Comparison of disk encryption software

Comparison of disk encryption software

This is a technical feature comparison of different disk encryption software.

Background information
Name ArchiCrypt Live BestCrypt BitArmor DataControl BitLocker Drive Encryption Bloombase Keyparc CGD CenterTools DriveLock Check Point Full Disk Encryption CrossCrypt Cryptainer CryptArchiver cryptoloop cryptoMill Discryptor DiskCryptor DISK Protect cryptsetup/dmsetup dm-crypt/LUKS DriveCrypt DriveSentry GoAnywhere 2 E4M e-Capsule Private Safe eCryptfs FileVault FileVault 2 FinallySecure Enterprise (SECUDE) FREE CompuSec FreeOTFE GBDE Developer Softwaredevelopment Remus ArchiCrypt Jetico BitArmor Systems Inc. Microsoft Bloombase Roland C. Dowdeswell CenterTools Check Point Software Technologies Ltd Steven Scherrer Cypherix (Secure-Soft India) WinEncrypt ? SEAhawk Cosect Ltd. ntldr Becrypt Ltd Christophe Saout Clemens Fruhwirth (LUKS) SecurStar GmbH DriveSentry Paul Le Roux EISST Ltd. Dustin Kirkland, Tyler Hicks, (formerly Mike Halcrow) Apple Inc. Apple Inc. SECUDE 2008 2007 2001 2004-03-11 2005-02-05 2001 2008 1998-12-18 2005 2005 [11] [10] [8] [9] First released 1998 1993 [1] Licensing Proprietary Proprietary Proprietary Proprietary Proprietary [2] BSD Proprietary Proprietary GPL Proprietary Proprietary [7] GPL Proprietary Proprietary GPL Proprietary GPL GPL Proprietary Proprietary Open source Proprietary GPL Proprietary Proprietary Proprietary Proprietary [12] [13] Open source BSD Maintained? Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes

2008-05 2006 2007 2002-10-04 2008 1999 [3][4][5] [6]

2004-02-10 ? ? 2003-07-02

2003-10-24 2011-7-20 2006

CE-Infosys Sarah Dean Poul-Henning Kamp

2002 2004-10-10 2002-10-19

Comparison of disk encryption software

[14]

2
Pawel Jakub Dawidek

GELI KryptOS loop-AES n-Crypt Pro PGPDisk Private Disk R-Crypto McAfee Endpoint Encryption (SafeBoot) SafeGuard Easy SafeGuard Enterprise SafeGuard PrivateDisk SafeHouse Professional Scramdisk Scramdisk 4 Linux SecuBox SECUDE Secure Notebook SecureDoc Sentry 2020 softraid / RAID C SpyProof! svnd / vnconfig Symantec Endpoint Encryption TrueCrypt Aloaha Secure Stick Name Developer

2005-04-11 2010

BSD Proprietary GPL Proprietary

Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Maintained?

The MorphOS Development Team Jari Ruusu n-Trance Security Ltd PGP Corporation Dekart R-Tools Technology Inc McAfee, Inc.

2001-04-11 2005 1998-09-01 1993 [15]

Proprietary Proprietary Proprietary Proprietary Proprietary Proprietary Proprietary Proprietary Open source GPL Proprietary Proprietary Proprietary Proprietary BSD Proprietary

[16]

2008 2007 [17]

Sophos (Utimaco) Sophos (Utimaco) Sophos (Utimaco) [20]

1993 2007

[18] [19]

2000 1992 1997-07-01 2005-08-06 [21]

PC Dynamics, Inc. Shaun Hollingworth Hans-Ulrich Juettner Aiko Solutions SECUDE WinMagic Inc. SoftWinter OpenBSD Information Security Corp. OpenBSD Symantec Corporation TrueCrypt Foundation

2007-02-19 2003 1997 1998 [22] [23]

2007-11-01 2002 2000-12-01 2008 2004-02-02

[24]

BSD Proprietary

[25]

Proprietary TrueCrypt [26] License 3.0 Proprietary Licensing

Aloaha

2008 First released

Operating systems

Comparison of disk encryption software

Name

Windows NT-based

Pre-Windows NT

Windows Mobile/Pocket PC No No No No No No No Yes No Yes [27]

FreeBSD

Linux

Mac NetBSD OpenBSD DragonFly OS X BSD

ArchiCrypt Live BestCrypt BitArmor DataControl BitLocker Drive Encryption Bloombase Keyparc CenterTools DriveLock CGD Check Point Full Disk Encryption CrossCrypt Cryptainer CryptArchiver cryptoloop Discryptor DiskCryptor DISK Protect cryptsetup/dmsetup dm-crypt/LUKS DriveCrypt DriveSentry GoAnywhere 2 E4M e-Capsule Private Safe eCryptfs FileVault FileVault 2 FREE CompuSec FreeOTFE GBDE GELI loop-AES n-Crypt Pro PGPDisk PGP Whole Disk Encryption Private Disk

Yes Yes Yes Yes Yes Yes No Yes Yes Yes Yes Yes [28]

No Yes No No Yes No No No No No No No No No No No No No No Yes No No No No No No No No No No No No Yes

No No No No No No No No No No No No No No No No No No No No No Yes No No No No Yes Yes No No No No No

No Yes No No Yes No No Yes No No No Yes No No No Yes Yes No No No No Yes No No Yes Partial [30]

No Yes No No Yes No No Yes No No No No No No No No No No No No No No Yes Yes No No No No No No Yes Yes No

No No No No No No Yes No No No No No No No No No No No No No No No No No No No No No No No No No No

No No No No No No No No No No No No No No No No No No No No No No No No No No No No No No No No No

No No No No No No No No No No No No No No No Yes Yes No No No No No No No No No No No No No No No No

No No No No No No Yes [29]

Yes Yes Yes Yes Yes [28] [28]

Yes Yes Yes Yes No No No Yes Yes No No No Yes Yes Yes Yes

No No No No No No No No Yes No No No No No No No

No No Yes No No Yes No

Comparison of disk encryption software

4
No No No No No Yes Yes No No No No No No No No No No No No Yes [31] No No No No No No No No No No No No No No No No No [32] No No No No No No Yes Yes No No Yes No No No No No Yes No Linux No Yes No Yes No No No No No No Yes No No No No No Yes No No No No No No No No No No No No No No No No No No No No No No No No No No No No No No No Yes No Yes No No No No No No No No No No No No No No No No No No No No No

R-Crypto McAfee Endpoint Encryption (SafeBoot) SafeGuard Easy SafeGuard Enterprise SafeGuard PrivateDisk SafeHouse Professional Scramdisk Scramdisk 4 Linux SecuBox FinallySecure Enterprise (SECUDE) SecureDoc Sentry 2020 softraid / RAID C SpyProof! svnd / vnconfig Symantec Endpoint Encryption TrueCrypt Aloaha Secure Stick Name

Yes Yes Yes Yes Yes Yes Yes No No Yes Yes Yes No Yes No Yes Yes Yes Windows NT-based

No No No No No No Yes No No No No No No No No No Windows Mobile/Pocket PC

No FreeBSD

Pre-Windows NT

Mac NetBSD OpenBSD DragonFly OS X BSD

Features
Hidden containers: Whether hidden containers (an encrypted container (A) within another encrypted container (B) so the existence of container A can not be established)[33] can be created for deniable encryption. Note that some modes of operation like CBC with a plain IV can be more prone to watermarking attacks than others. Pre-boot authentication: Whether authentication can be required before booting the computer, thus allowing one to encrypt the boot disk. Custom authentication: Whether custom authentication mechanisms can be implemented with third-party applications. Multiple keys: Whether an encrypted volume can have more than one active key. Passphrase strengthening: Whether key strengthening is used with plain text passwords to frustrate dictionary attacks, usually using PBKDF2. Hardware acceleration: Whether dedicated cryptographic accelerator expansion cards can be taken advantage of. Trusted Platform Module: Whether the implementation can use a TPM cryptoprocessor. Filesystems: what filesystems are supported. Two-factor authentication: Whether optional security tokens (hardware security modules, such as Aladdin eToken and smart cards) are supported (for example using PKCS#11)

Comparison of disk encryption software

Name

Hidden Pre-boot Custom containers authentication authentication Yes [34] No No

Multiple keys

Passphrase Hardware strengthening acceleration No No

TPM

Filesystems

Two-factor authentication Yes [34][36]

ArchiCrypt Live BestCrypt

Yes

[34][35]

No

? Any supported by OS NTFS, FAT32 on non-system volumes Chiefly [43] NTFS ? Any supported by OS Any supported by OS ? ? ? Any supported by OS Any supported by OS ? Any supported by OS Any supported by OS ? Any supported by OS ? ? [52] Yes

Yes

Yes

No

Yes

[37]

Yes

Yes

Yes

Yes

[38]

BitArmor DataControl

No

Yes

No

Yes

Yes

No

No

No

BitLocker Drive Encryption Bloombase Keyparc CGD

No

Yes

[39]

Yes

[40]

Yes

[41]

Yes

[42]

Yes

Yes

[41]

Yes

[44]

No

No

Yes

Yes

Yes

Yes

No

No

No

Yes

[45]

Yes

[46]

Yes

[45]

No

No

Yes

[]

CenterTools DriveLock

No

Yes

No

No

Yes

No

No

Yes

Check Point Full Disk Encryption CrossCrypt CryptArchiver cryptoloop

? No No

Yes No No [47]

Yes No No

Yes No No

Yes No ?

? No No

? No No

Yes No ?

No

Yes

Yes

No

No

Yes

No

DiskCryptor No Yes Yes No Yes Yes [48] No

Yes

[48]

DISK Protect cryptsetup/dmsetup

Yes

[49]

Yes

[49]

No

No

Yes

[47]

Yes

No

No

Yes

No

No

dm-crypt/LUKS No Yes [47] Yes Yes Yes Yes No

Yes

DriveCrypt DriveSentry GoAnywhere 2

Yes

[50]

Yes

No

Yes

Yes

No

No

Yes

No

No

Yes

No

Yes

No

Yes

E4M e-Capsule Private Safe eCryptfs

No Yes [51]

No No No

No No Yes

No Yes []

? No Yes

No Yes Yes

No No Yes

No ? Yes

No

Yes

Comparison of disk encryption software

6
? HFS+, possibly others HFS+, possibly others Any supported by OS Any supported by OS Any supported by OS Any supported by OS NTFS, FAT32 Any supported by OS ? ? Any supported by OS Any supported by OS Any supported by OS Any supported by OS Any supported by OS Any supported by OS Any supported by OS

FileVault No No No Two [53] passwords Yes [53]

No

No

FileVault 2 No Yes No Yes Yes Yes [54] No

No

FREE CompuSec No Yes No No No No No

No

FreeOTFE Yes No Yes [55] Yes [56] Yes No No

Yes

GBDE No No [57] Yes Yes [58] No [58] No [57] No

Yes

GELI No Yes [57] Yes Yes [59] Yes [59] Yes [57] No

Yes

GuardianEdge Hard Disk Encryption loop-AES

No

Yes

Yes

Yes

Yes

No

No

Yes

No

Yes

[60]

Yes

[60]

Yes

[60]

Yes

[60]

Yes

[60]

No

Yes

[61]

n-Crypt Pro PGPDisk Private Disk

No No

No Yes [63]

No ?

No Yes

N/A Yes

[62]

No ?

No Yes

? Yes

[64]

No

No

No

Yes

Yes

No

No

Yes

R-Crypto ? No ? ? ? ? ?

McAfee Endpoint Encryption (SafeBoot) SafeGuard Easy

Yes

Yes

Yes

Yes

Yes

Yes

[65]

Yes

Yes

No

Yes

No

Yes

Yes

No

Yes

[66]

Yes

SafeGuard Enterprise

No

Yes

No

Yes

Yes

No

Yes

[66]

Yes

SafeGuard PrivateDisk

No

N/A

No

Yes

Yes

No

Yes

[67]

Yes

SafeHouse Professional

No

No

Yes

Yes

Yes

No

No

Yes

Scramdisk Yes No No No No No No ?

Last update to web site 2009-07-02

Comparison of disk encryption software

7
ext2, ext3, reiserfs, minix, ntfs, vfat/msdos ?

Scramdisk 4 Linux Yes [68] No No No Yes [68] No No

No

SecuBox FinallySecure Enterprise (SECUDE) SecureDoc Sentry 2020 softraid / RAID C

No

No

No

No

Yes

No

No

No

No

Yes

Yes

No

Yes

No

Yes

Yes

No No

Yes

[69]

Yes No

Yes No

Yes No

Yes No

Yes No

? ? Any supported by OS Any supported by OS NTFS, FAT32

Yes No

No

No

No

Yes

svnd / vnconfig No No No No Yes [70] Yes ?

Symantec Endpoint Encryption TrueCrypt

No

Yes

Yes

Yes

Yes

No

No

Yes

Yes (limited to one per "outer" container) Yes

only on [71] Windows

No

yes with multiple [72][73] keyfiles

Yes

Yes

No

Any supported by OS

Yes

Aloaha Secure Stick Name

No

Yes

Yes Multiple keys

No

No

No TPM

NTFS, FAT32 Filesystems

Yes Two-factor authentication

Hidden Pre-boot Custom containers authentication authentication

Passphrase Hardware strengthening acceleration

[1] "Jetico Company Info" (http:/ / www. jetico. com/ company. htm). Jetico. . Retrieved 2007-01-05. [2] Roland Dowdeswell (2002-10-04). "CryptoGraphic Disk" (http:/ / mail-index. netbsd. org/ current-users/ 2002/ 10/ 04/ 0008. html). mailing list announcement. . Retrieved 2007-01-14. [3] Original release as Protect Data Security Inc.'s "Protect!style="background: #ececec; color: black; font-weight: bold; vertical-align: middle; text-align: left; " class="table-rh"|" "Protect guards laptop and desktop data" (http:/ / www. infoworld. com/ cgi-bin/ displayArchive. pl?/ 99/ 25/ c05-25. 48. htm). . Retrieved 2008-09-03. [4] Company and product name change to Pointsec "Protect Data Security Inc. changes name to Pointsec Mobile Technologies Inc." (http:/ / web. archive. org/ web/ 20040820174918/ www. pointsec. com/ news/ news. asp?newsid=85). Archived from the original (http:/ / www. pointsec. com/ news/ news. asp?newsid=85) on 2004-08-20. . Retrieved 2008-09-03. [5] "Check Point Completes the Offer for Protect Data with Substantial Acceptance of 87.1 Percent" (http:/ / www. checkpoint. com/ press/ 2007/ protectdataacquisition011107. html). . Retrieved 2008-09-03. [6] Sarah Dean (2004-02-10). "OTFEDB entry" (http:/ / otfedb. sdean12. org/ cgi-bin/ pub_factsheet. cgi?SYSTEM_ID=46). . Retrieved 2008-08-10. [7] Initial cryptoloop patches for the Linux 2.5 development kernel: http:/ / uwsg. iu. edu/ hypermail/ linux/ kernel/ 0307. 0/ 0348. html [8] dm-crypt was first included in Linux kernel version 2.6.4: http:/ / lwn. net/ Articles/ 75404/ [9] Clemens Fruhwirth. "LUKS version history" (http:/ / luks. endorphin. org/ dm-crypt). . Retrieved 2006-12-24. [10] "archived E4M documentation" (http:/ / web. archive. org/ web/ 20000524061402/ www. e4m. net/ news. html). Archived from the original (http:/ / www. e4m. net/ news. html) on 2000-05-24. .). [11] "eCryptfs" (http:/ / ecryptfs. sourceforge. net). . Retrieved 2008-04-29. [12] "FreeOTFE version history" (http:/ / web. archive. org/ web/ 20061207224351/ http:/ / www. freeotfe. org/ docs/ version_history. htm#version_history). Archived from the original (http:/ / www. freeotfe. org/ docs/ version_history. htm#version_history) on 2006-12-07. . Retrieved 2006-12-24. [13] "gbde(4) man page in FreeBSD 4.11" (http:/ / www. freebsd. org/ cgi/ man. cgi?query=gbde& apropos=0& sektion=4& manpath=FreeBSD+ 5. 0-RELEASE& format=html). GBDE manual page as it appeared in FreeBSD 4.11. . Retrieved 2006-12-24.

Comparison of disk encryption software

[14] "geli(8) man page in FreeBSD 6.0" (http:/ / www. freebsd. org/ cgi/ man. cgi?query=geli& apropos=0& sektion=0& manpath=FreeBSD+ 6. 0-RELEASE& format=html). GELI manual page as it first appeared in FreeBSD 6.0. . Retrieved 2006-12-24. [15] "sh4vm$jbf$1@news.cybercity.dk PGP 6.0 Freeware released- any int'l links? (news:6)". [news:comp.security.pgp comp.security.pgp]. (Web link) (http:/ / groups. google. com/ group/ comp. security. pgp/ msg/ da7ee135c5e99044). Retrieved 2007-01-04. [16] "Dekart Encryption software timeline" (http:/ / www. lazybit. com/ index. php/ a/ 2007/ 04/ 19/ dekart_private_disk_timeline). Dekart. . [17] "McAfee Endpoint Encryption" (http:/ / www. mcafee. com/ us/ enterprise/ products/ data_protection/ data_encryption/ endpoint_encryption. html). product description. McAfee. . Retrieved 2009-03-04. [18] "SafeGuard Easy 4.5 Technical Whitepaper" (http:/ / www. sophos. com/ sophos/ docs/ eng/ factshts/ sophos-safeguard-easy-dsus. pdf). Utimaco. . Retrieved 2009-08-10. [19] "SafeGuard Enterprise Technical Whitepaper" (http:/ / www. sophos. com/ sophos/ docs/ eng/ factshts/ sophos-safeguard-enterprise-dsus. pdf). Utimaco. . Retrieved 2009-08-10. [20] Rebranded as ThinkVantage Client Security "ThinkVantage Technologies Deployment Guide" (ftp:/ / ftp. software. ibm. com/ pc/ pccbbs/ thinkcentre_pdf/ rr30mst. pdf). Lenovo. . Retrieved 2008-03-05. [21] "ScramDisk 4 Linux Releases" (http:/ / sourceforge. net/ project/ showfiles. php?group_id=101952& package_id=109447). . [22] "Sentry 2020 news" (http:/ / www. softwinter. com/ ). . Retrieved 2007-01-02. [23] OpenBSD 4.2 change notes (http:/ / www. openbsd. org/ plus42. html) [24] OpenBSD 2.8 change notes (http:/ / www. openbsd. org/ plus28. html) [25] TrueCrypt version history (http:/ / www. truecrypt. org/ docs/ ?s=version-history2) [26] "TrueCrypt License" (http:/ / www. truecrypt. org/ legal/ license). . Retrieved 2012-02-01. [27] (http:/ / cypherix. com/ downloads. htm) PocketPC freeware release- SmartPhone beta available [28] (http:/ / www. freeotfe. org/ docs/ Main/ Linux_volumes. htm) FreeOTFE supports cryptoloop, dm-crypt/cryptsetup/dmsetup, and dm-crypt/LUKS volumes [29] (http:/ / www. freeotfe. org/ docs/ Main/ Linux_volumes. htm) FreeOTFE4PDA supports dm-crypt/LUKS volumes [30] (http:/ / www. freeotfe. org/ docs/ Main/ Linux_volumes. htm) Supports Linux volumes [31] "Endpoint Encryption Datasheet" (http:/ / www. mcafee. com/ us/ enterprise/ products/ data_protection/ data_encryption/ endpoint_encryption. html). McAfee. . Retrieved 2010-06-14. [32] (http:/ / www. truecrypt. org/ misc/ freebsd) Although TrueCrypt can be built under FreeBSD, it is not recommended to run it because of bugs and instabilities when TrueCrypt is attempted to be used [33] (http:/ / www. jetico. com/ linux/ bcrypt-help/ c_hiddn. htm) Hidden containers description from Jetico (BestCrypt) [34] Secret-containers and Camouflage files ArchiCrypt Live Description (http:/ / www. archicrypt-shop. com/ ArchiCrypt-Live. htm) [35] Supports "Guest" keys [36] Using "Archicrypt Card" [37] Supported by the BestCrypt container format; see BestCrypt SDK [38] Supported by the BestCrypt Volume Encryption software [39] With PIN or USBkey) [40] BitLocker Drive Encryption: Value Add Extensibility Options (http:/ / download. microsoft. com/ download/ a/ f/ 7/ af7777e5-7dcd-4800-8a0a-b18336565f5b/ BitLockerExt. doc) [41] "BitLocker Drive Encryption Technical Overview" (http:/ / technet2. microsoft. com/ windowsserver2008/ en/ library/ ce4d5a2e-59a5-4742-89cc-ef9f5908b4731033. mspx?mfr=true). Microsoft. . Retrieved 2008-03-13. [42] Recovery keys only. [43] Windows 7 introduces Bitlocker-To-Go which supports NTFS, FAT32 or exFAT, however for hard drive encryption, Windows Vista and later are limited to be installable only on NTFS volumes [44] BitLocker can be used with a TPM PIN + external USB key for two-factor authentication [45] Roland C. Dowdeswell, John Ioannidis. "The CryptoGraphic Disk Driver" (http:/ / www. imrryr. org/ ~elric/ cgd/ cgd. pdf) (PDF). CGD design paper. . Retrieved 2006-12-24. [46] Federico Biancuzzi (2005-12-21). "Inside NetBSD's CGD" (http:/ / www. onlamp. com/ pub/ a/ bsd/ 2005/ 12/ 21/ netbsd_cgd. html?page=1). interview with Roland Dowdeswell. ONLamp.com. . Retrieved 2006-12-24. [47] dm-crypt and cryptoloop volumes can be mounted from the initrd before the system is booted [48] "DiskCryptor Features" (http:/ / diskcryptor. net/ wiki/ Main_Page/ en). . Retrieved 2010-05-25. [49] "DISK Protect 4.2 Data Sheet" (http:/ / www. becrypt. com/ us/ downloads/ DISK Protect 4. 2_US. pdf) (PDF). . Retrieved 2008-02-27. [50] "DriveCrypt features" (http:/ / www. securstar. com/ products_drivecrypt. php). SecurStar GmbH. . Retrieved 2007-01-03. [51] "Multi level access with separate access credentials, each enabling a different set of functional or logical operations" (http:/ / www. eisst. com/ products/ private_safe/ compare/ ). EISST Ltd.. . Retrieved 2007-07-25. [52] uses the lower filesystem (stacking) [53] Jacob Appelbaum, Ralf-Philipp Weinmann (2006-12-29) (PDF). Unlocking FileVault: An Analysis of Apple's disk encryption (http:/ / events. ccc. de/ congress/ 2006/ Fahrplan/ attachments/ 1244-23C3VileFault. pdf). . Retrieved 2012-01-03. [54] "Mac OS X 10.7 Lion: the Ars Technica review" (http:/ / arstechnica. com/ apple/ reviews/ 2011/ 07/ mac-os-x-10-7. ars/ 13). Ars Technica. 2011-07-20. . Retrieved 2012-01-03. [55] FreeOTFE has a modular architecture and set of components to allow 3rd party integration

Comparison of disk encryption software

[56] FreeOTFE allows multiple keys to mount the same container file via encrypted keyfiles [57] "FreeBSD Handbook: Encrypting Disk Partitions" (http:/ / www. freebsd. org/ doc/ en_US. ISO8859-1/ books/ handbook/ disks-encrypting. html). . Retrieved 2006-12-24. [58] Poul-Henning Kamp. "GBDE - GEOM Based Disk Encryption" (http:/ / phk. freebsd. dk/ pubs/ bsdcon-03. gbde. paper. pdf) (PDF). GBDE design document. . Retrieved 2006-12-24. [59] "geli(8) man page in FreeBSD-current" (http:/ / www. freebsd. org/ cgi/ man. cgi?query=geli& apropos=0& sektion=0& manpath=FreeBSD+ 7-current& format=html). GELI manual page in current FreeBSD. . Retrieved 2006-12-24. [60] Jari Ruusu. "loop-AES README file" (http:/ / loop-aes. sourceforge. net/ loop-AES. README). . Retrieved 2007-04-23. [61] Using customization [62] n-Crypt Pro does not use password authentication biometric/USB dongle authentication only [63] "PGP Whole Disk Encryption FAQ" (http:/ / www. pgp. com/ products/ wholediskencryption/ faq. html). PGP Corporation. . Retrieved 2006-12-24. [64] PGP private keys are always protected by strengthened passphrases [65] Endpoint Encryption (SafeBoot)ntel.com/cd/00/00/44/77/447708_447708.pdf "Intel Advanced Encryption Standard: New Instructions" (http:/ / cache-www. iMcAfee). Intel. Endpoint Encryption (SafeBoot)ntel.com/cd/00/00/44/77/447708_447708.pdf. Retrieved 2010-06-15. [66] "Embedded Security: Trusted Platform Module Technology Comes of Age" (http:/ / americas. utimaco. com/ encryption/ TPM-Technology-Comes-Of-Age. html). Utimaco. . Retrieved 2008-03-04. [67] "ThinkVantage Technologies Deployment Guide" (http:/ / download. lenovo. com/ ibmdl/ pub/ pc/ pccbbs/ thinkcentre_pdf/ rr30mst. pdf). Lenovo. . Retrieved 2008-03-05. [68] For Truecrypt containers [69] "SecureDoc Product Information" (http:/ / www. winmagic. com/ solutions/ securedoc. html). WinMagic Inc.. . Retrieved 2008-03-05. [70] optional by using -K OpenBSD Manual Pages: vnconfig(8) (http:/ / www. openbsd. org/ cgi-bin/ man. cgi?query=vnconfig& sektion=8) [71] http:/ / www. truecrypt. org/ docs/ sys-encryption-supported-os. php [72] Although each volume encrypted with TrueCrypt can only have one active master key, it is possible to access its contents through more than one header. Each header can have a different password and/or keyfiles if any (cf. TrueCrypt FAQ: Is there a way for an administrator to reset a password when a user forgets it?) [73] http:/ / www. truecrypt. org/ docs/ ?s=keyfiles

Layering
Whole disk: Whether the whole physical disk or logical volume can be encrypted, including the partition tables and master boot record. Note that this does not imply that the encrypted disk can be used as the boot disk itself; refer to "pre-boot authentication" in the features comparison table. Partition: Whether individual disk partitions can be encrypted. File: Whether the encrypted container can be stored in a file (usually implemented as encrypted loop devices). Swap space: Whether the swap space (called a "pagefile" on Windows) can be encrypted individually/explicitly. Hibernation file: Whether the hibernation file is encrypted (if hibernation is supported).
Name ArchiCrypt Live Whole disk Yes (except for the boot volume) Yes No Yes (except for the boot volume) Yes Yes Yes Yes Partition File Swap space Hibernation file

Yes

Yes

No

No

BestCrypt BitArmor DataControl BitLocker Drive Encryption

Yes Yes

Yes No

Yes Yes Yes (parent volume is encrypted) Yes Yes Yes Yes

[1] Yes Yes Yes (parent volume is encrypted) No Yes No Yes

Yes

No

Bloombase Keyparc CenterTools DriveLock CGD Check Point Full Disk Encryption

Yes Yes Yes Yes

Yes Yes [45] Yes ?

Comparison of disk encryption software

10
No No Yes Yes Yes Yes No No No No No No Yes No No Yes Yes Yes Yes [50] Yes Yes Yes No [2] Yes [50] Yes Yes Yes [4] Yes Yes [53] Yes No Yes No No Yes Yes Yes No No No No No [5][53] Yes Yes Yes No No No Yes [3] Yes No No No No No Yes [5][6]

CrossCrypt CryptArchiver cryptoloop DiskCryptor dm-crypt DriveCrypt DriveSentry GoAnywhere 2 E4M e-Capsule Private Safe eCryptfs FileVault FileVault 2 FREE CompuSec FreeOTFE

Yes Yes No No No Yes [54]

Yes Yes

No

Yes (except for the boot volume) Yes Yes Yes Yes Yes Yes No No Yes

Yes

Yes

No

No

GBDE GELI GuardianEdge Hard Disk Encryption loop-AES n-Crypt Pro PGPDisk Private Disk R-Crypto McAfee Endpoint Encryption (SafeBoot) SafeGuard Easy

Yes Yes Yes Yes [60]

[7] Yes [7] Yes Yes [60] Yes Yes Yes Yes Yes Yes extra module Yes Yes Yes Yes Yes Yes Yes Yes Yes

Yes Yes Yes Yes [60]

No No Yes [60] Yes No only on Windows No No [8] Yes Each sector on disk is encrypted Each sector on disk is encrypted No No No No No Yes Yes No

Yes Yes No No Yes

No Yes No No Yes

Yes

Yes

Yes

SafeGuard Enterprise

Yes No No No Yes No Yes Yes [69]

Yes No No Yes Yes No Yes Yes No

Yes No No No Yes N/A Yes Yes No

SafeGuard PrivateDisk SafeHouse Professional Scramdisk Scramdisk 4 Linux SecuBox FinallySecure Enterprise (SECUDE) SecureDoc Sentry 2020

No

Comparison of disk encryption software

11

softraid / RAID C Yes svnd / vnconfig Yes No

Yes (encrypted by default in [9] OpenBSD) Yes (encrypted by default in OpenBSD) No Yes Yes No N/A Swap space

No

? No Yes Yes No Yes Whole disk

Yes Yes Yes Yes No N/A Partition

Yes Yes Yes Yes Yes Yes File

? No Yes only on Windows No N/A Hibernation file [71]

SpyProof! Symantec Endpoint Encryption TrueCrypt Aloaha Secure Stick Cryptomill Name

Modes of operation
Different modes of operation supported by the software. Note that an encrypted volume can only use one mode of operation. CBC with predictable IVs: The CBC (cipher block chaining) mode where initialization vectors are statically derived from the sector number and are not secret; this means that IVs are re-used when overwriting a sector and the vectors can easily be guessed by an attacker, leading to watermarking attacks. CBC with secret IVs: The CBC mode where initialization vectors are statically derived from the encryption key and sector number. The IVs are secret, but they are re-used with overwrites. Methods for this include ESSIV and encrypted sector numbers (CGD). CBC with random per-sector keys: The CBC mode where random keys are generated for each sector when it is written to, thus does not exhibit the typical weaknesses of CBC with re-used initialization vectors. The individual sector keys are stored on disk and encrypted with a master key. (See GBDE for details) LRW: The Liskov-Rivest-Wagner tweakable narrow-block mode, a mode of operation specifically designed for disk encryption. Superseded by the more secure XTS mode due to security concerns.[10] XTS: XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS), the SISWG (IEEE P1619) standard for disk encryption.
Name CBC w/ predictable IVs CBC w/ secret IVs No Yes Yes [14] Yes Yes [15] Yes ? ? No ? No CBC w/ random per-sector keys No No Plumb-IV No ? No ? ? No ? No LRW XTS

ArchiCrypt Live BestCrypt BitArmor DataControl BitLocker Drive Encryption Bloombase Keyparc CGD CenterTools DriveLock Check Point Full Disk Encryption CrossCrypt CryptArchiver cryptoloop

No No No No [14]

Legacy support Yes [12]

[11]

Yes Yes [13]

No No ? No ? ? No ? No

No No ? No ? ? No ? No

? No ? ? Yes ? Yes

Comparison of disk encryption software

12
No Yes ? ? ? ? Yes No No No Yes No [18] Yes No multi-key-v3 [60] mode ? ? No ? Yes ? ? ? No Yes [68] Yes No ? ? ? ? ? No No No ? ? ? ? ? No No No No [58] Yes No Yes No Yes, using [16] *-lrw-benbi ? ? No ? No No No No Yes No No No Yes Yes, using *-xts-plain ? ? No ? No No Yes [17]

DiskCryptor dm-crypt

No Yes

DriveCrypt DriveSentry GoAnywhere 2 E4M e-Capsule Private Safe eCryptfs FileVault FileVault 2 FREE CompuSec FreeOTFE GBDE GELI GuardianEdge Hard Disk Encryption loop-AES

? ? ? ? No Yes [53]

No Yes Yes No No No single-key, multi-key-v2 [60] modes ? ? Yes ? No ? ? ? Yes No No Yes ? ? ? ? ? No

No Yes No Yes No

No No ? Yes ? No ? ? ? No No No No ? ? ? ? ? Yes

No No ? No ? No ? ? ? No No Yes [68]

No No ? No ? No ? ? ? No No Yes [68]

n-Crypt Pro PGPDisk Private Disk R-Crypto McAfee Endpoint Encryption (SafeBoot) SafeGuard Easy SafeGuard Enterprise SafeGuard PrivateDisk SafeHouse Professional Scramdisk Scramdisk 4 Linux SecuBox FinallySecure Enterprise (SECUDE) SecureDoc Sentry 2020 softraid / RAID C svnd / vnconfig Symantec Endpoint Encryption

No ? ? ? ? ? No

No ? ? ? Yes [19]

? No

Comparison of disk encryption software

[20] [21] [22]

13

TrueCrypt Aloaha Secure Stick Name

Legacy support No

No No CBC w/ secret IVs

No No CBC w/ random per-sector keys

Legacy support Yes LRW

Yes

Yes XTS

CBC w/ predictable IVs

Notes and references

[1] http:/ / www. jetico. com/ data-protection-encryption-bestcrypt-volume-encryption-enterprise/ [2] dm-crypt can encrypt a file-based volume when used with the losetup utility included with all major Linux distributions [3] yes, but the user needs custom scripts: http:/ / www. linuxquestions. org/ questions/ slackware-14/ luks-encryption-swap-and-hibernate-627958/ [4] Uses proprietary e-Capsule file system not exposed to the OS. [5] not technically part of FileVault, but provided by many versions of Mac OS X; can be enabled independently of FileVault [6] http:/ / macmarshal. com/ images/ Documents/ mm_wp_102. pdf [7] File-based volume encryption is possible when used with mdconfig(8) (http:/ / www. freebsd. org/ cgi/ man. cgi?query=mdconfig& sektion=8) utility. [8] "Control Break Internation Debuts SafeBoot Version 4.27" (http:/ / www. entrepreneur. com/ tradejournals/ article/ 120829729. html). . Retrieved 2008-08-12. [9] http:/ / www. openbsd. org/ plus38. html OpenBSD 3.8 change notes [10] LRW_issue [11] Containers created with ArchiCrypt Live version 5 use LRW [12] "New features in BestCrypt version 8" (http:/ / www. jetico. com/ bc8_web_help/ html/ 03_new_features/ 01_new_features. htm). Jetico. . Retrieved 2007-03-02. [13] "New features in version 2" (http:/ / www. jetico. com/ bcve_web_help/ html/ 01_introduction/ 04_new_in_version. htm). Jetico. . Retrieved 2009-03-01. [14] Niels Fergusson (August 2006). AES-CBC + Elephant Diffuser: A Disk Encryption Algorithm for Windows Vista (http:/ / download. microsoft. com/ download/ 0/ 2/ 3/ 0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/ BitLockerCipher200608. pdf). Microsoft. . Retrieved 2008-02-22. [15] "man 4 cgd in NetBSD-current" (http:/ / netbsd. gw. com/ cgi-bin/ man-cgi?cgd+ 4+ NetBSD-current). NetBSD current manual page on CGD. 2006-03-11. . Retrieved 2006-12-24. [16] Starting with Linux kernel version 2.6.20, CryptoAPI supports the LRW mode: http:/ / lwn. net/ Articles/ 213650/ [17] "OS X Lion: About FileVault 2" (http:/ / support. apple. com/ kb/ HT4790). . Retrieved 2011-1-3. [18] "Linux/BSD disk encryption comparison" (http:/ / mareichelt. de/ pub/ notmine/ linuxbsd-comparison. html). . Retrieved 2006-12-24. [19] Commit enabling AES XTS (http:/ / marc. info/ ?l=openbsd-cvs& m=121302798322835& w=2) [20] Containers created with TrueCrypt versions 1.0 through 4.0 use CBC. [21] Containers created with TrueCrypt versions 4.1 through 4.3a use LRW, and support CBC for opening legacy containers only. [22] Containers created with TrueCrypt versions 5.0 or later use XTS, and support LRW/CBC for opening legacy containers only.

External links
On-The-Fly Encryption: A Comparison (http://otfedb.sdean12.org/) - A much larger comparison of disk encryption software, sorted by OS

Article Sources and Contributors

14

Article Sources and Contributors

Comparison of disk encryption software Source: http://en.wikipedia.org/w/index.php?oldid=483046577 Contributors: Afagelson, Alzadude, AniLoveBe, ArnoldReinhold, Athaba, Aughtandzero, Baonh, BobBagwill, Burns flipper, Cakruege, Cooldude7273, Cosect, Cralar, Cronopios, Davidbengtenglund, Deridian, Eagering, Edificant, Edrarsoric, Elric imrryr.org, Engst03, Erth64net, Exlade, Eyakovlev, FT2, Family Guy Guy, FleetCommand, Floptimusprime, Foxius, Gadget850, Gr.wiki, Gr8dude, H8gaR, Haakon, Hashproduct, Hholst, Ido50, Infosyssg, Intgr, Irky, JForget, Jengelh, Jhartmann, John Yesberg, Judsonp, Kasperd, KillerCommz, Kimchi.sg, Knguyeniii, Kvi83, LinuxAngel, Lisfire, Masgatotkaca, Mbor, Mcannella, Mdwh, MichaelPloujnikov, Mike A Quinn, Mirrakor, Moonradar, Moziru, Nichlas, Nickp99, Nuwewsco, OlavN, P6910, Pabj, Pabouk, ParanoidMike, Pavritch, Pgruntkowski, R0mashka1, Raftermast, Reisio, Rich Farmbrough, Rina Fey, Rjwilmsi, Ronz, SGGH, SafeBoot, Shtraue, Snorgy, Socrates2008, Splitmode, Spoon!, Stephenchou0722, Timmaliyil, Tmaliyil, Toddst1, Trasz, Tschink, Unschool, Utimaco, Wererooster, Woken Wanderer, XFireRaidX, Xnquist, Yarikoptic, Zollerriia, Zurtitto, 260 anonymous edits

License
Creative Commons Attribution-Share Alike 3.0 Unported //creativecommons.org/licenses/by-sa/3.0/