Aug
8

The best file encryption software in open source – group test

by Gareth Halfacree

Keeping your secrets secret is an important consideration, so we have taken the four most popular encryption systems and ordered Linux User’s chief group tester, Gareth Halfacree, to do what he does best. Which is the ultimate option? Read on…

eCryptfs – The Enterprise Cryptographic Filesystem
Chosen by Canonical to keep home folders secure, does eCryptfs deliver on its promise?

At first glance, eCryptfs has plenty to recommend it: it’s already been chosen as the standard encryption solution for keeping home directories private by no lesser entities than Canonical for Ubuntu and Google for Chrome OS, among others. Derived from Erez Zadok’s Cryptfs, eCryptfs is a file-system – rather than block – level encryption solution which has been part of the mainline kernel since 2.6.19.

Setup is easy enough: to manage your encrypted storage you simply install ecryptfs-utils, which provides the capabilities required to create, mount, and manage a full file-system level encryption system.

Installation of eCryptfs is straightforward in most instances

Setting the software up is also straightforward: create a directory which you want to be encrypted, and mount it as the type ‘ecryptfs.’ As a file-system level encryption solution, that’s all that’s required: if it’s the first time that you’ve used that directory as an encryption target, you’ll be taken to a wizard that walks you through the software’s various configuration options. While the defaults are mostly acceptable, it’s advisable to enable file name encryption to help prevent information leakage – although this does carry a small performance penalty over leaving the file names visible.

Unlike encfs, eCryptfs allows you to specify the same directory as both the mount point and the device – meaning you can have a single directory which holds the encrypted files and then provides their contents when properly mounted.
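To check whether an existing eCryptfs mount was set up with file name encryption, as recommended above, the mount table can be inspected. The script below is an added example, not part of the original article: it assumes the `/proc/mounts` format, in which a mount with encrypted file names carries an `ecryptfs_fnek_sig=` option, and the sample paths and signatures are constructed.

```shell
#!/bin/sh
# Added example: report every eCryptfs mount and whether file names are
# encrypted. Assumption: mounts made with file name encryption list an
# ecryptfs_fnek_sig= option in /proc/mounts; mounts without it leave the
# file names readable in the underlying directory.

# Constructed sample in /proc/mounts format (paths and signatures are made up).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/home/alice/secret /home/alice/secret ecryptfs rw,relatime,ecryptfs_fnek_sig=1111111111111111,ecryptfs_sig=2222222222222222,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs 0 0
/srv/vault /srv/vault ecryptfs rw,relatime,ecryptfs_sig=3333333333333333,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0'

# audit_ecryptfs: read mounts-format text on stdin and print one line per
# eCryptfs mount: "<mountpoint> cipher=<c> key_bytes=<n> names=<encrypted|CLEAR>"
audit_ecryptfs() {
    awk '$3 == "ecryptfs" {
        cipher = "?"; bytes = "?"; names = "CLEAR"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            val = opt[i]
            sub(/^[^=]*=/, "", val)          # keep only the part after "="
            if (opt[i] ~ /^ecryptfs_cipher=/)    cipher = val
            if (opt[i] ~ /^ecryptfs_key_bytes=/) bytes  = val
            if (opt[i] ~ /^ecryptfs_fnek_sig=/)  names  = "encrypted"
        }
        printf "%s cipher=%s key_bytes=%s names=%s\n", $2, cipher, bytes, names
    }'
}

# count_clear: number of eCryptfs mounts on stdin whose file names are visible.
count_clear() {
    audit_ecryptfs | awk '/names=CLEAR$/ { c++ } END { print c + 0 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_ecryptfs
```

On a live system, run `audit_ecryptfs < /proc/mounts` after sourcing the functions.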

An encrypted directory mounts as though it were any other device

Unlike LUKS, however, there’s no support for doing so quickly and easily in a GUI – although add-on packages for Nautilus are available for automatically mounting an eCryptfs directory.

For more advanced users, there is one key point of eCryptfs that may cause issues: as a stacked file system, it adds to the existing call stack, and its use with certain file systems – including XFS – can result in a stack overflow. It’s not an issue that most users will encounter, but it’s one that may spell the difference between implementing eCryptfs and opting for an alternative.

A multi-choice wizard walks a user through encrypting with eCryptfs

Sadly, the user space nature of eCryptfs rears its head in another way: performance. Compared to dm-crypt via LUKS or TrueCrypt, eCryptfs results in an impressive performance penalty. Small file performance on our test system dropped to around 10MB/s from around 28MB/s, and while the performance penalty was less pronounced with a single large file it was still noticeable. Users with more impressive hardware will find the performance better, but eCryptfs is a poor choice for slower systems.

Linux User Verdict
Installation: 9/10
On most distributions, the installation of a single package is enough to start using eCryptfs.
Features: 8/10
There are plenty of options in eCryptfs for tuning performance and security, and files are transferable between hosts.
Ease of use: 8/10
Setup is easy, but the software could benefit from better integration with the GUI.
Performance: 4/10
Sadly, eCryptfs does result in a not-inconsiderable performance hit, although this will be lessened on more powerful systems.

Overall: 3/5
The ease of creating eCryptfs file systems makes it a handy package, but the performance penalty is severe.

    • Joseph

      While LUKS may not have a GUI as such, that doesn’t mean that ease of use is really hampered in some distributions. For instance, when using openSUSE’s YaST configuration tool and its partitioner module, one need simply click a check box (and enter the desired password) and YaST handles formatting, setting up and encrypting the partition, and adding an FSTAB entry if needed. I just checked and it seems Ubuntu gives you an encryption option when using its partitioner but not during the install. openSUSE allows for encryption to be specified during system install as well.

      It’s also my understanding that TrueCrypt allows for full-disk encrypting a boot drive under Windows but not Linux. If that is still the case, then perhaps the recommendation would best be LUKS for setting up a system with full-disk encryption (especially if you’re installing a distro with a powerful installer like openSUSE’s) and TrueCrypt for other needs and cross-platform encrypting.

    • linux97

      The selling point for me (strange sounding since it is free) is the simple fact that Truecrypt will work cross-platform as long as it has been installed on other machines. That means that I can encrypt a thumb drive and use it on various machines; taking my encrypted files with me to work, home, wherever. I can also put a persistent linux on another thumb drive, along with truecrypt, and be assured I can use my encrypted files anywhere I am allowed to boot a computer.

    • JDM

      TrueCrypt also has some very ambiguous origins and development and is increasingly hard to compile from source by an end user.

    • David

      Apparently there is a tool that makes it possible to use dm-crypt under windows. It’s called FreeOTFE (http://www.freeotfe.org/) and has the benefit of not having to be installed (thus not needing administrator privileges). This could actually make it even more useful than truecrypt for use with portable devices. This program is windows only and I don’t think there’s a similar program for MacOSX.

    • aprogrammer

      Cool post but I was using Russian encryption instruction http://sysadmin.te.ua/tag/luks