mirror of https://github.com/privacyguides/privacyguides.org.git synced 2026-05-14 15:41:17 +00:00
privacyguides.org/content/tools/software/encryption/_index.md
---
title: Encryption Software
description: Encryption of data is the only way to control who can access it. These tools allow you to encrypt your emails and any other files.
---

Encryption is the only secure way to control who can access your data. If you are currently not using encryption software for your hard disk, emails, or files, you should pick an option here.

{{< cards >}}
{{< card link="#cryptomator-cloud" title="Cryptomator" image="./cryptomator.svg" subtitle="Cryptomator is an encryption solution designed for privately saving files to any cloud Service Provider, eliminating the need to trust that they won't access your files. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider." >}}
{{< card link="#veracrypt-disk" title="VeraCrypt" image="./veracrypt.svg" subtitle="VeraCrypt is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication." >}}
{{< card link="#bitlocker" title="BitLocker" image="./bitlocker.png" subtitle="BitLocker is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module (TPM) for hardware-based security." >}}
{{< card link="#filevault" title="FileVault" image="./filevault.png" subtitle="FileVault is the on-the-fly volume encryption solution built into macOS. FileVault takes advantage of the hardware security capabilities present on an Apple Silicon SoC or T2 Security Chip." >}}
{{< card link="#linux-unified-key-setup" title="LUKS" image="./luks.png" subtitle="LUKS is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers." >}}
{{< card link="#kryptor" title="Kryptor" image="./kryptor.png" subtitle="Kryptor is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of age and Minisign to provide a simple, easier alternative to GPG." >}}
{{< card link="#tomb" title="Tomb" image="./tomb.png" subtitle="Tomb is a command-line shell wrapper for LUKS. It supports steganography via third-party tools." >}}
{{< card link="#gnu-privacy-guard" title="GnuPG" image="./gnupg.svg" subtitle="GnuPG is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF specification of OpenPGP." >}}
{{< card link="#gpg4win" title="GPG4win" image="./gpg4win.svg" subtitle="GPG4win is a package for Windows from Intevation and g10 Code. It includes various tools that can assist you in using GPG on Microsoft Windows." >}}
{{< card link="#gpg-suite" title="GPG Suite" image="./gpgsuite.png" subtitle="GPG Suite provides OpenPGP support for Apple Mail and other email clients on macOS." >}}
{{< card link="#openkeychain" title="OpenKeychain" image="./openkeychain.svg" subtitle="OpenKeychain is an implementation of GnuPG for Android. It's commonly required by mail clients such as Thunderbird, FairEmail, and other Android apps to provide encryption support." >}}
{{< /cards >}}

## Multi-platform

The options listed here are available on multiple platforms and great for creating encrypted backups of your data.

### Cryptomator (Cloud)

Protects against the following threat(s): {{< badge content="Passive Attacks" color="amber" >}}

Cryptomator is an encryption solution designed for privately saving files to any cloud Service Provider, eliminating the need to trust that they won't access your files. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.

{{< cards >}} {{< card link="https://cryptomator.org" title="Homepage" icon="home" >}} {{< card link="https://cryptomator.org/privacy" title="Privacy Policy" icon="eye" >}} {{< /cards >}}

{{< badge content="Linux" color="yellow" >}} {{< badge content="macOS" color="indigo" >}} {{< badge content="Windows" color="red" >}} {{< badge content="Google Play" color="green" >}} {{< badge content="App Store" color="blue" >}} {{< badge content="Android" >}} {{< badge content="Flathub" >}}

Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.

Cryptomator is free to use on all desktop platforms, as well as on iOS in "read only" mode. Cryptomator offers paid apps with full functionality on iOS and Android. The Android version can be purchased anonymously via ProxyStore.

Some Cryptomator cryptographic libraries have been audited by Cure53. The scope of the audited libraries includes: cryptolib, cryptofs, siv-mode and cryptomator-objc-cryptor. The audit did not extend to cryptolib-swift, which is a library used by Cryptomator for iOS.

Cryptomator's documentation describes its intended security target, its security architecture, and best practices for use.

### VeraCrypt (Disk)

Protects against the following threat(s): {{< badge content="Targeted Attacks" color="red" >}}

VeraCrypt is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.

{{< cards >}} {{< card link="https://veracrypt.fr" title="Homepage" icon="home" >}} {{< card link="https://veracrypt.fr/en/Documentation.html" title="Documentation" icon="document-text" >}} {{< /cards >}}

{{< badge content="Linux" color="yellow" >}} {{< badge content="macOS" color="indigo" >}} {{< badge content="Windows" color="red" >}}

VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.

When encrypting with VeraCrypt, you have the option to select from different hash functions. We suggest you only select SHA-512 and stick to the AES block cipher.

TrueCrypt has been audited a number of times, and VeraCrypt has also been audited separately.

## Operating System Encryption

Protects against the following threat(s): {{< badge content="Targeted Attacks" color="red" >}}

Built-in OS encryption solutions generally leverage hardware security features such as a secure cryptoprocessor. Therefore, we recommend using the built-in encryption solutions for your operating system. For cross-platform encryption, we still recommend cross-platform tools for additional flexibility and to avoid vendor lock-in.

Shut devices down when not in use.

Powering off your devices when they're not in use provides the highest level of security, as it minimizes the attack surface of your FDE method by ensuring no encryption keys remain in memory.

### BitLocker

BitLocker is the full volume encryption solution bundled with Microsoft Windows that uses the Trusted Platform Module (TPM) for hardware-based security.

{{< cards >}} {{< card link="https://support.microsoft.com/en-us/windows/bitlocker-overview-44c0c61c-989d-4a69-8822-b95cd49b1bbf" title="Overview" icon="home" >}} {{< card link="https://learn.microsoft.com/windows/security/information-protection/BitLocker/BitLocker-overview" title="Documentation" icon="document-text" >}} {{< /cards >}}

BitLocker is officially supported on the Pro, Enterprise, and Education editions of Windows. The Home edition only supports automatic Device Encryption and must meet specific hardware requirements. If you're using the Home edition, we recommend upgrading to Pro, which can be done without reinstalling Windows or losing your files.

Pro and higher editions also support the more secure pre-boot TPM+PIN feature, configured through the appropriate group policy settings. The PIN is rate-limited, and the TPM will panic and lock access to the encryption key, either permanently or for a period of time, if someone attempts to brute-force access.

### FileVault

FileVault is the on-the-fly volume encryption solution built into macOS. FileVault takes advantage of the hardware security capabilities present on an Apple Silicon SoC or T2 Security Chip.

{{< cards >}} {{< card link="https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac" title="Documentation" icon="document-text" >}} {{< card link="https://support.apple.com/guide/security/welcome/web" title="Platform Security" icon="home" >}} {{< /cards >}}

We advise against using your iCloud account for recovery; instead, you should securely store a local recovery key on a separate storage device.

### Linux Unified Key Setup

LUKS is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.

{{< cards >}} {{< card link="https://gitlab.com/cryptsetup/cryptsetup" title="Repository" icon="code" >}} {{< card link="https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home" title="Documentation" icon="document-text" >}} {{< /cards >}}

#### Creating and opening encrypted containers

```bash
dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
sudo cryptsetup luksFormat /path-to-file
```

#### Opening encrypted containers

We recommend opening containers and volumes with udisksctl as this uses Polkit. Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like udiskie can run in the system tray and provide a helpful user interface.

```bash
udisksctl loop-setup -f /path-to-file
udisksctl unlock -b /dev/loop0
```

Important

We recommend you always back up your LUKS headers in case of partial drive failure. This can be done with:

```bash
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
```
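The LUKS steps above (random-filled container file, `luksFormat`, `udisksctl loop-setup` and `unlock`, header backup) combined into one POSIX shell script with the guard checks a practitioner would want before touching a device. This is an added example, not code from the Privacy Guides page or from the cryptsetup or udisks projects; the function names, the error messages, the `chmod 600` on the created files, and the parsing of udisksctl's `Mapped file ... as /dev/loopN.` / `Unlocked ... as /dev/dm-N.` status lines are this example's own assumptions. It goes beyond the page's commands by verifying that the header backup actually parses and by recording its checksum.

```shell
#!/bin/sh
# Added example, not from the Privacy Guides page or the cryptsetup project:
# the LUKS container workflow (create, open through udisksctl, back up the
# header) wrapped with sanity checks. Function names are this example's own.

# Accept only a positive integer number of MiB for the container size.
validate_size_mib() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
  esac
  [ "$1" -gt 0 ]
}

# Pull the device path out of a udisksctl status line such as
# "Mapped file /tmp/vault.img as /dev/loop0." or "Unlocked /dev/loop0 as /dev/dm-3."
# (message format assumed from udisksctl's output; prints nothing on no match).
device_from_udisks_msg() {
  printf '%s\n' "$1" | sed -n 's/.* as \(\/dev\/[A-Za-z0-9_-]*\)\.$/\1/p'
}

# Create a LUKS container file of SIZE MiB at PATH; refuses to overwrite.
create_container() {
  c_path="$1"; c_size="$2"
  if ! validate_size_mib "$c_size"; then
    echo "invalid size (MiB): $c_size" >&2; return 1
  fi
  if [ -e "$c_path" ]; then
    echo "refusing to overwrite existing file: $c_path" >&2; return 1
  fi
  # Random fill, as on the page: the container shows no recognisable structure before formatting.
  dd if=/dev/urandom of="$c_path" bs=1M count="$c_size" status=progress || return 1
  chmod 600 "$c_path"
  # Interactive: cryptsetup asks for confirmation and for the new passphrase.
  sudo cryptsetup luksFormat "$c_path"
}

# Attach the container as a loop device and unlock it via udisks (Polkit
# handles authorization, so no root shell). Prints the unlocked dm device.
open_container() {
  o_loop=$(device_from_udisks_msg "$(udisksctl loop-setup -f "$1")")
  if [ -z "$o_loop" ]; then
    echo "loop-setup failed for $1" >&2; return 1
  fi
  o_dm=$(device_from_udisks_msg "$(udisksctl unlock -b "$o_loop")")
  if [ -z "$o_dm" ]; then
    echo "unlock failed for $o_loop" >&2; return 1
  fi
  printf '%s\n' "$o_dm"
}

# Back up the LUKS header, prove the copy parses, and record its checksum.
backup_header() {
  b_dev="$1"; b_out="$2"
  if [ ! -e "$b_dev" ]; then
    echo "no such device or file: $b_dev" >&2; return 1
  fi
  if [ -e "$b_out" ]; then
    echo "refusing to overwrite existing backup: $b_out" >&2; return 1
  fi
  sudo cryptsetup luksHeaderBackup "$b_dev" --header-backup-file "$b_out" || return 1
  sudo chmod 600 "$b_out"
  # A backup that luksDump cannot parse is worthless; find out now, not at restore time.
  if ! sudo cryptsetup luksDump "$b_out" >/dev/null; then
    echo "header backup is unreadable: $b_out" >&2; return 1
  fi
  sudo sha256sum "$b_out" | sudo tee "$b_out.sha256" >/dev/null
}

# Usage: ./luks-container.sh create /path/vault.img 1024
#        ./luks-container.sh open   /path/vault.img
#        ./luks-container.sh backup /dev/sdX /mnt/backup/header.img
if [ "$#" -gt 0 ]; then
  case "$1" in
    create) create_container "$2" "$3" ;;
    open)   open_container "$2" ;;
    backup) backup_header "$2" "$3" ;;
    *) echo "usage: $0 {create|open|backup} ..." >&2; exit 2 ;;
  esac
fi
```

A header backup freezes the key slots as they were when it was taken: a passphrase you later change or remove still unlocks the volume through a restored backup. Keep the backup file offline with the same protection as the volume itself, and take a fresh one after any key-slot change.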

## Command-line

Protects against the following threat(s): {{< badge content="Targeted Attacks" color="red" >}}

Tools with command-line interfaces are useful for integrating shell scripts.

### Kryptor

Kryptor is a free and open-source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of age and Minisign to provide a simple, easier alternative to GPG.

{{< cards >}} {{< card link="https://kryptor.co.uk" title="Homepage" icon="home" >}} {{< card link="https://kryptor.co.uk/features#privacy" title="Privacy Policy" icon="eye" >}} {{< /cards >}}

{{< badge content="Linux" color="yellow" >}} {{< badge content="macOS" color="indigo" >}} {{< badge content="Windows" color="red" >}}

### Tomb

Tomb is a command-line shell wrapper for LUKS. It supports steganography via third-party tools.

{{< cards >}} {{< card link="https://dyne.org/software/tomb" title="Homepage" icon="home" >}} {{< card link="https://github.com/dyne/Tomb/wiki" title="Documentation" icon="document-text" >}} {{< /cards >}}

## OpenPGP

Protects against the following threat(s): {{< badge content="Targeted Attacks" color="red" >}} {{< badge content="Passive Attacks" color="amber" >}} {{< badge content="Service Providers" color="indigo" >}}

OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and, because it has been around for a long time, is complex. For tasks such as signing or encrypting files, we suggest the options above.

When encrypting with PGP, you have the option to configure different options in your gpg.conf file. We recommend staying with the standard options specified in the GnuPG user FAQ.

Tip

When generating keys, we suggest using `future-default`, as this instructs GnuPG to use modern cryptography such as Curve25519 and Ed25519:

```bash
gpg --quick-gen-key alice@example.com future-default
```

### GNU Privacy Guard

GnuPG is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF specification of OpenPGP. The GnuPG project has been working on an updated draft in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major funding from the German government.

{{< cards >}} {{< card link="https://gnupg.org" title="Homepage" icon="home" >}} {{< card link="https://gnupg.org/privacy-policy.html" title="Privacy Policy" icon="eye" >}} {{< /cards >}}

{{< badge content="Linux" color="yellow" >}} {{< badge content="macOS" color="indigo" >}} {{< badge content="Windows" color="red" >}}

### GPG4win

GPG4win is a package for Windows from Intevation and g10 Code. It includes various tools that can assist you in using GPG on Microsoft Windows. The project was initiated and originally funded by Germany's Federal Office for Information Security (BSI) in 2005.

{{< cards >}} {{< card link="https://gpg4win.org" title="Homepage" icon="home" >}} {{< card link="https://gpg4win.org/privacy-policy.html" title="Privacy Policy" icon="eye" >}} {{< /cards >}}

{{< badge content="Windows" color="red" >}}

### GPG Suite

GPG Suite provides OpenPGP support for Apple Mail and other email clients on macOS.

We recommend taking a look at their First steps and Knowledge Base for support.

{{< cards >}} {{< card link="https://gpgtools.org" title="Homepage" icon="home" >}} {{< card link="https://gpgtools.org/privacy" title="Privacy Policy" icon="eye" >}} {{< /cards >}}

{{< badge content="macOS" color="indigo" >}}

Currently, GPG Suite does not yet have a stable release for macOS Sonoma and later.

### OpenKeychain

OpenKeychain is an implementation of GnuPG for Android. It's commonly required by mail clients such as Thunderbird, FairEmail, and other Android apps to provide encryption support.

{{< cards >}} {{< card link="https://openkeychain.org" title="Homepage" icon="home" >}} {{< card link="https://openkeychain.org/help/privacy-policy" title="Privacy Policy" icon="eye" >}} {{< /cards >}}

{{< badge content="Google Play" color="green" >}}

Cure53 completed a security audit of OpenKeychain 3.6 in October 2015. The published audit and OpenKeychain's solutions to the issues raised in the audit can be found here.

## Criteria

Please note we are not affiliated with any of the projects we recommend. In addition to our standard criteria, we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.

### Minimum Qualifications

  • Cross-platform encryption apps must be open source.
  • File encryption apps must support decryption on Linux, macOS, and Windows.
  • External disk encryption apps must support decryption on Linux, macOS, and Windows.
  • Internal (OS) disk encryption apps must be cross-platform or built into the operating system natively.

### Best-Case

Our best-case criteria represent what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.

  • Operating System (FDE) encryption apps should utilize hardware security such as a TPM or Secure Enclave.
  • File encryption apps should have first- or third-party support for mobile platforms.