Hard Disk Encryption

From InfoAnarchyJump to:navigation, search

See also: Security | Cryptography | Encrypting Your… | Cryptography/Attacks | Undelete Attack

AKA: Volume Encryption, aka OTFE

A secure container file on a disk, meant to hide information that, when opened with a password, is treated as a separate disk (for instance the H: drive). This is preferable to normal file encryption as the operations of encryption and decryption are transparent to the user.

This software is popular on laptops, which are often stolen and can carry sensitive financial information.

A comprehensive comparison of all disk encryption systems available (for multiple operating systems) can be found at On-The-Fly Encryption: A Comparison


How it works

Hard Disk Encryption programs run a memory-resident program is in the background, acting as an interpreter between the container file and the rest of the computer. Without the memory resident program and password, the file is indistiguishable from random data.

If the program is shut down, hard drive is removed suddenly, or system turned off, the volume is secure depending on the underlying filesystem. These days, filesystems support journaling and atomic writes hence this is of little concern.

Most implementations are vulnerable to dictionary attacks though. Also, if the source is not open, one is arguably more vulnerable because it is not known to the public how the program exactly works. It could be backdoored.



  • FreeOTFEFree, open-source, software encrypts partitions, devices (USB memory sticks, etc.) or creates encrypted file-hosted containers. This is the only disk encryption system which doens’t need administrator rights to use. Supports “hidden” volumes and provides plausible deniability. Supports backup of critical information needed to restore volumes. Linux compatibility (both Cryptoloop “losetup”, dm-crypt and LUKS). Works under Windows 2000/20003/XP/Vista PCs and Windows Mobile 2003/2005 PDAs
  • TrueCryptFree, open-source, software based on E4M. Provides plausible deniability (see “hidden” volumes). Encrypts partitions, devices (USB memory sticks, etc.) or creates encrypted file-hosted containers. Supports Windows XP/2000/2003 and Linux. AES-256, Twofish and Serpent, and a number of combinations of them.
  • Cyptainer LE – easy-to-use, nag-free commercial software but with a size limit of 25 megs. Negatively, runs as a system service even when not enabled. Advanced users with administrative access may wish to set to the system service to “Manual” under “Control Panel – Administrative Tools – Services”.
  • Digital Vault – Easy to use software that can encrypt, hide and password protect an unlimited number of files and folders. It also allows the ability to create multiple “vaults” with individual passwords, in addition to providing 256 bit Blowfish Encryption. Can be used on a variety of removable media types such as USB pen drives and removable hard drives. Additionally, it can be used to create “vault” backups and email encrypted files.
  • Bestcrypt – Commercial versions for Windows and Linux. Very stable. Modules for all major encryption algorithms. Finland (not USA) origins.
  • SafeGuard Easy – Commercial version for Windows. Encrypts the entire disk with pre-boot authentication
  • SafeGuard PrivateDisk – Commercial versions for Windows Personal and Enterprise Edition (with centralized management for enterprise customers)
  • PGP Disk 6.0.1 – A free but problematic program for Windows and Macintosh OS 8 and 9, taken from an old version of commercial PGP. Must install on an NTFS-only format disk or may restrict users to the FAT file system and require short file names (FAT32 will not work). If so, use ZIP files to avoid losing long file names.
  • CrossCryptFree Software, open-source implementation of AES and Twofish for Windows 2000/XP. Compatible with Linux AES/Twofish. Requires some command-line interaction or download of a GUI Front-End: CrossCryptGUI
  • E4M – Encryption for the Masses. Freeware product (no longer being developed) for Windows NT.
  • Dekart Private DiskAES encryption, flexible and easy to use – Shareware – 95/98/ME/NT/2000/XP. Allows securing hard disks and USB flash disks, runs from USB disk with no host PC installation. Provides innovative Disk Firewall mechanism – protecting access to the encrypted disk application by application. Disk firewall allows creating a white list of applications allowed to access the encrypted disk making sure that no trojans or any spyware will harm the secured data. Encrypted Disk Firewall – additional protection of confidential information
  • The Bat! Private DiskShareware, (appears to be the same or the same as Dekart Private Disk). AES on-the-fly encryption. Super fast, easy to use. Size Limit: 2GB for Windows 95/98/ME and up to 4TB for Windows NT/2000/XP. A Google search showed that this software has not been reviewed by any outside shareware service.
  • PGP Disk 8.0 – commercial version for Windows and OS X
  • Scramdisk (free for Windows 9x but not the Windows NT series (2000, XP, etc).
  • SFS – Outdated, free, secure File System for DOS/Windows. Requires some configuration. Has not been updated since September of 1996.
  • DriveCrypt – 1344 Bit Military Strength hard disk encryption for Windows
  • DriveCrypt Plus Pack – Encrypts the whole operating system
  • ShareCrypt – Protects sensitive data on shared disks or folders allowing simultaneous access to different users.
  • CryptoExpert 2004 PE – A highly-rated commercial disk encryption tool. A professional version also available.
  • SecureDriveFree, open-source, system for DOS/Windows. Has not been updated since about 1996.
  • CryptoDisk – Easy to use tool for creating and managing virtual encrypted disks. Uses AES and Blowfish.
Notes about Windows security:
  • Native Folder Encryption: Although Windows XP Professional and possibly some versions of Windows 2000 provide folder encryption with NTFS filesystems, they should be considered only a very basic solution. The Window’s native encryption is far easier to bypass than the software listed below. (See: Windows XP.)
  • Hard Disk Encryption is not the only solution to data security in Windows:
  • One of the most important parts is clearing the pagefile on shutdown to delete information you only thought was located in your encrypted volumes. Editing your registry is one option and XP-antispy is another. Doing so may slow the shutdown process but but will also improve overall system speed.
  • Software for cleaning up Windows entirely such as Window Washer or other items.


Important note for Windows Mobile 6.0 users: The encryption system included as part of WM 6.0 stores its encryption keys in the PDA’s internal flash memory. If the device is cold booted (hard reset), then your keys are lost. This means that all encrypted information stored on the card will no longer be accessible. None of the software listed below has such a limitation!

  • FreeOTFE4PDAFree, open-source, supports “hidden” volumes and provides plausible deniability. Works under Windows Mobile PDAs – a PC version also available for Windows 2000/2003/XP/Vista.
  • SecuBox for Pocket PC – AES 256-bit encryption solution for Windows CE handhelds and Windows Mobile PDAs/PDA Phones. Creates encrypted volumes that appear as storage cards in Windows Mobile File Explorer.

Mac OS

Note: OS X version 10.3+ allows for integrated encryption of one’s home directory.

For UNIX-like systems

  • TrueCrypt – Free, open-source, based on E4M. Provides plausible deniability (see “hidden” volumes). Encrypts partitions, devices (USB memory sticks, etc.) or creates encrypted file-hosted containers. Supports Windows XP/2000/2003 and Linux. AES-256, Twofish and Serpent and a number of combinations of them.
  • Crypto File System (an encrypting file system for Unix-like OSs) — The FS code dates back to 1989, and the crypto to 1992.
  • Bestcrypt – Commercial versions for Windows and Linux. Very stable. Modules for all major encryption algorithms. Finland (not USA) origins.
  • CryptoAPI The GNU/Linux Crypto API
  • StegFS – a steganographic file system for Linux. More than just encryption, also allows one to hide (parts of) data. Be aware that only using StegFS doesn’t provide a secure hiding, additional precautions should be taken; see the FAQ on the site. Currently for Linux 2.2 only.
  • TCFS – Transparent Cryptographic File System is a transparent filesystem for both transparent local and transparent network encryption. It is supported by Linux 2.0/2.2, NetBSD and OpenBSD — Has not been updated since late 2002.
  • EncFS – User-space encrypted filesystem implementation for Linux 2.4 & 2.6. It has some advantages over other implementations, namely the dynamic size. Other (dis)advantages are stated on the homepage as well as a comparison between EncFS and other encrypted filesystem implementations on site.
  • Loop-AES – Uses AES to encrypt partitions under GNU/Linux. Fairly simple and effective. Loop-AES containers can also be mounted under MS Windows using FreeOTFE. No real homepage, so try http://sourceforge.net/projects/loop-aes
  • dm-crypt / LUKS – CryptoLoop’s successor. For Linux. dm-crypt containers can also be mounted under MS Windows using FreeOTFE
  • cgd – cryptographic device driver for NetBSD. Unlike other implementations, not vulnerable to dictionary attacks. Here is a extensive PDF article concerning CGD by the authors.
  • vncrypt – FreeBSD container encryption – Uses AES-Rijndael encryption in CBC mode. Utilizes FreeBSDs vnode pseudo disk device support. Is available through the ports collection.
  • GEOM Based Disk Encryption (gbde) FreeBSD encryption – encrypts the sector payload using 128-bit AES in CBC mode. Each sector on the disk is encrypted with a different AES key. gbde transparently encrypts entire file systems. Mounts just like another drive. View the FreeBSD handbook for instructions.
  • vnconfig under OpenBSD to configure a svnd (pseudo-drive) encrypted with Blowfish.


Related Links

TakeDown.NET -> “http://takedown.net/Hard-Disk-Encryption&oldid=17406Category: