Best file/disk encryption methods

Best file/disk encryption methods

Post by Fred Barclay »

This is theoretical (at the moment :) ), but in your opinion, what are good encryption tools?
I've used TrueCrypt before, but it's my understanding that it is now defunct. I've also experience with LUKS, but if I'm not mistaken, only a Linux can open a LUKS file, so if I needed to use it on Windows, too bad.

What I'm looking for is impenetrability. Speed is not so much a concern; I just want something that, if I lock it, I can believe that it is locked and almost cannot be opened or retrieved without a password.
Last edited by LockBot on Wed Dec 07, 2022 4:01 am, edited 1 time in total.
Reason: Topic automatically closed 30 days after creation. New replies are no longer allowed.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

Re: Best file/disk encryption methods

Post by Welly Wu »

Passwords are inherently weak because all of them can be cracked given new breakthroughs in computational processing power and the weaknesses of the people that create passwords to begin with. The encryption algorithm is the single most important aspect and the hashing method is also quite important. Once you demand that an encryption system be almost universally supported across multiple platforms, you give up some security for convenience. You didn't mention your requirements carefully enough to help us to help you make an informed decision. You're too vague.

Based upon what you wrote, I'd say that you try VeraCrypt. It should do, but you have to understand that you need to use VeraCrypt on a Microsoft Windows desktop operating system in order to be able to create a Microsoft NTFS encrypted file system to begin with. Once you do that, you open the possibilities that Microsoft Windows, GNU/Linux, and Apple Macintosh users can read your encrypted data if they can crack your password. You'd be better off using a single desktop operating system with a single file system using a single encryption algorithm and hashing algorithm. Cascading encryption algorithms are overkill if your password is sufficiently unique, complex, strong, and easy enough for you to remember or at least store in a safe, private, and secure password management system.

Therein lies your weakness. It's not TrueCrypt or VeraCrypt that is protecting your data per se, but it is your password management system that is protecting your data. You'd be much better off learning how to create and remember passphrases instead of passwords than relying on TrueCrypt or some other encryption system. In the end, the onus is on you. Almost all encryption algorithms and hashing algorithms are based upon classical cryptography. New advancements in code breaking will lead to important breakthroughs over time. You should be more concerned with the plain text data rather than the enciphered data.
There should be some information or data that should not be recorded on paper or through electronic mediums. Think harder about what you are trying to protect rather than the software used to protect it. It's that information and data that is far more important should someone else be able to read it someday in the future.

Re: Best file/disk encryption methods

Post by Welly Wu »

As for myself, I have a Lenovo IdeaPad Y510P notebook PC and I run Ubuntu 14.04.2 64 bit LTS GNU/Linux as my desktop operating system. The only unique data that I created that needs to be protected are my GnuPG public and private keys and the keyring. Everything was obtained from public sources found on the Internet. I did choose to enable full-disk encryption using dm-crypt and LUKS using the AES 256 bits XTS with SHA-1 encryption algorithm and hashing algorithm, but what really protects my other commonly found data are the other security features found within most GNU/Linux distributions. I'm talking about file permissions, Novell AppArmor, Ubuntu Uncomplicated Firewall, VPN, Bitdefender Anti-Virus (really not necessary unless I'm file sharing with Microsoft or Apple users), PAM, rkhunter, chkrootkit, tiger, john the ripper, denyhosts, fail2ban, chroot jails, etc. Most importantly, all of my sensitive data is stored on remote corporate servers like my PNC Bank monthly statements, my Capital One Platinum MasterCard monthly statements, my Amazon Store card monthly statements, my United Health Care medical records, my East Orange General Hospital medical records and bills, my primary care physician medical records, etc. I rely upon LastPass Premium and I purchased three Yubico YubiKeys for secure two-factor authentication. If it's a super sensitive piece of information or file, then I don't store it on my PC or my external disk drives at all. I rely on the information technology staff, resources, and rules, regulations, and laws in the United States of America by leaving that stuff on their corporate servers so that I can legally access them through their websites.

Do you have a personal safe? I have a Sentry Safe. It requires a unique key and combination to unlock and open the door. Do you have a safety deposit box at your local bank branch? I do. I use these products and services to secure my important documents, jewelry, wallet, and cash. That's of far more value than some medical record or bill or monthly statement. Do you have a secure door lock at your office or home especially for the rooms that contain your PCs and data? I have a Schlage Camelot that requires both a master key and 6 digit PIN code to unlock the door and open it. Do you have security locks and desk anchors? I have both a Targus and Kensington desk anchors on my wooden desk inside my bedroom protected by my Schlage Camelot door lock and I use Kensington Micro Saver DS and Click Safe Keyed Ultra laptop locks along with a Mul-T-Lock padlock to lock down my physical assets.

Encryption is useless if an unauthorized person gets physical access to your assets at your work or home. Think about that first before you consider encryption software.

I used to work for the US National Security Agency a few years ago. So, yes, I know what I'm writing about.

Re: Best file/disk encryption methods

Post by Welly Wu »

The only realistic choice that is practical is to use VeraCrypt. If I were you, then I would not worry about interoperability and I would just focus on keeping your sensitive information and data safely secured on one PC or disk drive. In other words, store all of your eggs in one basket that is as strong as possible. Once you start copying and backing up your encrypted data across different PCs, devices, and disk drives, it becomes a security liability and threat to you if someone were to get physical or remote access to one of your devices or disk drives. Again, I would not choose to store super sensitive data, especially corporate or work assets, at home without authorization because you clearly lack the technical skill sets, knowledge, resources, staff, and financial means to compete with the large companies that do this as their profession.

If this is not possible and you insist upon going down the road that you must travel, then use VeraCrypt, but be sure to create a unique key file and save it with each encrypted file container that you create. This creates stronger two-factor authentication. You should avoid single factor password based authentication as much as possible because this greatly increases your risk factors by several large orders of magnitude. If you must store your encrypted data on a disk drive, then at least purchase and use a personal safe at your office or home. Make sure that you remember and record the PIN or combination code. Make sure you keep the backup master key safely stored somewhere outside of your office or home, preferably inside a safety deposit box at your local bank branch.

Other tools include EncFS or eCryptfs. EncFS is this:

1. https://wiki.archlinux.org/index.php/EncFS

2. http://tuxtweaks.com/2013/10/encrypted- ... nux-encfs/

eCryptfs is used to encrypt your home folder or partition. Read this:

1. http://ecryptfs.org/

2. https://www.howtoforge.com/how-to-encry ... an-squeeze

These are built-in, free, libre, open source and well scrutinized public cipher encryption systems found in most GNU/Linux distributions. They don't require that you use a third-party encryption software application with a different software licensing model like TrueCrypt or VeraCrypt. They use the Microsoft Public License which can be tricky especially if some of the plain text data that you encrypt contains licenses or legal fine print that complicates things for you.

You should focus less on the encryption software and more about treating and protecting your PC containing your sensitive data like a high value target server. Once you get into the mindset of a skilled and experienced system administrator whose job is to protect the confidentiality, integrity, and availability of the data itself, then you're on the right path. What good is it to encrypt your data if your PC doesn't work or it gets damaged or stolen?

If you must rely on cloud based backup, then choose CrashPlan+. They are the best and most affordably priced product and service available for GNU/Linux currently available. I use it.

The problem with encryption software and tools like the ones that I mentioned goes back to my earlier posts. Once you download, copy, record, or store sensitive plain text information or data on your PCs or disk drives, then the game of protecting it becomes much more difficult for you as the owner. If this is unrealistic for you, then choose VeraCrypt and follow my suggestions. Don't use Microsoft's NTFS file system. It's old, archaic, and full of bugs. It can fail you when you need it the most. It's too universal and it allows too many people to get dibs on your encrypted data once they crack your password or passphrase.

Stick with AES as much as possible. If you don't trust the US NIST and NSA, then choose Twofish or Serpent if you require maximum security, but choose one or the other and not both or all three. Choose SHA-512 as much as possible. If you don't trust it because it comes from the American government, then choose Whirlpool. Try to concentrate both plain text and enciphered text information and data to one PC and one disk drive as much as possible. Lock down your physical assets and consider your access points carefully. Try not to use 802.11 Wi-Fi as much as possible and use Gigabit Ethernet. Don't use Bluetooth at all. If you must copy and backup your encrypted data, then get a personal safe or a safety deposit box and put your external disk drive in it and lock it at all times when not in usage. If you require cloud based backup, then choose CrashPlan+.

If you require more privacy than CrashPlan+, then choose SpiderOak, but you'll pay more for their product and service. SpiderOak is the gold standard among cloud based backup and synchronization, but it's getting more expensive. You pay for a data plan or pool of data. Two-factor authentication is currently in beta phase and it is not officially supported. CrashPlan+ allows you to create your own custom encryption key so even the company itself cannot decrypt your data at its CrashPlan Central data centers worldwide. Choose to create a custom encryption key when using a password management system and a cloud based backup system and insist upon it as a must have feature.

Physical access equals root access. Remember that. If possible, relocate your physical assets like your PCs or your disk drives to a single room with a single access point and follow my recommendations.

Re: Best file/disk encryption methods

Post by Welly Wu »

There are a couple of more points that I want to share with you.

First, get a portable hard disk drive enclosure or a hard disk drive dock. Most internal disk drives use the SATA-I/II/III interface and most external desktop and laptop hard disk drives (that are the barebones ones) use it. This way, you'll have a way of taking out your internal hard disk drive and putting it inside a hard disk drive enclosure or dock to try to retrieve your personal user data in case of an emergency or disaster. I use an Orico USB 3.0 2.5" 9.5 mm hard disk drive enclosure.

Second, choose a reliable hard disk drive manufacturer like Hitachi or Western Digital. Stay away from Seagate. It matters.

Third, try not to use hard disk drives at all. Choose solid state disks for your internal disk drives inside your PCs as much as possible. They're four times faster than a hard disk drive and they are ten times more reliable and durable.

Fourth, seriously consider a cloud based backup provider. Don't choose Dropbox, Sugar Sync, Microsoft OneDrive, etc. Choose a backup system instead of a synchronization system. This is why I strongly recommend Spideroak because they do everything including backup and synchronization and file sharing securely at a higher price. It's a one stop solution.

Finally, get a VPN service provider like Private Internet Access. Not only do you get around geolocation blocking by ISPs and countries, but you get to encrypt your network traffic end to end. If you don't trust VPNs, then choose TOR and choose SelekTOR. It's free of charge for GNU/Linux users and it's much easier than trying to download, install, configure, and set up TOR and Vidalia on your GNU/Linux or Microsoft Windows PCs. SelekTOR is $12.95 USD for Microsoft Windows users.

Remember: encrypted data arouses suspicions especially by local and federal law enforcement, military, and intelligence agencies. By choosing to encrypt some or all of your personal user data, you get the spooks and g-men interested in you as a potential target.

If possible, then choose to use GnuPG when possible. You can read this to secure GnuPG configuration:

1. https://www.google.com/url?sa=t&rct=j&q ... 1466,d.eXY

2. https://sparkslinux.wordpress.com/2013/ ... iguration/

You can open a terminal and type in sudo apt-get install seahorse-nautilus if you use Ubuntu or nemo-seahorse to enable easy file encryption and decryption using Ubuntu's Nautilus or Linux Mint's Nemo file managers. Make sure to type in nautilus -q or nemo -q after installing seahorse encryption capability into your file manager.

Use GnuPG instead of VeraCrypt whenever possible. VeraCrypt is based upon TrueCrypt which is fairly safe, but it is a little bit buggy. VeraCrypt development is slow because it's a small project with limited funding and it's a third-party software application. GnuPG is built into most GNU/Linux distributions and you can download and install GnuPG for Microsoft Windows using GPG4WIN or Apple Macintosh OS X. GnuPG doesn't care about the specific file system that you choose to use on your disk drives. It's OS independent unlike TrueCrypt or VeraCrypt in the specific regard that you don't need to create an encrypted file container with a specific file system to use GnuPG whereas TrueCrypt and VeraCrypt do require that you choose an available file system. GnuPG is considerably more stable, reliable, and secure than TrueCrypt or VeraCrypt because it's based upon asymmetrical public and private key encryption. Furthermore, recent GnuPG versions support elliptic curve cryptography which is incrementally more robust and secure against modern cryptanalysis attacks compared to the classical public ciphers found in TrueCrypt or VeraCrypt. ECC is better than AES, Twofish, or Serpent by being mathematically more difficult to weaken. ECC is unbroken. AES is broken. Twofish is unbroken. Serpent is definitely unbroken. Yet, ECC is the future of cryptography and it will replace all three classical public ciphers in the next few decades for the foreseeable future.

Re: Best file/disk encryption methods

Post by Fred Barclay »

Thanks for the info. This must have taken a long time to put together. :)

I don't want to use anything other than Linux--actually, I don't really care for Linuxes that aren't Debian or Debian-based, with the exception of Arch. However, I travel a lot, and don't have a lappy, so I'm forced to use Windows at times. Even then, I usually carry a live USB with me and use it as much as possible. But sometimes the use of Windows is unavoidable. So NTFS or a similar file system is an unfortunate requirement.

Welly Wu wrote: ...choose a reliable hard disk drive manufacturer like Hitachi or Western Digital. Stay away from Seagate. It matters.

Why?
My only machine has a Seagate 250 GB hard drive. It's so old that I'm not likely to replace the hard drive; I'd prefer to save my money for a new computer--preferably a laptop (traveling, remember).

Welly Wu wrote: ...seriously consider a cloud based backup provider.

I'm surprised at this suggestion. I've seen from your posts that security is a point you stress often, and I'd have thought that you wouldn't recommend putting my files online. I'm not too comfortable with the idea myself. :?


I see you mention that encrypting attracts "spooks", but I already use TOR, so I've perhaps been looked at a few times already? On the subject, I've never heard of SelekTOR; I'll have to look into it. Generally I just use the Tor Browser Bundle.

I'm looking at VeraCrypt as the lesser of the poisons, I guess.
On the good side, I don't have anything to hide. But still, that doesn't mean that I want others to be able to see what I've got. Sort of like...my home has no illegal activities taking place in it, but I still have shades on the windows and locks on the doors. :)

Thanks again.
Fred

Re: Best file/disk encryption methods

Post by curtvaughan »

I'm a bit late on the uptake, but great thread! Lots of good info here. Thanks a lot.
Move from rim to hub: know the wheel.


Re: Best file/disk encryption methods

Post by Fred Barclay »

http://forums.linuxmint.com/viewtopic.php?f=18&t=186638

This looked interesting regarding TrueCrypt.

Re: Best file/disk encryption methods

Post by Ark987 »

Welly Wu wrote:....
Encryption is useless if an unauthorized person gets physical access to your assets at your work or home. Think about that first before you consider encryption software.
....
Welly Wu wrote: ...
Physical access equals root access. Remember that. If possible, relocate your physical assets like your PCs or your disk drives to a single room with a single access point and follow my recommendations.
Thanks man, I was always skeptical about disk encryption and was asking myself if I should start using it.... now I will never consider it anymore, at least not while living here in this weird country where 90% of the houses have huge crystal windows (a couch fits perfectly) with no other physical barrier.

There are 5 access points to reach my PC, the smallest access point is about 16 m², it is like I'm living on the street.