Data protection is an imperative aspect of digital security for both businesses and individuals. In this new remote work environment brought on by COVID-19, securing one’s private data is more critical than ever.
Linux handles this issue far better than Windows or MacOS due to its transparent open-source code and the passionate global community constantly reviewing it. With so many astute eyes on Linux source code, security vulnerabilities are quickly detected and solved - which is why those looking for a highly secure OS often turn to Linux.
That being said, this doesn’t mean that your Linux computer is 100% unhackable. In fact, the growing popularity of Linux is making the OS an increasingly popular target among malicious hackers. Thus, it never hurts to add a layer of privacy in the form of file and disk encryption.
File and disk encryption makes your data unreadable and unusable even if your computer does get hacked. In this article we explore the eight best file and disk encryption tools for Linux.
CryFS is a free and open-source tool for encrypting files before you store them in the cloud or anywhere else. Setting it up is a breeze and it is compatible with popular cloud services such as Dropbox, iCloud and OneDrive, among many others. CryFS works in the background, so you won’t notice it when accessing your files.
This tool doesn’t just encrypt your files - it also encrypts your file sizes, metadata, and directory structure.
The base directory contains a configuration file with the information CryFS requires to decrypt it. This configuration file is encrypted twice: once with aes-256-gcm and once with your chosen password. This same password will also be used for integrity checks.
Cryptmount is a user-friendly open-source encryption tool aimed at Linux users running kernel 2.6 or later. It lets beginners encrypt a specific filesystem without requiring superuser privileges.
Cryptmount uses the kernel’s device-mapper mechanism, which offers many options for creating encrypted filesystems. This brings several advantages: access to improved functionality in the kernel; transparent support for filesystems stored on either raw disk partitions or loopback files; separate encryption of the filesystem access keys, which allows access passwords to be changed without re-encrypting the entire filesystem; and the ability to store multiple encrypted filesystems within a single disk partition, using a designated subset of blocks for each.
You can learn how to install and configure Cryptmount on your Linux system in this brief tutorial.
Cryptsetup is an open-source utility that makes it easy to set up disk encryption based on the dm-crypt kernel module. The supported formats include plain dm-crypt volumes, LUKS volumes, loop-AES, TrueCrypt (including the VeraCrypt extension) and BitLocker.
It uses the standard LUKS (Linux Unified Key Setup) design to protect against attacks on low-entropy passphrases, to support multiple keys and to allow effective passphrase revocation. The use of LUKS also provides compatibility among distributions as well as security with multiple passwords. LUKS stores all necessary setup information in the partition header, allowing users to easily transport or migrate data.
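To show what “all necessary setup information in the partition header” means in practice, here is an added example (not cryptsetup’s own code) that parses a LUKS1 header and reports the cipher, key size and which of the eight key slots are active, which is the check an administrator makes when auditing or revoking passphrases. The header bytes are constructed in the code from the LUKS1 on-disk layout, not read from a real device.

```python
import struct

# LUKS1 on-disk header layout (all integers big-endian), per the LUKS1 spec.
LUKS_MAGIC = b"LUKS\xba\xbe"
KEY_ACTIVE, KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"  # 208 bytes of fixed fields
SLOT_FMT = ">II32sII"                      # 48 bytes per key slot, 8 slots
FIXED_LEN = struct.calcsize(HEADER_FMT)
HEADER_LEN = FIXED_LEN + 8 * struct.calcsize(SLOT_FMT)  # 592 bytes

def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks1_header(data):
    """Return the volume setup info and the list of active key slots."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header: need %d bytes" % HEADER_LEN)
    (magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, mk_iters, uuid_raw) = struct.unpack_from(HEADER_FMT, data)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    slots = []
    for i in range(8):
        state, iters, _salt, km_off, stripes = struct.unpack_from(
            SLOT_FMT, data, FIXED_LEN + i * struct.calcsize(SLOT_FMT))
        if state == KEY_ACTIVE:
            slots.append({"slot": i, "iterations": iters,
                          "key_material_offset": km_off, "stripes": stripes})
        elif state != KEY_DISABLED:  # anything else means a corrupt header
            raise ValueError("slot %d has invalid state 0x%08x" % (i, state))
    return {"cipher": "%s-%s" % (_cstr(cipher), _cstr(mode)), "hash": _cstr(hashspec),
            "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
            "mk_iterations": mk_iters, "uuid": _cstr(uuid_raw), "active_slots": slots}

def build_sample_header(active_slots):
    """Constructed header for demonstration only; not read from a real device."""
    hdr = struct.pack(HEADER_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                      4096, 64, b"\x00" * 20, b"\x00" * 32, 100000,
                      b"3f0a7c6e-5b1d-4e2a-9c8f-0123456789ab")
    for i in range(8):
        state = KEY_ACTIVE if i in active_slots else KEY_DISABLED
        hdr += struct.pack(SLOT_FMT, state, 200000 if state == KEY_ACTIVE else 0,
                           b"\x11" * 32, 8 + i * 504, 4000)
    return hdr
```

On a real system the same 592 bytes are the first 592 bytes of the LUKS1 partition, and because they hold the only copy of the encrypted master key, a header backup is what makes a volume recoverable after a damaged first sector.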
eCryptfs is a free, open-source, cryptographic filesystem for Linux. You can think of it as “GnuPG as a filesystem”.
The filesystem stores cryptographic metadata in each file’s header, which allows for the copying of encrypted files between hosts. These encrypted files can then be decrypted with the corresponding key in the Linux kernel keyring.
This tool has been part of the Linux kernel since version 2.6.19 and is used in Google Chrome, as the basis for Ubuntu's Encrypted Home Directory and in several network-attached storage (NAS) devices.
EncFSMP is a free and (mostly) open-source tool for mounting EncFS folders on Mac OS X and Windows. This tool lets you create, edit, export and change your EncFS folder passphrases. EncFSMP is perfectly compatible with EncFS 1.7.4 on Linux.
With EncFSMP, you’ll find that configuration is stored in the working directory in the form of a dotfile (.encfs6.xml). Since all other metadata is stored in the configuration file, you conveniently only need to remember your passphrase.
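Because the .encfs6.xml file holds the encrypted volume key, the salt and every other setting, it is worth reading it before trusting a folder that syncs to the cloud. The following is an added example, not EncFSMP’s or EncFS’s own code, that parses a constructed config and flags two settings a reviewer would question; the element names follow the layout EncFS 1.7.x writes as I know it and should be treated as an assumption to verify against your own file.

```python
import xml.etree.ElementTree as ET

# Constructed .encfs6.xml for this example. Element names follow the layout
# written by EncFS 1.7.x as I know it (an assumption; compare with your own file).
SAMPLE_ENCFS6_XML = """<boost_serialization signature="serialization::archive" version="9">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.7.4</creator>
  <cipherAlg><name>ssl/aes</name><major>3</major><minor>0</minor></cipherAlg>
  <nameAlg><name>nameio/block</name><major>3</major><minor>0</minor></nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
  <uniqueIV>1</uniqueIV>
  <chainedNameIV>1</chainedNameIV>
  <externalIVChaining>0</externalIVChaining>
  <blockMACBytes>0</blockMACBytes>
  <blockMACRandBytes>0</blockMACRandBytes>
  <allowHoles>1</allowHoles>
  <encodedKeySize>44</encodedKeySize>
  <encodedKeyData>PLACEHOLDER_BASE64_ENCRYPTED_VOLUME_KEY</encodedKeyData>
  <saltLen>20</saltLen>
  <saltData>PLACEHOLDER_BASE64_SALT</saltData>
  <kdfIterations>60000</kdfIterations>
  <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
"""

def audit_encfs_config(xml_text, min_kdf_iterations=100000):
    """Summarise an EncFS config and flag settings a reviewer would question."""
    cfg = ET.fromstring(xml_text).find("cfg")
    if cfg is None:
        raise ValueError("no <cfg> element: not an EncFS config")
    field = lambda tag: cfg.findtext(tag, default="").strip()
    findings = []
    if int(field("blockMACBytes") or 0) == 0:
        findings.append("blockMACBytes=0: data blocks carry no MAC, so tampering "
                        "with the encrypted files is not detected")
    if int(field("kdfIterations") or 0) < min_kdf_iterations:
        findings.append("kdfIterations=%s: below %d, so an offline guess at the "
                        "passphrase is cheap" % (field("kdfIterations"), min_kdf_iterations))
    return {"creator": field("creator"),
            "cipher": cfg.findtext("cipherAlg/name"),
            "key_bits": int(field("keySize")),
            "block_size": int(field("blockSize")),
            "findings": findings}
```

Keep a copy of this file somewhere other than the synced folder: the passphrase alone cannot recover the data if the config, and with it the encrypted volume key, is lost.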
EncFSMP is usable for Dropbox and other cloud storage platforms, since it encrypts on a per-file basis.
GnuPG (aka GPG or Gnu Privacy Guard) is a free and open-source implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). It was engineered to replace Symantec’s PGP cryptographic software suite.
This tool supports several types of cryptographic algorithms, including public-key cryptography (RSA, ElGamal, DSA), symmetric-key algorithms (Blowfish, AES, IDEA, etc.), cryptographic hash functions (RIPEMD, SHA) and compression (ZIP, ZLIB, BZIP2).
GnuPG also lets you encrypt and decrypt files from the command line and comes with a collection of frontend applications and libraries. Additionally, it features a versatile key management system along with access modules for a wide range of public key directories.
You can learn how to encrypt and decrypt files with GPG on Linux in this detailed tutorial.
Gostcrypt, a fork of the now discontinued Truecrypt project, is a free and open-source cryptographic tool for Linux, Windows and MacOS. It currently uses the GOST 28147-89 algorithm, but is planning to move to GOST Grasshopper since the release of version 1.3.1.
The Grasshopper algorithm aims to supersede the current GOST 28147-89 algorithm (64-bit block and 256-bit key, Feistel structure). Unlike the GOST 28147-89 algorithm, GOST Grasshopper belongs to the SPN (Substitution Permutation Network) family. This features 128-bit blocks (plaintext, ciphertext) and a 256-bit master key from which 10 128-bit subkeys can be derived.
Tomb is a free and open-source encryption and backup tool for GNU/Linux systems. It’s written in easy-to-review code, linking commonly-shared components. Tomb is touted as one of the best file encryption software options available for Linux today.
It creates encrypted storage folders that can be opened and closed with their respective key files (which are also password-protected). A “tomb” is a locked and safely-transportable folder hidden in a filesystem. These tombs can be separated, for instance, your tomb file can be kept on your hard disk and the key files in a USB stick.
It should be noted that Tomb only works on GNU/Linux systems.
You can learn how to install Tomb on Linux systems, how to create tombs and how to hide a tomb key in an image in this helpful tutorial.
Protect Your Data Today
Data privacy has always been a concern but never more so than in today’s work-from-home environment. While Linux systems enjoy built-in security and privacy due to the system’s open-source nature, this doesn’t mean that your files are safe in the event that your system gets hacked. If you want to keep your private files private, try out one of the eight file and disk encryption tools for Linux covered in this article.
About the Author
Terry Webb is a DevOps specialist and Founder of TheOnlineWebb.com, with expertise in database management, information technology, and DevOps. His insights have been featured in some of the most popular IT blogs, and Webb is appreciated for making SQL interesting. The majority of his work involves DevOps consulting and blogging.
Edited by Brittany Day, LinuxSecurity.com Content Editor and Guardian Digital, Inc. Director of Communications.