Disk encryption creates encrypted partitions on hard drives, or creates virtual encrypted disks within a file. Once encrypted, the data stored on a partition requires a password to access.
Here is a list of the best disk encryption software:
- VeraCrypt is open-source and code audited, works on Mac and PC, and allows creation of encrypted containers or whole-disk encryption
- Bitlocker is built into Windows, is not open-source, only encrypts full disks, and has no plausible deniability mechanism
- DiskCryptor is an open-source alternative to Bitlocker for Windows. It encrypts disk partitions and its bootloader can be installed externally
- FileVault 2 is built into Mac OSX Lion and later, only allows full disk encryption, and is not open source
- LUKS2 is an open-source option for Linux, supports multiple algorithms, but does not offer much support for non-Linux systems
1. VeraCrypt
VeraCrypt performs all of the same functions as the-now-discontinued TrueCrypt and then some. VeraCrypt adds security to the algorithms used for system and partitions encryption. These improvements make it immune to new developments in brute-force attacks, according to developers.
VeraCrypt uses 30 times more iterations when encrypting containers and partitions than TrueCrypt. This means it takes a bit longer for the partition to start up and containers to open, but does not affect application use.
VeraCrypt is free and open source, and it always will be. The code is routinely audited by independent researchers. Because it is, at its core, very similar to TrueCrypt, audits of the original software still apply to VeraCrypt.
VeraCrypt supports two types of plausible deniability–the existence of encrypted data is deniable because an adversary cannot prove that unencrypted data even exists. Hidden volumes reside in the free space of visible container volumes–space which would otherwise be filled with random values if the hidden volume did not exist. Hidden operating systems exist alongside visible operating systems. If an adversary forces you to hand over a password, you can just give them the password for the visible OS.
2. Bitlocker
Bitlocker is popular Windows-only software that’s been around since 2007. It’s used to encrypt entire volumes using the AES encryption algorithm with a 128- or 256-bit key. Unlike VeraCrypt, Bitlocker cannot create encrypted containers. Entire partitions must be encrypted at once.
While this approach works for some people, keep in mind that if you leave your computer logged in and someone else uses it, all of your files will be visible. Windows has a separate encryption system called EFS (encrypted file system) for encrypting single files and folders, but these are also unlocked whenever the user is logged in.
Bitlocker is not open source, which means the public cannot inspect it for backdoors. Due to Microsoft’s friendly relationship with the NSA, this could be a deal-breaker for many. Concerns were also raised when Microsoft removed the Elephant Diffuser–a feature that prevents encrypted disk modification–for performance reasons.
Bitlocker does not have a plausible deniability mechanism, although you could make the argument that the contents of your hard drive were modified because of the missing Elephant Diffuser. That’s a stretch, though.
Bitlocker verifies that attackers haven’t modified the software used to boot the computer. Note that Bitlocker isn’t available on Windows 11 Home edition. You’ll need Windows 11 Pro, Enterprise, or Education editions to use it.
Related post: Best Database Encryption Tools
3. DiskCryptor
DiskCryptor is an easy-to-use open-source disk encryption tool for Windows. It’s lightweight, free, and allows users to encrypt disk partitions. The software’s development has been reinstated as of 2020.
DiskCryptor uses 256-bit AES, Twofish, Serpent or a combination of cascaded algorithms in XTS mode to carry out encryption. It’s not the fastest at encryption, though you can still use your computer while DiskCryptor is running.
Plausible deniability is possible as DiskCryptor allows users to install the bootloader on an external device — such as CDs, DVDs, or thumb drives. Without the bootloader, the encrypted contents of a computer’s hard drive look like blank space with random data. The downside to this approach is you must always use the CD or USB bootloader to start the computer and decrypt data.
4. FileVault 2
FileVault 2 is Apple’s answer to Bitlocker. First launched with OSX Lion, the Mac-only software uses an AES-XTC 128-bit algorithm for full disk encryption. The user’s login password is used as the encryption key.
Similar to Bitlocker, FileVault 2 has no option to create encrypted containers. That means once you’ve logged into your Macbook, all of the hard drive’s data is unencrypted and visible until the system is powered down.
Another shared similarity to Bitlocker: FileVault 2 is not open source. That means it cannot be audited by the public and may contain backdoors.
5. LUKS2
For Linux users, LUKS2 is based on cryptsetup and uses dm-crypt as the disk encryption backend. Short for Linux Unified Key Setup, LUKS2 specifies a platform-independent standard on-disk format for use in various tools.
LUKS2 doesn’t have all the features of VeraCrypt or other options, but it offers more flexibility when it comes to encryption algorithms. It improves on the original LUKS by using the Argon2 key derivation function by default and by featuring resilience to header corruption.
LUKS2 featuring resilience to header corruption, and using the Argon2 key derivation function by default, whereas LUKS1 uses PBKDF2
LUKS2 doesn’t travel well between operating systems and only really works well for Linux, although Windows users can access LUKS-encrypted disks using LibreCrypt.
LUKS2 does not support plausible deniability.
Is TrueCrypt secure?
TrueCrypt was a popular means of disk encryption on both Mac OSX and Windows operating systems with millions of users.
After its anonymous developers ditched TrueCrypt under somewhat mysterious circumstances, theories swirled about potential security flaws that could compromise users’ data. The most damning came from Google’s Project Zero security team, which uncovered two previously unknown vulnerabilities. One of them allows an application running with normal user privileges to escalate those privileges to an administrative level.
In 2015, the Fraunhofer Institute for Secure Information Technology conducted a formal audit of the last stable release of TrueCrypt. The 77-page report found several other bugs in TrueCrypt, but ultimately determined that the software is secure when used for its primary use case. That is, to encrypt data at rest such as on an external hard drive or USB drive. The Institute acknowledged that the bugs uncovered by Google do exist, but they can not be exploited to give attackers access to encrypted data.
While encrypting data on an external drive got the Institute’s all clear, the same task on a computer’s memory or a mounted drive did not. If a drive is mounted, the key used to encrypt data is stored in the computer’s memory. That key can be recovered and used to decrypt data at a later time.
Still, the likelihood of a hacker taking advantage of these circumstances is pretty slim. Either the encrypted container must be mounted, in which case the decrypted data is available anyway, or the computer must go into hibernation with the encrypted container mounted. If someone accesses a computer while an encrypted container is open, then that’s game over anyway. Otherwise, users must not allow computers with encrypted, mounted drives to hibernate while an encrypted container is open.
Should I use TrueCrypt?
If you have an older system with one of the original versions of TrueCrypt installed, and you’re not using it on mounted drives, you should be in the clear barring the unlikely scenarios above. TrueCrypt is slightly less secure for mounted drives for the reasons described above.
But if you don’t already have TrueCrypt, then downloading and installing it now could put you at risk. Remember that the software was officially discontinued over two years ago, and hasn’t officially been available for download since. While some websites and torrents claim to offer a genuine copy of TrueCrypt for download, there’s little means to know whether it has been tampered with, especially if you’re not a software expert.
Some users point to archived copies available on Github, where the code can be freely audited. But most of those repositories haven’t been audited by experts because doing so is a time-consuming and costly procedure. The Open Crypto Project says one Github repository, a copy of TrueCrypt 7.1, is verified.
While there’s no evidence to support such a claim, some users say the security of TrueCrypt contains backdoors for government officials.
If you’re really set on using TrueCrypt, that’s probably your best bet. But we recommend trying a newer alternative. Some of these disk encryption tools are forks of the original TrueCrypt, while others were developed separately.
A note on plausible deniability
Don’t pick your encryption software based on its plausible deniability mechanism. While it’s a nice bonus, it’s a weak defense.
In terms of disk encryption, plausible deniability means no one can prove there is encrypted data on your computer because the encrypted data looks the same as no data at all–just random noise.
The problem is that the noise can look a little too random, and a keen expert can spot other signs that a disk has been encrypted (this is called “entropy analysis”). The debate of whether plausible deniability would actually hold up either in a court of law or a torture chamber is highly debatable.
Use a VPN to encrypt data in transit
Disk encryption will protect your data while it’s at rest on your computer or external drive, but it won’t provide any protection for that data while it’s transmitted across the internet. For that, you’ll need a VPN.
Short for virtual private network, a VPN encrypts all of a device’s internet traffic and routes it through a server in a location of your choosing. The encrypted tunnel protects data in transit from your ISP and anyone else on the local network who may be snooping. After it leaves the VPN server, it’s no longer encrypted, but all the traffic comes from the server’s IP address instead of your own. The server IP is typically shared by dozens or even hundreds of users, making your activity effectively anonymous. You can see our pick of the best VPN providers here.
“Bank vaults under Hotels in Toronto, Ontario” by Jason Baker licensed under CC BY 2.0