Official website for Linux User & Developer

The best file encryption software in open source – group test

by Gareth Halfacree

Keeping your secrets secret is an important consideration, so we have taken the four most popular encryption systems and ordered Linux User’s chief group tester, Garath Halfacree, to do what he does best. Which is the ultimate option? Read on…

Quick Links
LUKS – The Linux Unified Key Setup – and dm-crypt
eCryptfs – The Enterprise Cryptographic Filesystem

EncFS – A user-space encryption system
TrueCrypt – the only entry with a GUI
Final comments and winner revealed

LUKS – The Linux Unified Key Setup – and dm-crypt
With LUKS provided as standard in many distributions, it’s as good a place to start for encryption…

While LUKS isn’t just a means of encrypting a file system, that’s certainly its most common usage. Developed as a reference implementation of the TKS1 standard for secure key setup created by Clemens Fruhwirth, it’s possibly the most commonly used whole-disk encryption system around for Linux distributions.

The file system encryption portion LUKS is handled by dm-crypt, which provides an encrypted target for the device-mapper infrastructure included in kernel 2.6 and above. Unlike some other products on test, LUKS doesn’t concern itself with the creation of encrypted files and folders: instead, it aims to encrypt entire filesystems.

The best file encryption software in open source - group test
The command ‘cryptsetup’ is used to control dm-crypt via LUKS

The upshot is that LUKS can be awkward to implement. While other packages on test, such as encfs or ecryptfs, are happy working with existing file systems, LUKS is aimed at encrypting an entire device – which results in the target file system being wiped when you create the encrypted volume. There are ways of creating a file rather than a device – most revolving around the use of loopback mounts – but it’s certainly not the intended use case for the package.

The plus side to the tight integration of dm-crypt and LUKS into the Linux kernel is improved distribution support: in many distributions, a LUKS-encrypted device is automatically detected and can be mounted with a single click and the entry of the password. In other worse: the time you spent setting it up can be saved when it comes to using the encrypted file system.

The best file encryption software in open source - group test
The low-level at which dm-crypt and LUKS operate can sometimes lead to confusion

As with the other encryption technologies on test, LUKS is designed in such a way that the unencrypted data is never written to the disk: instead, it is encrypted and decrypted as it’s read and written. While this means that security is kept at a maximum, there is a performance penalty to pay. Thankfully, on a modern system that shouldn’t be too onerous: while small-file performance took a hit – a test in which we copied 500 128KB files to the target volume – the throughput in copying a large file to the encrypted volume was only slightly slower than using no encryption at all.

As with any software-based encryption system, however, there is a trade-off: as you encrypt and decrypt data, the system CPU will be loaded. If you’re running a slower system – especially one with only a single processing core – you may find general performance impacted as the system works the cryptography engine.

The best file encryption software in open source - group test
LUKS and dm-crypt integrate well with most Linux desktops

Linux User Verdict
Installation: 8/10
With the kernel support already compiled in to most distributions, LUKS is easy to install and set up for most users.
Features: 6/10
While LUKS offers plenty of scope for adjustment, many options are hidden away from the user.
Ease of use: 4/10
LUKS is the hardest software on test to set up, and usually requires the intervention of a root account.
Performance: 8/10
While there’s a definite performance hit, LUKS is still fast enough for system-wide use.

Overall: 3/5
LUKS is an impressive piece of software, but would benefit from a guided configuration mode like encfs or ecryptfs.

Continue to next page – eCryptfs – The Enterprise Cryptographic Filesystem

Pages: 1 2 3 4 5
  • Tell a Friend
  • Follow our Twitter to find out about all the latest Linux news, reviews, previews, interviews, features and a whole more.
    • Joseph

      While LUKS may not have a GUI as such, that doesn’t mean that ease of use is really hampered in some distributions. For instance, when using openSUSE’s YaST configuration tool and its partitioner module, one need simply click a check box (and enter the desired password) and YaST handles formatting, setting up and encrypting the partition, and adding an FSTAB entry if needed. I just checked and it seems Ubuntu gives you an encryption option when using its partitioner but not during the install. openSUSE allows for encryption to be specified during system install as well.

      It’s also my understanding that TrueCrypt allows for full-disk encrypting a boot drive under Windows but not Linux. If that is still the case, then perhaps the recommendation would best be LUKS for setting up a system with full-disk encryption (especially if you’re installing a disto with a powerful installer like openSUSE’s) and TrueCrypt for other needs and cross-platform encrypting.

    • linux97

      The selling point for me (strange sounding since it is free) is the simple fact that Truecrypt will work cross-platform as long as it has been installed on other machines. That means that I can encrypt a thumb drive and use it on various machines; taking my encrypted files with me to work, home, wherever. I can also put a persistent linux on another thumb drive, along with truecrypt, and be assured I can use my encrypted files anywhere I am allowed to boot a computer.

    • Pingback: Links 10/8/2011: Linux/Android Tablets Multiply, OpenGL 4.2 is Coming | Techrights()

    • Pingback: Open encryption software « 0ddn1x: tricks with *nix()

    • JDM

      TrueCrypt also has some very ambiguous origins and development and is increasingly hard to compile from source by an end user.

    • David

      Apparently there is a tool that makes it possible to use dm-crypt under windows. It’s called FreeOTFE ( and has the benefit of not having to be installed (thus not needing administrator priviligeous). This could actually make it even more useful than truecrypt for use with portable devices. This program is windows only and I don’t think there’s a similar program for MacOSX.

    • Pingback: Truecrypt opensuse | Playstation3st()

    • aprogrammer

      Cool post but I was using russian ecryption instruction

    • Pingback: Data encryption in Linux (and OS X, and Windows) | Bits and Pieces()

    • Markus

      Interesting how some articles at somehow the same time try to sell people the compromised TrueCrypt stuff to the people instead of LUKS and try to tell that the performance is way better.. ;)