The best file encryption software in open source – group test

Keeping your secrets secret is an important consideration, so we have taken the four most popular encryption systems and ordered Linux User's chief group tester, Gareth Halfacree, to do what he does best. Which is the ultimate option? Read on…

Quick Links
LUKS – The Linux Unified Key Setup – and dm-crypt
eCryptfs – The Enterprise Cryptographic Filesystem

EncFS – A user-space encryption system
TrueCrypt – the only entry with a GUI
Final comments and winner revealed

LUKS – The Linux Unified Key Setup – and dm-crypt
With LUKS provided as standard in many distributions, it’s as good a place to start for encryption…

While LUKS isn’t just a means of encrypting a file system, that’s certainly its most common usage. Developed as a reference implementation of the TKS1 standard for secure key setup created by Clemens Fruhwirth, it’s possibly the most commonly used whole-disk encryption system around for Linux distributions.

The file system encryption portion of LUKS is handled by dm-crypt, which provides an encrypted target for the device-mapper infrastructure included in kernel 2.6 and above. Unlike some other products on test, LUKS doesn’t concern itself with the creation of encrypted files and folders: instead, it aims to encrypt entire filesystems.

The command ‘cryptsetup’ is used to control dm-crypt via LUKS

The upshot is that LUKS can be awkward to implement. While other packages on test, such as encfs or ecryptfs, are happy working with existing file systems, LUKS is aimed at encrypting an entire device – which results in the target file system being wiped when you create the encrypted volume. There are ways of creating a file rather than a device – most revolving around the use of loopback mounts – but it’s certainly not the intended use case for the package.
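The file-backed approach mentioned above, sketched as an added example that is not part of the original article. The paths, the mapping name and the DRY_RUN switch are assumptions made for illustration; with DRY_RUN=1 (the default) the commands are only printed, and running them for real needs root.

```shell
#!/bin/sh
# Added example: a LUKS container kept in a regular file instead of a whole device.
# IMG, NAME, MNT and SIZE_MB are hypothetical defaults; override them via the environment.
IMG="${IMG:-$HOME/vault.img}"
NAME="${NAME:-vault}"
MNT="${MNT:-/mnt/vault}"
SIZE_MB="${SIZE_MB:-256}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only, 0 = execute them (root required)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_container() {
    # luksFormat destroys whatever the target holds, so never reuse an existing file.
    if [ -e "$IMG" ]; then
        echo "refusing to overwrite existing $IMG" >&2
        return 1
    fi
    run truncate -s "${SIZE_MB}M" "$IMG"
    run chmod 600 "$IMG"
    # Given a regular file, cryptsetup attaches the loop device itself.
    run cryptsetup luksFormat "$IMG"      # asks for confirmation and a passphrase
    run cryptsetup open "$IMG" "$NAME"    # appears as /dev/mapper/$NAME
    run mkfs.ext4 "/dev/mapper/$NAME"     # the file system lives inside the mapping
    run cryptsetup close "$NAME"
}

open_container() {
    run cryptsetup open "$IMG" "$NAME"
    run mkdir -p "$MNT"
    run mount "/dev/mapper/$NAME" "$MNT"
}

close_container() {
    # Unmount first; only closing the mapping removes the key from the kernel.
    run umount "$MNT"
    run cryptsetup close "$NAME"
}

case "${1:-}" in
    create) create_container ;;
    open)   open_container ;;
    close)  close_container ;;
esac
```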

The plus side to the tight integration of dm-crypt and LUKS into the Linux kernel is improved distribution support: in many distributions, a LUKS-encrypted device is automatically detected and can be mounted with a single click and the entry of the password. In other words: the time you spent setting it up can be saved when it comes to using the encrypted file system.

The low level at which dm-crypt and LUKS operate can sometimes lead to confusion

As with the other encryption technologies on test, LUKS is designed in such a way that the unencrypted data is never written to the disk: instead, it is encrypted and decrypted as it’s read and written. While this means that security is kept at a maximum, there is a performance penalty to pay. Thankfully, on a modern system that shouldn’t be too onerous: while small-file performance took a hit – a test in which we copied 500 128KB files to the target volume – the throughput in copying a large file to the encrypted volume was only slightly slower than using no encryption at all.

As with any software-based encryption system, however, there is a trade-off: as you encrypt and decrypt data, the system CPU will be loaded. If you’re running a slower system – especially one with only a single processing core – you may find general performance impacted as the system works the cryptography engine.

LUKS and dm-crypt integrate well with most Linux desktops

Linux User Verdict
Installation: 8/10
With the kernel support already compiled into most distributions, LUKS is easy to install and set up for most users.
Features: 6/10
While LUKS offers plenty of scope for adjustment, many options are hidden away from the user.
Ease of use: 4/10
LUKS is the hardest software on test to set up, and usually requires the intervention of a root account.
Performance: 8/10
While there’s a definite performance hit, LUKS is still fast enough for system-wide use.

Overall: 3/5
LUKS is an impressive piece of software, but would benefit from a guided configuration mode like encfs or ecryptfs.
