Best File & Disk Encryption Tools for Linux

As we rapidly transition to an increasingly digital society, data protection is a greater concern than ever before. Encryption is one of the most effective and widely used methods of securing sensitive information from unauthorized parties. In this article, we'll introduce you to some Linux file and disk encryption tools we love to help you safeguard critical data and protect your privacy online. 

Linux File Encryption: A Foundation of Modern Data Security

Attackers are becoming increasingly creative in the methods they are employing to gain access to sensitive information that can be monetized for personal gain. While almost 85% of malware attacks target Windows systems and Linux offers inherent security advantages over Windows or MacOS due to its transparent open-source code, strict user privelege model and architectural diversity, Linux is becoming an increasingly popular attack target due to its growing popularity and the high-value devices it powers worldwide.

Our Favorite File & Disk Encryption Software for Linux

WinMagic SecureDoc for Linux

SecureDoc for Linux is a Linux endpoint security solution that provides enterprise-class full drive encryption for Linux endpoints by separating encryption into two components - encryption and key management. The defense-in-depth solution works seamlessly with Linux native encryption, building on the capabilities available in Linux (such as dm-crypt) to provide an overarching layer of manageability, visibility, and automation that scales at an enterprise level and facilitates compliance.

SecureDoc for Linux supports a Zero Trust strategy, tackling the challenges associated with implementing Zero Trust recommendations by allowing initial live conversion of disk permitting admins and users to log in and work on the machine while encryption occurs. SecureDoc also reduces IT management costs by enabling a pre-boot network-based authentication as an additional security measure to ensure data on drives is never left unprotected during boot-up. In addition, SecureDoc provides damage control for lost or stolen devices by removing keys to ensure data cannot be accessed even with the right credentials.

Some of the core features of SecureDoc for Linux include:

• Live disk conversion allows admins and users to log in and work on the machine while encryption occurs.
• Removes the need to clear the disk and reinstall the operating system before commencing encryption
• Encryption statuses are monitored and available centrally in a single pane of glass admin portal.
• SecureDoc enables pre-boot network-based authentication as an additional security measure to ensure data on drives is never left unprotected during boot-up.
• Supports Smart Card based MFA at pre-boot (e.g., PIV cards)
• SD Linux makes it easy for AD and Azure AD users to log into encrypted devices.
• Login to encrypted devices without having to be pre-provisioned for access on the device.
• SecureDoc Enterprise Server provides a simple central management for all OS endpoints, including Linux, Windows, and Mac.

CryFS

CryFS is a free and open-source cloud-based tool that lets you encrypt your files and store them anywhere. Setting it up is a breeze and it is compatible with popular cloud services like Dropbox, iCloud, OneDrive, among many others. CryFS works in the background - so you won’t notice it when accessing your files.  

This tool doesn’t just encrypt your files- it also encrypts your file sizes, metadata, and directory structure.

The base directory contains a configuration file with the information CryFS requires to decrypt it. This configuration file is encrypted twice: once with aes-256-gcm and once with your chosen password. This same password will also be used for integrity checks. 

Cryptmount

Cryptmount is a user-friendly open-source disk encryption tool that lets beginners encrypt a specific filesystem without requiring superuser privileges. It uses the dev mapper mechanism, which offers several advantages such as improved functionality in the kernel, transparent support for filesystems stored on either raw disk partitions or loopback files, separate encryption of filesystem access keys which allows access passwords to be changed without re-encrypting the entire filesystem, as well as the ability to store multiple encrypted filesystems within a single disk partition using a designated subset of blocks for each. 

Cryptmount not only allows users to protect important filesystems, but also makes it possible to swap system space. Multiple encrypted filesystems can be “mounted”, or made active, or “unmounted”, or deactivated, depending on the users’ immediate needs. This is particularly useful when working in an encrypted environment, but not wanting to mess around with your system’s inbuilt partitions.

You can learn how to install and configure Cryptmount on your Linux system in this Tecmint tutorial.

Cryptsetup

Cryptsetup is an open-source utility made to easily allow users to set up disk encryption basedon the DMCrypt kernel module. This module includes plain dm-crypt volumes, LUKS volumes, loop-AES, TrueCrypt (including VeraCrypt extension), and BitLocker formats.

It uses the standard LUKS (Linux Unified Key Setup) design to protect against low entropy attacks and provide multiple keys support and effective passphrase revocation. The use of LUKS also allows compatibility among distributions as well as multiple password security. LUKS stores all necessary setup information in the partition header, allowing users to easily transport or migrate data.

Dm-crypt

Dm-crypt, which operates under the GNU General Public License (GPL), is great for encrypting entire disks of information, including removable media such as USB sticks, internal OS partitions and individual files. Some Linux distributions even allow Dm-crypt to encrypt and secure root system files. Because Dm-crypt only deals with transparent encryption of block devices, it is much more flexible than other encryption tools.

One particularly great feature of the dm-crypt system is that it doesn’t have to work directly with a disk driver. Instead, it can save all data to a single file as opposed to using LUKS and a whole disk partition. Thus, you can have dm-crypt create a single file within which you could create an entire filesystem. Then you can mount that single file as a separate drive, and then access it from any piece of software - just like you would any other drive.

eCryptfs

eCryptfs is a free, open-source, cryptographic filesystem for Linux. You can think of it as “GnuPG (introduced below) as a filesystem”. 

The filesystem stores cryptographic metadata in each file’s header, which allows for the copying of encrypted files between hosts. These encrypted files can then be decrypted with the corresponding key in the Linux kernel keyring. 

This tool has been part of the Linux kernel since version 2.6.19 and is used in Google Chrome, as the basis for Ubuntu's Encrypted Home Directory and in several network-attached storage (NAS) devices.

GnuPG

GnuPG (aka GPG or Gnu Privacy Guard) is a free and open-source implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). It was engineered to replace Symantec’s PGP cryptographic software suite.

This tool supports several types of encryption algorithms including public-key cryptography (RSA EIGamal, DSA), symmetrical key algorithms (Blowfish, AES, IDEA, etc), cryptographic hash functions (RIPEMD, SHA) and compression (ZIP, ZLIB, BZIP2).

GnuPG also lets you encrypt and decrypt files from the command line and comes with a collection of frontend applications and libraries. Additionally, it features a versatile key management system along with access modules for a wide range of public key directories.  

Gostcrypt

Gostcrypt, a fork of the now discontinued Truecrypt project, is a free and open-source cryptographic tool for Linux, Windows and MacOS. It currently uses the GOST 28147-89 algorithm, but is planning to move to GOST Grasshopper since the release of version 1.3.1.

The Grasshopper algorithm aims to supersede the current GOST 28147-89 algorithm (64-bit block and 256-bit key, Feistel structure). Unlike the GOST 28147-89 algorithm, GOST Grasshopper belongs to the SPN (Substitution Permutation Network) family. This features 128-bit blocks (plaintext, ciphertext) and a 256-bit master key from which 10 128-bit subkeys can be derived. 

TOMB

TOMB is a free and open-source encryption and backup tool for GNU/Linux systems. It’s written in easy-to-review code, linking commonly-shared components, and is popular among Linux user-developers for this reason. TOMB is touted as one of the best file encryption software options available for Linux today. 

It creates encrypted storage folders that can be opened and closed with their respective key files (which are also password-protected). A “tomb” is a locked and safely-transportable folder hidden in a filesystem. These tombs can be separated, for instance, your tomb file can be kept on your hard disk and the key files in a USB stick. 

Unfortunately, Tomb does not have a graphical user interface (GUI), and relies on Command Line input in order to function.

Protect Your Data Today

Data privacy has always been a pressing concern, but never been more critical than in today’s work-from-home environment. While Linux systems enjoy built-in security and privacy due to the system’s open-source nature, architectural diversity and strict user privilege model, this doesn’t mean that your files are safe in the event that your system gets hacked. If you want to keep your private files private, try out one of the eight excellent file and disk encryption tools for Linux covered in this article.  

Edited by Brittany Day, LinuxSecurity.com Content Editor and Guardian Digital, Inc. Director of Communications.