Encryption Software

Encryption of data is the only way to control who can access it. If you are currently not using encryption software for your hard disk, emails, or files, you should pick an option here.

Multi-platform

The options listed here are multi-platform and great for creating encrypted backups of your data.

VeraCrypt

Recommendation

VeraCrypt logo

VeraCrypt is a source-available freeware utility used for on-the-fly encryption. It can create a virtual encrypted disk within a file, encrypt a partition, or encrypt the entire storage device with pre-boot authentication.

Homepage

Downloads

VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.

When encrypting with VeraCrypt, you have the option to select from different hash functions. We suggest you only select SHA-512 and stick to the AES block cipher.

TrueCrypt has been audited a number of times, and VeraCrypt has also been audited separately.

Cryptomator

Recommendation

Cryptomator logo

Cryptomator is an encryption solution designed for privately saving files to any cloud provider. It allows you to create vaults that are stored on a virtual drive, the contents of which are encrypted and synced with your cloud storage provider.

Homepage Privacy Policy

Downloads

Cryptomator utilizes AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt some metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.

Some Cryptomator cryptographic libraries have been audited by Cure53. The scope of the audited libraries includes cryptolib, cryptofs, siv-mode and cryptomator-objc-cryptor. The audit did not extend to cryptolib-swift, which is a library used by Cryptomator for iOS.

Cryptomator's documentation details its intended security target, security architecture, and best practices for use in further detail.

Picocrypt

Recommendation

Picocrypt logo

Picocrypt is a small and simple encryption tool that provides modern encryption. Picocrypt uses the secure XChaCha20 cipher and the Argon2id key derivation function to provide a high level of security. It uses Go's standard x/crypto modules for its encryption features.

Project Info

Downloads

OS Full Disk Encryption

Modern operating systems include FDE and will utilize a secure cryptoprocessor.

BitLocker

Recommendation

BitLocker logo

BitLocker is the full volume encryption solution bundled with Microsoft Windows. The main reason we recommend it is because of its use of TPM. ElcomSoft, a forensics company, has written about it in Understanding BitLocker TPM Protection.

Overview

BitLocker is only supported on Pro, Enterprise, and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.

Enabling BitLocker on Windows Home

To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a GUID Partition Table (GPT) and a dedicated TPM (v1.2 or 2.0+) module.

  1. Open Windows PowerShell (search the Start menu for "PowerShell").

  2. Check the partition table format of the system disk:

    # PartitionStyle is 'GPT', 'MBR' or 'RAW'; this form works in both Windows PowerShell 5.1 and PowerShell 7
    if ((Get-Disk 0).PartitionStyle -eq 'GPT') { echo "This is a GPT system disk!" }
    

  3. Check the TPM version. The value returned must be "3 True", and the spec version must be 1.2 or above:

    Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm | findstr "IsActivated IsEnabled IsOwned SpecVersion"
    

  4. Access Advanced Startup Options. Reboot while pressing the F8 key before Windows starts, then open the command prompt via Troubleshoot > Advanced Options > Command Prompt.

  5. Log in with an account that has admin privileges and type this to start encryption:

    manage-bde -on c: -used
    

  6. Close the command prompt, and enter into PowerShell:

    manage-bde c: -protectors -add -rp -tpm
    manage-bde -protectors -enable c:
    # PowerShell does not expand %UserProfile%; use the $env: drive instead
    manage-bde -protectors -get c: > $env:UserProfile\Desktop\BitLocker-Recovery-Key.txt
    

    Warning

    Back up BitLocker-Recovery-Key.txt on a separate storage device. Loss of this recovery code may result in loss of data.
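The prerequisite checks in steps 2 and 3 above, gathered into one PowerShell function that tests typed properties instead of grepping console output. This is an added example, not code from the original page or from Microsoft; it assumes an elevated Windows session with the Storage and TrustedPlatformModule modules available (both ship with Windows).

```powershell
# Added example (not from the original page): verify the BitLocker-on-Home
# prerequisites named above -- a GPT system disk and a present, enabled and
# activated TPM at spec 1.2 or newer. Run from an elevated PowerShell.
function Test-BitLockerPrereqs {
    param([int]$DiskNumber = 0)

    # Get-Disk exposes PartitionStyle directly: 'GPT', 'MBR' or 'RAW'.
    $disk  = Get-Disk -Number $DiskNumber
    $isGpt = ($disk.PartitionStyle -eq 'GPT')

    # Win32_Tpm lives in its own WMI namespace. SpecVersion is a string such as
    # "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the TPM spec version.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $specVersion = $null
    $specOk      = $false
    if ($tpm) {
        $specVersion = $tpm.SpecVersion
        $major       = ($specVersion -split ',')[0].Trim()
        $specOk      = ([version]$major -ge [version]'1.2')
    }

    # Get-Tpm reports readiness; manage-bde cannot add a TPM protector unless
    # the module is present, enabled and activated.
    $state    = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = [bool]($state -and $state.TpmPresent -and
                       $state.TpmEnabled -and $state.TpmActivated)

    [pscustomobject]@{
        Disk              = $DiskNumber
        GptSystemDisk     = $isGpt
        TpmSpecVersion    = $specVersion
        TpmSpecOk         = $specOk
        TpmReady          = $tpmReady
        ReadyForBitLocker = ($isGpt -and $specOk -and $tpmReady)
    }
}

Test-BitLockerPrereqs | Format-List
```

If ReadyForBitLocker is False, the individual fields show which prerequisite (partition style, TPM spec level or TPM state) needs attention before continuing with step 4.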

FileVault

Recommendation

FileVault logo

FileVault is the on-the-fly volume encryption solution built into macOS. FileVault is recommended because it leverages hardware security capabilities present on an Apple silicon SoC or T2 Security Chip.

Article

We recommend storing a local recovery key in a secure place as opposed to utilizing iCloud FileVault recovery. As well, FileVault should be enabled after a complete macOS installation as more pseudorandom number generator (PRNG) entropy will be available.

Linux Unified Key Setup

Recommendation

LUKS logo

LUKS is the default FDE method for Linux. It can be used to encrypt full volumes, partitions, or create encrypted containers.

Project Wiki

Creating and opening encrypted containers

dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
sudo cryptsetup luksFormat /path-to-file

Opening encrypted containers

We recommend opening containers and volumes with udisksctl as this uses Polkit. Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like udiskie can run in the system tray and provide a helpful user interface.

udisksctl loop-setup -f /path-to-file
udisksctl unlock -b /dev/loop0

Remember to back up volume headers

We recommend you always back up your LUKS headers in case of partial drive failure. This can be done with:

cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img

Browser-based

Browser-based encryption can be useful when you need to encrypt a file but cannot install software or apps on your device.

hat.sh

Recommendation

hat.sh logo

Hat.sh is a web application that provides secure client-side file encryption in your browser. It can also be self-hosted and is useful if you need to encrypt a file but cannot install any software on your device due to organizational policies.

Homepage

Downloads

Command-line

Tools with command-line interfaces are useful for integrating with shell scripts.

Kryptor

Recommendation

Kryptor logo

Kryptor is a free and open source file encryption and signing tool that makes use of modern and secure cryptographic algorithms. It aims to be a better version of age and Minisign to provide a simple, easier alternative to GPG.

Homepage Privacy Policy

Downloads

Tomb

Recommendation

Tomb logo

Tomb is a command-line shell wrapper for LUKS. It supports steganography via third-party tools.

Homepage

Downloads

OpenPGP

OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is complex as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.

When encrypting with PGP, you have the option to configure different options in your gpg.conf file. We recommend staying with the standard options specified in the GnuPG user FAQ.

Use future defaults when generating a key

When generating keys, we suggest using the future-default command, as this will instruct GnuPG to use modern cryptography such as Curve25519 and Ed25519:

gpg --quick-gen-key alice@example.com future-default

GNU Privacy Guard

Recommendation

GNU Privacy Guard logo

GnuPG is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF specification of OpenPGP. The GnuPG project has been working on an updated draft in an attempt to modernize OpenPGP. GnuPG is a part of the Free Software Foundation's GNU software project and has received major funding from the German government.

Homepage Privacy Policy

Downloads

GPG4win

Recommendation

GPG4win logo

GPG4win is a package for Windows from Intevation and g10 Code. It includes various tools that can assist you in using GPG on Microsoft Windows. The project was initiated and originally funded by Germany's Federal Office for Information Security (BSI) in 2005.

Homepage Privacy Policy

Downloads

GPG Suite

Note

We suggest Canary Mail for using PGP with email on iOS devices.

Recommendation

GPG Suite logo

GPG Suite provides OpenPGP support for Apple Mail and macOS. GPG Mail costs $24€ yearly for their support plan and includes a 30-day trial. For more details see the FAQ.

We recommend taking a look at their First steps and Knowledge base for support.

Homepage Privacy Policy

Downloads

OpenKeychain

Recommendation

OpenKeychain logo

OpenKeychain is an Android implementation of GnuPG. It's commonly required by mail clients, such as K-9 Mail, and other Android apps to provide encryption support. Cure53 completed a security audit of OpenKeychain 3.6 in October 2015. Technical details about the audit and OpenKeychain's solutions can be found here.

Homepage Privacy Policy

Downloads

Last update: May 19, 2022