23 KiB
meta_title, title, icon, description, cover
| meta_title | title | icon | description | cover |
|---|---|---|---|---|
| Recommended Encryption Software: VeraCrypt, Cryptomator, PicoCrypt, and OpenPGP - Privacy Guides | 暗号化ソフトウェア | material/file-lock | データの暗号化は、誰がデータにアクセスできるかをコントロールする唯一の方法です。 These tools allow you to encrypt your emails and any other files. | encryption.webp |
データの暗号化は、誰がデータにアクセスできるかをコントロールする唯一の方法です。 現在、ハードディスクや電子メール、ファイルの暗号化ソフトウェアを使用していない場合は、以下のツールを使いましょう。
複数プラットフォーム
ここに記載されているオプションは複数のプラットフォームに対応しており、データの暗号化バックアップの作成に適しています。
Cryptomator(クラウド)
{ align=right }
Cryptomator is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-eye-16:{ .card-link title="Privacy Policy" } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" } :octicons-heart-16:{ .card-link title=Contribute }
Cryptomatorは、AES-256を用いて、ファイルとファイル名の両方を暗号化します。 Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
Some Cryptomator cryptographic libraries have been audited by Cure53. The scope of the audited libraries includes: cryptolib, cryptofs, siv-mode and cryptomator-objc-cryptor. The audit did not extend to cryptolib-swift, which is a library used by Cryptomator for iOS.
Cryptomator's documentation details its intended security target, security architecture, and best practices for use in further detail.
Picocrypt(ファイル)
{ align=right }
Picocryptは小さくシンプルな暗号化ツールで、最新の暗号化を提供します。 Picocryptは、セキュアなXChaCha20暗号とArgon2idキー派生機能を使用し、高レベルのセキュリティを提供します。 暗号化機能には、Go標準のx/cryptoモジュールを使用しています。
:octicons-repo-16: Repository{ .md-button .md-button--primary } :octicons-code-16:{ .card-link title="Source Code" } :octicons-heart-16:{ .card-link title=Contribute }
VeraCrypt(ディスク)
{ align=right }
{ align=right }
VeraCrypt is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" } :octicons-heart-16:{ .card-link title=Contribute }
VeraCryptは、終了したTrueCryptプロジェクトのフォークです。 開発者によると、セキュリティの改善が実装されており、最初のTrueCryptコード監査によって提起された問題が解決されています。
VeraCryptで暗号化する場合、異なるハッシュ関数から選択できます。 しかし、SHA-512のみを選ぶことを推奨します。AESブロック暗号以外を使うべきではありません。
Truecrypt has been audited a number of times, and VeraCrypt has also been audited separately.
OSのフルディスク暗号化
For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating system's native encryption tools often make use of OS and hardware-specific features like the secure cryptoprocessor in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you don't boot from, we still recommend using open-source tools like VeraCrypt over the tools below, because they offer additional flexibility and let you avoid vendor lock-in.
BitLocker
{ align=right }
BitLocker is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it for encrypting your boot drive is because of its use of TPM. ElcomSoft, a forensics company, has written about this feature in Understanding BitLocker TPM Protection.
:octicons-info-16:{ .card-link title=Documentation}
BitLocker is only supported on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
Enabling BitLocker on Windows Home
To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a GUID Partition Table and have a dedicated TPM (v1.2, 2.0+) module. You may need to disable the non-Bitlocker "Device encryption" functionality (which is inferior because it sends your recovery key to Microsoft's servers) if it is enabled on your device already before following this guide.
-
Open a command prompt and check your drive's partition table format with the following command. You should see "GPT" listed under "Partition Style":
powershell Get-Disk -
このコマンドを(管理者コマンドプロンプトで)実行し、TPMのバージョンを確認してください。 You should see
2.0or1.2listed next toSpecVersion:powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm -
Access Advanced Startup Options. You need to reboot while pressing the F8 key before Windows starts and go into the command prompt in Troubleshoot → Advanced Options → Command Prompt.
-
Login with your admin account and type this in the command prompt to start encryption:
manage-bde -on c: -used -
Close the command prompt and continue booting to regular Windows.
-
Open an admin command prompt and run the following commands:
manage-bde c: -protectors -add -rp -tpm manage-bde -protectors -enable c: manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
Tip
Backup BitLocker-Recovery-Key.txt on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
FileVault
{ align=right }
FileVault is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it leverages hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.
:octicons-info-16:{ .card-link title=Documentation}
We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
Linux Unified Key Setup
{ align=right }
LUKS is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" }
Creating and opening encrypted containers
dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
sudo cryptsetup luksFormat /path-to-file
Opening encrypted containers
We recommend opening containers and volumes with udisksctl as this uses Polkit. Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like udiskie can run in the system tray and provide a helpful user interface.
udisksctl loop-setup -f /path-to-file
udisksctl unlock -b /dev/loop0
Remember to back up volume headers
We recommend you always back up your LUKS headers in case of partial drive failure. This can be done with:
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
コマンドライン
Tools with command-line interfaces are useful for integrating shell scripts.
Kryptor
{ align=right }
Kryptor is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of age and Minisign to provide a simple, easier alternative to GPG.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-eye-16:{ .card-link title="Privacy Policy" } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" } :octicons-heart-16:{ .card-link title=Contribute }
Tomb
{ align=right }
Tomb is a command-line shell wrapper for LUKS. It supports steganography via third-party tools.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" } :octicons-heart-16:{ .card-link title=Contribute }
OpenPGP
OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is complex as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
When encrypting with PGP, you have the option to configure different options in your gpg.conf file. We recommend staying with the standard options specified in the GnuPG user FAQ.
Use future defaults when generating a key
When generating keys we suggest using the future-default command as this will instruct GnuPG use modern cryptography such as Curve25519 and Ed25519:
gpg --quick-gen-key alice@example.com future-default
GNU Privacy Guard
{ align=right }
GnuPG is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF specification of OpenPGP. The GnuPG project has been working on an updated draft in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major funding from the German government.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-eye-16:{ .card-link title="Privacy Policy" } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" }
GPG4win
{ align=right }
GPG4win is a package for Windows from Intevation and g10 Code. It includes various tools that can assist you in using GPG on Microsoft Windows. The project was initiated and originally funded by Germany's Federal Office for Information Security (BSI) in 2005.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-eye-16:{ .card-link title="Privacy Policy" } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" } :octicons-heart-16:{ .card-link title=Contribute }
Downloads
GPG Suite
Note
We suggest Canary Mail for using PGP with email on iOS devices.
{ align=right }
GPG Suite provides OpenPGP support for Apple Mail and macOS.
We recommend taking a look at their First steps and Knowledge base for support.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-eye-16:{ .card-link title="Privacy Policy" } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" }
Downloads
OpenKeychain
{ align=right }
OpenKeychain is an Android implementation of GnuPG. It's commonly required by mail clients such as K-9 Mail and FairEmail and other Android apps to provide encryption support. Cure53 completed a security audit of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found here.
:octicons-home-16: Homepage{ .md-button .md-button--primary } :octicons-eye-16:{ .card-link title="Privacy Policy" } :octicons-info-16:{ .card-link title=Documentation} :octicons-code-16:{ .card-link title="Source Code" }
Downloads
規準
**私たちは、推薦するどのプロジェクトとも提携していません。**客観的に推薦できるよう、標準となる規準に加えて、一連の明確な要件を定めています。 プロジェクトを利用する前に、このリストをよく理解し、ご自身で調査を行って、そのプロジェクトがあなたにとって適切な選択かどうかをご確認ください。
This section is new
私たちは、サイトの各項目に関して、定義された規準の確立に取り組んでいます。この規準は変更される可能性があります。 規準について疑問がある場合は、フォーラムで質問してください。また、ここに記載されていない場合でも、私たちがプロジェクトを推奨する際に、そうした事柄を考慮しなかったと仮定するのはお止めください。 プロジェクトを推奨する際に考慮され、議論される要素は多くあり、そのすべてを文書化する作業は現在進行中です。
最低要件
- Cross-platform encryption apps must be open source.
- ファイル暗号化アプリは、Linux、macOS、Windowsでの復号化をサポートするものであること。
- 外部ディスク暗号化アプリは、Linux、macOS、Windowsでの復号化をサポートするものであること。
- 内部(OS)ディスク暗号化アプリは、クロスプラットフォームであるか、OSにネイティブに組み込まれたものであること。
満たされることが望ましい基準
満たされることが望ましい基準には、このカテゴリーの完璧なプロジェクトに私たちが望むものを示しています。 私たちが推薦するプロジェクトは、この機能の一部または全部を含んでいないかもしれませんが、もし含んでいれば、このページで他のプロジェクトよりも上位にランクされるかもしれません。
- Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
- File encryption apps should have first- or third-party support for mobile platforms.