7 best Linux apps for disk encryption

Last Updated on May 24, 2024 by Jhonni Jets

Disk encryption is an essential security measure for keeping sensitive data private and safe. With Linux offering a wide variety of encryption options, choosing the right tool can seem overwhelming. This guide covers the 7 best Linux apps for encrypting your system disks and removable media. We’ll look at features, use cases, and setup requirements to help you select the solution that best fits your needs.

Encrypting disks protects data even if storage devices are lost or stolen. Whole disk encryption locks down every file on boot volumes and external drives. This prevents unauthorized access if devices fall into the wrong hands. Removable media encryption secures portable drives and removable disks like USB keys and SD cards.

For desktop users, disk encryption adds an important layer of protection with little performance impact on modern hardware. Servers, laptops, and workstations holding sensitive client data especially benefit from requiring a passphrase to access files. Encryption also satisfies compliance and privacy regulations in industries like healthcare and finance.

Linux offers disk encryption options configured during installation or added afterward. Free software solutions are fully open source while certain desktop environments include easy setup wizards. Command line tools provide flexibility while graphical utilities simplify the process. This guide highlights the top encryption apps across different use cases to help you choose one that fits your setup.

LUKS (Linux Unified Key Setup)

The granddaddy of Linux disk encryption is LUKS (Linux Unified Key Setup). First developed in 2004, LUKS has become the de facto standard for whole disk and partition encryption on Linux systems. It works at the block device level below the filesystem to transparently encrypt entire drives or partitions.

Setting up LUKS requires use of the command line cryptsetup utility during installation or afterward. Devices like hard disks or flash drives are first initialized with cryptsetup luksFormat, then unlocked with cryptsetup luksOpen to access the underlying block device. Data can then be written and read while the system is running.

The key advantage of LUKS is compatibility – it works across desktop and server distributions, with any filesystem, and on BIOS or UEFI systems alike. Everything from single block devices to RAID and LVM volumes can use LUKS encryption. Passphrases are stored securely within the LUKS header and can include additional measures like keyfiles for tougher security.
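To make the role of the LUKS header concrete, the following added example (not from the original article or the cryptsetup project) parses a LUKS1 on-disk header and reports the cipher and which of its eight key slots are in use; each passphrase or keyfile occupies one slot. The field layout follows the LUKS1 on-disk format, and the sample header is constructed for the demo and contains no real key material.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_STATES = {0x00AC71F3: "enabled", 0x0000DEAD: "disabled"}
# LUKS1 layout (big-endian): 208-byte header, then 8 key slots of 48 bytes each.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")
HEADER_LEN = PHDR.size + 8 * SLOT.size  # 592 bytes

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob):
    """Parse the first 592 bytes of a device; report cipher and key-slot states."""
    if len(blob) < HEADER_LEN:
        raise ValueError("need at least %d bytes" % HEADER_LEN)
    (magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = PHDR.unpack_from(blob, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("not a LUKS device")
    if version != 1:
        raise ValueError("LUKS version %d uses a different layout" % version)
    slots = []
    for i in range(8):
        state, iters, _s, _km_off, _stripes = SLOT.unpack_from(blob, PHDR.size + i * SLOT.size)
        # Anything other than the two defined markers means a damaged header.
        slots.append({"slot": i, "state": SLOT_STATES.get(state, "invalid"),
                      "iterations": iters})
    return {"cipher": _text(cipher) + "-" + _text(mode), "hash": _text(hash_spec),
            "key_bits": key_bytes * 8, "payload_offset_sectors": payload_off,
            "uuid": _text(uuid), "slots": slots}

def build_sample_header(enabled=(0, 3)):
    """Constructed header for the demo: zeroed salts and digest, no real key material."""
    hdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                    bytes(20), bytes(32), 100000,
                    b"00000000-0000-0000-0000-000000000000")
    for i in range(8):
        on = i in enabled
        hdr += SLOT.pack(0x00AC71F3 if on else 0x0000DEAD,
                         200000 if on else 0, bytes(32), 8 + i * 504, 4000)
    return hdr

if __name__ == "__main__":
    info = parse_luks1_header(build_sample_header())
    print(info["cipher"], info["key_bits"], "bit key, payload at sector",
          info["payload_offset_sectors"])
    for s in info["slots"]:
        print("  slot", s["slot"], s["state"], s["iterations"])
```

On a real system, cryptsetup luksDump prints the same information for a device; LUKS2 volumes use a different metadata layout and are rejected by this parser.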

Drawbacks are purely usability centered – setup requires knowing basic Linux and cryptsetup commands. No graphical tools are included for initialization or unlocking disks. But for powerful whole disk encryption with wide compatibility, LUKS remains the go-to standard choice after over 15 years of improvements.

Encryption Tools

For desktop users seeking an easier way to encrypt disks, Encryption Tools provides a full-featured yet simple graphical option. Included in major distributions like Ubuntu, Linux Mint, Elementary OS and more, Encryption Tools handles LUKS initialization and unlocking via an intuitive GUI.

The main Encryption Tools window lists any encrypted volumes as well as available disks and partitions. Clicking “Encrypt Device” walks through formatting with LUKS, setting a passphrase, enabling on boot, and applying desired mount options. Unlocking disks for use is equally simple via the main window.

Beyond LUKS disks, Encryption Tools also encrypts removable media like USB drives. Insert a flash drive and it prompts to encrypt contents with a passphrase. All encrypted devices seamlessly mount on login with transparency to the user. Detailed instructions for manual setup are also provided within the app.

For home and small office users daunted by the command line, Encryption Tools provides an easy way to implement full disk encryption without deep Linux knowledge. Its inclusion on popular distros makes encrypted systems quick to configure for improved security with a negligible learning curve.

EncFS

While LUKS and Encryption Tools handle entire block devices, sometimes you only want to encrypt certain directories or partitions rather than an entire disk. EncFS offers an easy way to selectively encrypt filesystem folders with a fused virtual filesystem.

To use EncFS, create a normal directory as the “encrypted” version. Then mount it with encfs specifying the “plaintext” version which will contain only encrypted contents. Files copied to the mounted folder are encrypted in place and invisible in the plaintext dir until the virtual filesystem is unlocked.

This allows granular encryption of e.g. a Documents folder without affecting the whole /home partition. It works across reboots by storing the encrypted contents as normal files rather than LUKS block devices. No special permissions or setup is required beyond installing the encfs package.

EncFS functionality can be integrated into a GUI like GNOME via the GNUstep Enigmail utility. But the real power lies in its flexibility for command line use via FUSE mounting. System administrators can automate EncFS folder encryption across user accounts without a full disk solution.

GNOME Disks

Graphical frontends make encryption easier for casual users, but sometimes you need encryption baked directly into a desktop environment itself. GNOME Disks provides native whole disk and removable media encryption capabilities within the default tool for disk management in the GNOME desktop.

On startup, GNOME Disks detects unencrypted block devices and offers easy encryption via LUKS. Simply choose a disk, select “Encrypt Volume” and provide a passphrase. Options include whether to auto-mount on login and enable file system level encryption as well for double security.

Any LUKS volumes are automatically mounted on boot and handled seamlessly in the file manager. Unlocking or changing the passphrase is equally simple through the Disks utility. It also verifies disk integrity on boot to ensure nothing was altered while encrypted.

For GNOME users, Disks eliminates digging through manual CLI commands or extra encryption apps. Whole disk setup is as intuitive as partitioning or formatting in other mainstream operating systems. The integrated approach lowers barriers to adopting encryption on personal computers.

Cryptsetup

When managing servers rather than personal systems, automated command line utilities offer more control than GUI tools. Cryptsetup forms the core of most Linux disk encryption as the CLI companion to set up and use LUKS volumes. But for batch operations, Disk Encryption for Linux (DEL) provides helpful built-in features.

DEL acts as a wrapper and frontend around cryptsetup, with subcommands like del-encrypt, del-decrypt, del-key, and del-status to operate on LUKS disks. It initializes encryptions in the background using a simple YAML file for settings like keyfiles and mount points.

This makes DEL perfect for deploying consistent encryption across countless identical servers. The YAML configuration ensures all systems encrypt disks the same automated way. It also simplifies key management via key rotation subcommands without requiring manual cryptsetup CLI skills.

For Linux administrators, DEL streamlines common cryptsetup tasks and lowers the knowledge barrier around mastering its nuanced options. Reliable bulk encryption deployment and maintenance becomes a snap with this versatile plaintext-driven alternative.

Gnome Keysign

While block device encryption secures entire disks or logical volumes, sometimes you need encryption of individual application files instead. Gnome Keysign provides an easy way to selectively sign and encrypt individual files within Linux.

The GUI utility generates and stores OpenPGP keypairs to encrypt files symmetrically or use public key cryptography. Simply select files to encrypt, choose a passphrase or key, and it handles all cryptographic operations in the background. Files are encrypted in place and appear normal but can only be decrypted by the designated recipient(s).

Intuitive key management integrates with the GNOME online accounts system for syncing keys across devices. Document sharing allows others to securely receive encrypted files along with any public keys necessary for decryption. And file verification ensures integrity and authenticity during transmission.

For Linux users needing ad hoc file encryption on personal documents rather than whole storage volumes, Gnome Keysign offers an elegant and integrated solution. Its focus on usability makes encrypting individual files almost as simple as archiving or compressing.

CLEVIS

Some environments require FIPS 140-2 validated cryptography for HIPAA, PCI or other compliance. The CLEVIS project aims to satisfy these needs by integrating FIPS modules into the Linux kernel key management API.

CLEVIS acts as a broker between userspace encryption applications like cryptsetup and the kernel keyring. It supports “plugs” to interface different key management backends like OpenSSL, the Linux keyutils daemon, or validation-enabled cryptographic modules.

Setting up CLEVIS involves installing cryptsetup compiled against a kernel with the key management API and FIPS modules enabled. Configuring cryptsetup to use CLEVIS plugs for key handling lets it take advantage of validation. No other changes are needed to applications themselves.

For environments where validated encryption is mandated, CLEVIS removes barriers to full disk encryption on Linux servers. It extends standard utilities with a certified cryptographic backend seamlessly via the kernel API.

Conclusion

With Linux offering powerful encryption options across full disk, individual files and portable storage, selecting the right solution depends on your unique security needs. Whole disk tools like LUKS with Cryptsetup or GUI frontends provide robust protection out of the box. But sometimes selective or application-level secrecy fits better.

This guide covered the top free and open source projects addressing diverse encryption use cases from Disks on GNOME to FIPS validated modules. Each excels in its focused area from desktop-friendly GUIs to automated server management and validated cryptography. Selecting the tool matching your environment and data requirements ensures effective protection without introducing unnecessary complexity.

Ultimately, the ability to transparently safeguard sensitive data through full disk, selective folder or individual file encryption distinguishes Linux as a highly secure platform. Whichever method best matches how you work, the limitless options make total privacy and compliance easier than ever before on both desktop and server.