks than others.
• Pre-boot authentication: Whether authentication can be required before booting the computer, thus allowing one to encrypt the boot disk.
• Single sign-on: Whether credentials provided during pre-boot authentication will automatically log the user into the host operating system, thus preventing password fatigue and reducing the need to remember multiple passwords.
• Custom authentication: Whether custom authentication mechanisms can be implemented with third-party applications.^{[clarification needed]}
• Multiple keys: Whether an encrypted volume can have more than one active key.
• Passphrase strengthening: Whether key strengthening is used with plain text passwords to frustrate dictionary attacks, usually using PBKDF2.
• Hardware acceleration: Whether dedicated cryptographic accelerator expansion cards can be taken advantage of.
• Trusted Platform Module: Whether the implementation can use a TPM cryptoprocessor.
• Filesystems: what filesystems are supported.
• Two-factor authentication: Whether optional security tokens (hardware security modules, such as Aladdin eToken and smart cards) are supported (for example using PKCS#11)

<templatestyles src="Reflist/styles.css" />

Layering

Lua error in Module:Details at line 30: attempt to call field '_formatLink' (a nil value).

• Whole disk: Whether the whole physical disk or logical volume can be encrypted, including the partition tables and master boot record. Note that this does not imply that the encrypted disk can be used as the boot disk itself; refer to "pre-boot authentication" in the features comparison table.
• Partition: Whether individual disk partitions can be encrypted.
• File: Whether the encrypted container can be stored in a file (usually implemented as encrypted loop devices).
• Swap space: Whether the swap space (called a "pagefile" on Windows) can be encrypted individually/explicitly.
• Hibernation file: Whether the hibernation file is encrypted (if hibernation is supported).

Modes of operation

Lua error in Module:Details at line 30: attempt to call field '_formatLink' (a nil value).

Different modes of operation supported by the software. Note that an encrypted volume can only use one mode of operation.

• CBC with predictable IVs: The CBC (cipher block chaining) mode where initialization vectors are statically derived from the sector number and are not secret; this means that IVs are re-used when overwriting a sector and the vectors can easily be guessed by an attacker, leading to watermarking attacks.
• CBC with secret IVs: The CBC mode where initialization vectors are statically derived from the encryption key and sector number. The IVs are secret, but they are re-used with overwrites. Methods for this include ESSIV and encrypted sector numbers (CGD).
• CBC with random per-sector keys: The CBC mode where random keys are generated for each sector when it is written to, thus does not exhibit the typical weaknesses of CBC with re-used initialization vectors. The individual sector keys are stored on disk and encrypted with a master key. (See GBDE for details)
• LRW: The Liskov-Rivest-Wagner tweakable narrow-block mode, a mode of operation specifically designed for disk encryption. Superseded by the more secure XTS mode due to security concerns.^[126]
• XTS: XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS), the SISWG (IEEE P1619) standard for disk encryption.

See also

• Cold boot attack
• Comparison of encrypted external drives
• Disk encryption software
• Disk encryption theory
• List of cryptographic file systems

Notes and references

<templatestyles src="Reflist/styles.css" />

External links

• DiskCryptor vs Truecrypt - Comparison in between DiskCryptor and Truecrypt
• Buyer's Guide to Full Disk Encryption - Overview of full-disk encryption, how it works, and how it differs from file-level encryption—plus an overview of leading full-disk encryption software.

• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Original release as Protect Data Security Inc.'s "Protect!style="background: #ececec; color: black; font-weight: bold; vertical-align: middle; text-align: left; " class="table-rh"|"Lua error in package.lua at line 80: module 'strict' not found.^{[dead link]}
• ↑ Company and product name change to Pointsec Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Initial cryptoloop patches for the Linux 2.5 development kernel: http://uwsg.iu.edu/hypermail/linux/kernel/0307.0/0348.html
• ↑ dm-crypt was first included in Linux kernel version 2.6.4: http://lwn.net/Articles/75404/
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.).
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Rebranded as ThinkVantage Client Security Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ OpenBSD 4.2 change notes
• ↑ OpenBSD 2.8 change notes
• ↑ [1]
• ↑ Trend Micro
• ↑ [2]
• ↑ TrueCrypt version history
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ VeraCrypt version history
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ http://www.jetico.com/products/enterprise-data-protection/bestcrypt-volume-encryption
• ↑ ^{39.0 39.1} [3] FUSE driver to read/write Windows' BitLocker-ed volumes under Linux / Mac OSX
• ↑ http://www.checkpoint.com/products/full-disk-encryption/DS_FullDisk_Encryption_120614.pdf
• ↑ [4] Although CipherShed can be built under FreeBSD, it is not recommended to run it because of bugs and instabilities when CipherShed is attempted to be used
• ↑ [5] Third party app allows to open containers encryptes with AES-256, SHA-512 hash and FAT file system
• ↑ [6] PocketPC freeware release- SmartPhone beta available
• ↑ ^{44.0 44.1 44.2} [7] FreeOTFE supports cryptoloop, dm-crypt/cryptsetup/dmsetup, and dm-crypt/LUKS volumes
• ↑ [8] FreeOTFE4PDA supports dm-crypt/LUKS volumes
• ↑ [9] libfvde supports reading FileVault2 Drive Encryption (FVDE) encrypted volumes
• ↑ [10] Supports Linux volumes
• ↑ [11] Supports Linux volumes
• ↑ [12] Third party app allows a user to open LibreCrypt compatible LUKS containers
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ [13] The current version of SEE (8.2.1) does not support Windows 8.
• ↑ http://www.symantec.com/endpoint-encryption/system-requirements/
• ↑ [14] Although TrueCrypt can be built under FreeBSD, it is not recommended to run it because of bugs and instabilities when TrueCrypt is attempted to be used
• ↑ [15] Third party app allows to open containers encryptes with AES-256, SHA-512 hash and FAT file system
• ↑ [16] Third party app allows to encrypt and decrypt VeraCrypt containers (only available in the paid version)
• ↑ [17] Hidden containers description from Jetico (BestCrypt)
• ↑ ^{57.0 57.1 57.2} Secret-containers and Camouflage files ArchiCrypt Live Description
• ↑ Supports "Guest" keys
• ↑ Using "Archicrypt Card"
• ↑ Supported by the BestCrypt container format; see BestCrypt SDK
• ↑ Supported by the BestCrypt Volume Encryption software
• ↑ With PIN or USB key)
• ↑ BitLocker Drive Encryption: Value Add Extensibility Options
• ↑ ^{64.0 64.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Recovery keys only.
• ↑ ^{66.0 66.1 66.2 66.3} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Although each volume encrypted with CipherShed can only have one active master key, it is possible to access its contents through more than one header. Each header can have a different password and/or keyfiles if any (cf. TrueCrypt FAQ: Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?)
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{72.0 72.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{73.0 73.1 73.2} dm-crypt and cryptoloop volumes can be mounted from the initrd before the system is booted
• ↑ ^{74.0 74.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{75.0 75.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{77.0 77.1 77.2} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{78.0 78.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ uses the lower filesystem (stacking)
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{81.0 81.1 81.2 81.3 81.4} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{82.0 82.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ FreeOTFE has a modular architecture and set of components to allow 3rd party integration
• ↑ FreeOTFE allows multiple keys to mount the same container file via encrypted keyfiles
• ↑ ^{85.0 85.1 85.2 85.3} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{86.0 86.1 86.2} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{87.0 87.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{88.00 88.01 88.02 88.03 88.04 88.05 88.06 88.07 88.08 88.09 88.10} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Using customization
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ n-Crypt Pro does not use password authentication— biometric/USB dongle authentication only
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ PGP private keys are always protected by strengthened passphrases
• ↑ ^{95.0 95.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{97.0 97.1} For Truecrypt containers
• ↑ ^{98.0 98.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ optional by using -K OpenBSD Manual Pages: vnconfig(8)
• ↑ http://docs.trendmicro.com/en-us/enterprise/endpoint-encryption.aspx
• ↑ http://esupport.trendmicro.com/solution/en-US/1058686.aspx
• ↑ http://esupport.trendmicro.com/solution/en-US/1059884.aspx
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Although each volume encrypted with TrueCrypt can only have one active master key, it is possible to access its contents through more than one header. Each header can have a different password and/or keyfiles if any (cf. TrueCrypt FAQ: Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?)
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ http://www.jetico.com/data-protection-encryption-bestcrypt-volume-encryption-enterprise/
• ↑ Within a VHD http://www.howtogeek.com/193013/how-to-create-an-encrypted-container-file-with-bitlocker-on-windows/
• ↑ dm-crypt can encrypt a file-based volume when used with the losetup utility included with all major Linux distributions
• ↑ yes, but the user needs custom scripts: http://www.linuxquestions.org/questions/slackware-14/luks-encryption-swap-and-hibernate-627958/
• ↑ Uses proprietary e-Capsule file system not exposed to the OS.
• ↑ ^{117.0 117.1} not technically part of FileVault, but provided by many versions of Mac OS X; can be enabled independently of FileVault
• ↑ http://macmarshal.com/images/Documents/mm_wp_102.pdf
• ↑ http://support.apple.com/kb/HT4790?viewlocale=en_US&locale=en_US
• ↑ ^{120.0 120.1} File-based volume encryption is possible when used with mdconfig(8) utility.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ http://www.openbsd.org/plus38.html OpenBSD 3.8 change notes
• ↑ however, not Windows UEFI-based computers with a GUID partition table (GPT)
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ LRW_issue
• ↑ Containers created with ArchiCrypt Live version 5 use LRW
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ ^{130.0 130.1} Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Containers created with TrueCrypt versions 1.0 through 4.0 use CBC.
• ↑ Containers created with TrueCrypt versions 4.1 through 4.3a use LRW, and support CBC for opening legacy containers only.
• ↑ Containers created with CipherShed or TrueCrypt versions 5.0+ use XTS, and support LRW/CBC for opening legacy containers only.
• ↑ Starting with Linux kernel version 2.6.20, CryptoAPI supports the LRW mode: http://lwn.net/Articles/213650/
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ Lua error in package.lua at line 80: module 'strict' not found.
• ↑ For Scramdisk containers
• ↑ For Truecrypt 4 containers
• ↑ For Truecrypt 5 and 6 containers
• ↑ Commit enabling AES XTS
• ↑ Containers created with TrueCrypt versions 1.0 through 4.0 use CBC.
• ↑ Containers created with TrueCrypt versions 4.1 through 4.3a use LRW, and support CBC for opening legacy containers only.
• ↑ Containers created with TrueCrypt versions 5.0 or later use XTS, and support LRW/CBC for opening legacy containers only.

Cite error: <ref> tags exist for a group named "Note", but no corresponding <references group="Note"/> tag was found, or a closing </ref> is missing