Five of the Best Free Linux Disk Encryption Tools

An anonymous reader writes "Disk encryption uses software to encrypt the entire hard disk. The onus is therefore not on the user to determine what data should be encrypted, or to remember to manually encrypt files. By encrypting the entire disk, temporary files, which may reveal important confidential data, are also protected. Security is enhanced further when disk encryption is combined with filesystem-level encryption. To provide an insight into the open source software that is available, we have compiled a list of five notable disk encryption tools. Hopefully, there will be something of interest here for anyone who wants easy-to-use data encryption and security."

Link? List?

[Goose+In+Orbit]

Or a linked list even?

Re:Link? List?

[blacktulip]

They encrypted themselves so you can not see them.

Re:Link? List?

[ColdWetDog]

Here. Not so hard, but bog - can't the submitter figure that out? Slow down, guys, nobody is gonna scoop you on this stuff.

Re:Link? List?

Can't the editor, "Roblimo," proofread the submission? Isn't that practically their entire function?

Re:Link? List?

[CyberK]

The submitter had the link (check Firehose), but it seems that the edititors deemd the submission to be too long and chopped it off. After all, this is Slashdot and nobody RTFAs anyway.

Re:Link? List?

[houstonbofh]

Do I mod this funny, insightful, informative, or flamebate? Tough call...

Re:Link? List?

[ColdWetDog]

Yes.

Re:Link? List?

[causality]

Can't the editor, "Roblimo," proofread the submission? Isn't that practically their entire function?

Can they? Yes. Do they? No. They don't even run basic spell-checkers as evidenced by multiple finalized submissions. I'd personally be ashamed to put my name to much of the work they produce. If they worked in the other 99.99999% of job positions bearing the title "editor" they would be fired due to poor job performance. In this shitty job market I imagine there are many thousands of people who would be happy to do better.

I don't get to slack like that in my job. If the "editors" here started acting like they were semi-worthy of the title I would seriously consider a paid subscription. Note, I don't expect perfection or anything like that. I just want them to at least try.

They should stop calling themselves "editors". Another title like perhaps "reposters" would be more appropriate and would remove the expectation that they act like, well, editors.

I notice that any post pointing out that the ad-laden blog they chose to link in the summary is one of the worst and least-direct (second-hand or third-hand) sources available for the story, or pointing out that (particularly for book reviews) the story itself is likely a Slashvertisement, well those get very quickly modded to oblivion. And I do mean *quickly*. I wouldn't notice most of them at all except that I browse at -1.

While I cannot prove that it's solely the editors doing that, it is known that editors have infinite modpoints. So I consider it quite plausible, especially considering that I can't be the only user who considers it useful information when someone points out what may be an undisclosed marketing motive. I tend to mod those "Informative" myself so long as they are thoughtful and can back up what they say. I have seen more unlikely things happen, I admit, but I have a hard time imagining that the majority of moderators find such information so objectionable.

Re:Link? List?

[Roblimo]

The link works for me in both Chrome and Firefox. I don't have Explorer handy, so I can't test it with that browser.

  I'm sorry you're having problems, but I don't see anything wrong.

And yes, I proofread everything and check all links.

Re:Link? List?

[countertrolling]

The 'submitter' has been updated to reduce the chances of a reoccurrence, though it still might happen.

Re:Link? List?

[Fwipp]

You must have fixed it, because when it first went up there was no link.

Re:Link? List?

[Roblimo]

Nope. Didn't touch a thing. But there's no point in arguing. The backend was doing some strange things earlier, but not *that* strange. Another mystery of the Internet.

Re:Link? List?

[A+nonymous+Coward]

He said "reposters", not "reporters". You are as bad at reading as they are.

Re:Link? List?

[c6gunner]

You start paying me to comment, I can guarantee a massive improvement.

Re:Link? List?

[MoeDumb]

First you show improvement, then we pay you.

Re:Link? List?

[MoeDumb]

flamebate: to flame oneself until burnout is achieved.

Re:Link? List?

[Thing+1]

The reality is that controversy sells ad impressions.

Best of slashdot editing!

Today we bring you the best of slashdot editing. We cut out all the hard parts for you, like links, and real information.

FYI: http://www.linuxlinks.com/article/2011040308270275/DiskEncryption.html

XKCD

http://xkcd.com/538/

Re:XKCD

[waveclaw]

That xkcd always amused me.

The only way to really delete something is to encrypt it. Then forget the key.

Going to burn through a few wrenches before you find that out. Too bad most people only have two knees.

Relevant to the topic? I have about a dozen CDs of 'encrypted' Linux files that can no longer be opened. Apparently the old cryptoloop encryption implementation on my particular distro was somewhat buggy. The encrypted file system that was contained in those files could only be opened on the original PC. Which promptly died. (Thank you Murphy.)

Fortunately things like luks + cryptsetup made that specific cryptodisk implementation obsolete.

Re:XKCD

Sure that is funny, but that comic isn't as true as you think. The only people who will beat you until you give up the key are those that a) can get away with it, b) know that you have what they want. Criminals who steal hard drives, etc. aren't going to go breaking legs for the encryption keys because they don't know whats on the disk and would likely goto jail for it. Even government agents would have to know that you have what they're looking for, and in the US they aren't likely to be torturing you unless you're actually important. They might put you in jail however.

Re:XKCD

Yes, but no. The US 9th Circuit recently affirmed that the government has the right to seize and search, without a warrant, any laptop entering the US. For activists who travel, this is a big deal. Will Yemeni security beat you with a wrench? Yes. Will the US? Not in a US airport. The assumption used to be that the US also wouldn't make copies of your data for offsite inspection just for the hell of it, but they are, some 5000 times in the last five years.

Re:XKCD

[1s44c]

Sure that is funny, but that comic isn't as true as you think. The only people who will beat you until you give up the key are those that a) can get away with it, b) know that you have what they want. Criminals who steal hard drives, etc. aren't going to go breaking legs for the encryption keys because they don't know whats on the disk and would likely goto jail for it. Even government agents would have to know that you have what they're looking for, and in the US they aren't likely to be torturing you unless you're actually important. They might put you in jail however.

Government agents won't torture you themselves, they will convict you for obstructing their investigation and lock you up for many years with a bunch of violent people. This applies to anyone who doesn't willingly hand over their encryption keys. Most likely it also applies to people who really have forgotten or lost their encryption keys.

Encryption is only protection from unskilled thieves, and agencies who don't want you to know they are watching.

Re:XKCD

[tqk]

... and in the US they aren't likely to be torturing you unless you're actually important.

So, I guess you've not heard about all the FAIL that the US gov't bought itself by waterboarding prisoners? Evidence obtained illegally is inadmissable (in theory).

Re:XKCD

[bingoUV]

Hey, it used to be $1 wrench in this comic. Inflation finally getting to XKCD?

loopback-AES changed recently?

I've had some loopback containers using AES-256 since years and years. Recently after upgrading to Ubuntu 11.04, the same containers no longer will mount, yet I can create brand new ones which work fine. It seems that the old ones are not forward compatible.

Has anyone else noticed this, and if so, what can be done about it? It's really kind of annoying to have to install a whole VM of an older OS just to access my old loopback container files!

Re:loopback-AES changed recently?

[St.Creed]

It's open source. You can write your own code to solve it :)

Re:loopback-AES changed recently?

The default cipher and flags changed, be sure to find out what they used to be.

I had this problem too and by setting explicit opt got it working

Re:loopback-AES changed recently?

[gorilla_au]

Warning: Link in the post above is NSFW!

encfs?

Really, no encfs? Used it for years -- works great, never had any hiccups with it.

Re:encfs?

[Nerdfest]

It works really well in conjunction with DropBox or other cloud data services as well.

There can be only one

[RenHoek]

http://www.truecrypt.org/

There we go.. I don't understand this is still a question.

Re:There can be only one

Everyone using Truecrypt would be as bad as everyone using Internet Explorer was. Monocultures are foolish, period. The more targets there are for adversaries to attack, the less likely it is that any of them will be breached.

Re:There can be only one

Because of these reasons:

http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/

Don't misunderstand me, I like Truecrypt. But security must also involve trust, and, to date, there is no total transparency about Truecrypt's developers.

Re:There can be only one

[Anrego]

dmcrypt for me!

But yeah, truecrypt and dmcrypt are all people really need to know about. They both do mostly the same thing with slight variation, which people choose is down to preference.

LoopAES is outdated, cryptsetup is a userspace tool linked to dm-crypt, and the other is specialized.

Pretty lame article.

Re:There can be only one

[westyvw]

I used to set up encryption using fuse and encfs. That worked well enough for me. The problem I have with Truecrypt is that I have to define a file size before hand. Is there a function for Truecrypt to use cowfs or auto resizing files?

Re:There can be only one

[knifeyspooney]

You can't encrypt the Linux root filesystem with TrueCrypt. That's where the other tools come in.

Re:There can be only one

[asnelt]

The problem is that TrueCrypt is not free software. It is open source but you don't have the freedom to distribute your own modified version. Therefore, there cannot be any community-driven development of TrueCrypt and - unless you can fix things that you don't like yourself - you are subject to the whim of the original developers of TrueCrypt.

Re:There can be only one

[TangoMargarine]

Is there a function for Truecrypt to use cowfs or auto resizing files?

Yes. I thought "dynamically expanding file" was the default during volume creation?

Re:There can be only one

[asnelt]

Sorry, I just noticed that you can now distribute modified versions of TrueCrypt. They must have changed the license.

Re:There can be only one

[metrometro]

> But security must also involve trust, and, to date, there is no total transparency about Truecrypt's developers.

Wow, the developers who created regime-threatening encryption software registered their domain at a fake address. The makers of a powerful privacy tool seem to like privacy? Scandal!

Code review or STFU. I don't see what else could matter than what's in the source.

Re:There can be only one

[DiSKiLLeR]

Regarding TrueCrypt, some of the stuff is simple enough. Encrypted filesystem inside a file, or encrypted partition. Okay. I've done enough under linux with mounting filesystems within files and other stuff to understand how that works very easily.

But then... what boggles my mind, is, how do some of the features of full disk encryption even work?

What performs the decryption while the operating system (whether it be windows or whatever) loads?

And how can your system disk be in a half encrypted half not state and still WORK?

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.

There's some technical details on their site, but nothing that explains how that stuff works in particular.

Re:There can be only one

[knifeyspooney]

For whole disk encryption, TrueCrypt installs a driver between Windows and BIOS that provides transparent crypto service to Windows. And it's only for Windows. For Linux whole disk encryption, something like LUKS is needed.

Re:There can be only one

[MikeBabcock]

I've never understood using truecrypt when you can just use the built-in LUKS feature set.

Re:There can be only one

[knifeyspooney]

If that volume contains the root filesystem, then you won't be able to boot.

Re:There can be only one

[sauge]

Cross operating system compatibility. I can put something (like my tax info) on a true crypt disk on my Mac, and then email it to my mom (an accountant) who can open it on her windows PC.

Which leads to another benefit, my mom is no system administrator, but she can open a file, enter a password, and double click the file within.

Further more, if I want to deal with it - I can put it on my Linux machines.

Finally, if a technician needs to fiddle with the system, I can unmount the drives and let them in with (less) worry about what they may find. (Tend to deal with health care information.) In other words, I can compartmentalize who can see what.

Re:There can be only one

[gust5av]

Check this out:

http://sourceforge.net/projects/stlth/

It's like Truecrypt but based on dm-crypt, GPL and supports unlimited numbers of hidden volumes.
That's real plausable deniability, unlike Truecrypt.

Re:There can be only one

[npsimons]

http://www.truecrypt.org/

There we go.. I don't understand this is still a question.

This is why. Also, dm-crypt/luks is included with Linux by default and Debian makes it dead simple to setup whole disk encryption on a fresh install; I believe that truecrypt won't work for whole disk encryption for Linux.

All due respect to the truecrypt guys and their work (cross-platform encrypted images are awesome), but the only reason Windows and OSX need truecrypt is because they don't have something like Linux's dm-crypt. Truecrypt really isn't necessary for Linux, unless you have to share encrypted images with other OSes, and you could also do that with GNUPG.

Re:There can be only one

[gozar]

All due respect to the truecrypt guys and their work (cross-platform encrypted images are awesome), but the only reason Windows and OSX need truecrypt is because they don't have something like Linux's dm-crypt.

With OS X you can use Disk Utility to create encrypted sparse images, which are nicer than Truecrypt volumes for some things. Especially since sparse disk images only take up as much space as what is stored on them. Not cross platform though. :-(

Re:There can be only one

[Fnord666]

I can put something (like my tax info) on a true crypt disk on my Mac, and then email it to my mom (an accountant) who can open it on her windows PC.

You really don't have to go to the extreme of mailing your Mac. Just have her use logmein for instance.

Re:There can be only one

[tqk]

This.

WTF did you bother to post that?!? Do you seriously believe that adds anything to the discussion, any discussion? Are we voting on an optimum solution? Then yours will be attributed "hearsay from AC", and so won't count.

FFS, do better!

Here is the link from the submission

[Meshach]

http://www.linuxlinks.com/article/2011040308270275/DiskEncryption.html

Re:Here is the link from the submission

[etymxris]

Well do you trust proprietary encryption implementations? I don't.

http://www.rohos.com/2010/02/hardware-encryption-vulnerability-of-kingston-and-sandisk-usb-flash-drives/

Where's eCryptfs?

eCryptfs is the default disk encryption technology shipping in Ubuntu. You can turn it on from the installer. How does that not make the list? I've never even heard of SD4L.

Re:Where's eCryptfs?

[Anrego]

Possibly because it's a file system level encryption tool vice a full disk encryption tool. Then again, they included cryptsetup which is just a userspace utility for dm-crypt, so I'd chalk this up to just being a lame article!

Hardware encryption?

[sunderland56]

Isn't everyone concerned about security already using hardware encryption - which is higher performance, and built in to almost every hard drive?

https://secure.wikimedia.org/wikipedia/en/wiki/Hardware-based_full_disk_encryption

Re:Hardware encryption?

You'd have to trust Seagate, Maxtor, Hitachi & co. to not do something idiotic, such as storing the keys on-disk and NOT sealed to a TPM or somesuch (which they used to do with the ATA security features, and you can get any disk unlocked for a few $$).

And you'd also have to trust them not to have been co-opted by a state government.

I.e, you have to be a dumbass to trust hardware security.

Re:Hardware encryption?

[etymxris]

Well do you trust proprietary encryption implementations? I don't.

http://www.rohos.com/2010/02/hardware-encryption-vulnerability-of-kingston-and-sandisk-usb-flash-drives/

Goatse

[houstonbofh]

Really? Are you not tired of this yet?

Re:Goatse

[browntulip]

Why should I, :

"Ugh. Goatse. You asshole."
"I hope you die in a fire before you are old enough to contaminate the gene pool."
"Ugh. Goatse. NSFW. Asshole (poster and picture, both)."
"Why the sudden coordinated campaign for Goatse? Is someone making money off this?"
"I did not even bother to look, but this same idiot has been doing this for weeks now. Fuck off asshole."
"Thanks, I'm reading slashdot in class like a good student and just got tubgirl'd."
"you are one dedicated troll."
"Parent should be modded down. Link is NSFW and mentally scarring."
"mod to -1, please. this guy is an 'asshole'.... (yes, you guessed it)"
"Seriously ... new account to post that ... what a douche!"
"Argh. Goatse alert..."
"Oh dear god my eyes. Haven't seen THAT awful image in a while."
"Grow up"
just post the damn url, i'm not going to click on a tinyurl link and get goatse'd or something..
Don't click the link! Goatse wannabe.
Well played, sir. Well played.
Goatse URL - Haven't seen that guy in a while
Doh! One has to also recognize data urls. *sigh*
Someone please mod this guy down... Don't click his link.
nice goatse. i like...
i WAS eating lunch you ass!
Asshole... Ginormous asshole, in fact.
Urgh...dammit, am I the only one thinking the goatse trolls are getting worse lately than they have been in the past five years? Are they gaming the mod system or something?
Really? Are you not tired of this yet?
Another quote in my troll food list.

Re:FAIL - LINK

[houstonbofh]

Day?

Honest question about encryption

[chucklebutte]

Yes its wonderful, but what if a user stores his /home on same partition as OS install (bad I know, but happens) and uses encryption? If the OS crashes how can recovery be done of users data? Is there a way to recover encrypted data on a drive? Or is it a double edge sword kind of thing?

Re:Honest question about encryption

[TangoMargarine]

TrueCrypt doesn't do folders. It makes encrypted volumes that can either be a file, or a partition.

Re:Honest question about encryption

[LilWolf]

As long as you know the pass phrase used for the encryption you can stick a LiveCD in and mount the encrypted partitions. The way it's done depends on what was used for the encryption. Google is your friend for finding a relevant HOWTO ;)

Submission untouched by human hands

[countertrolling]

It's an ad link site.. Turn off your cookies on these guys..

Information that is provided to advertisers consists of aggregate statistics that we collate. This includes geographical and psychographic* information.

When links are submitted to our site, we request that the sender provides us with their real name and email address.

You know the routine..

*Huh??

left out the obvious choice

[jlmsprings]

Doesn't matter if the link is in the post or not. The article left out luks

Re:left out the obvious choice

[93+Escort+Wagon]

Doesn't matter if the link is in the post or not. The article left out luks

No, it didn't.

Trying it now

[ALeader71]

I bought a cheapie netbook. I'm trying this out now with Ubuntu Alternate. Should be interesting on the Atom based piggie.

Re:Trying it now

[peawormsworth]

I bought a cheapie netbook. I'm trying this out now with Ubuntu Alternate. Should be interesting on the Atom based piggie.

I've done what you describe and would like to share my experience. I've been running ubuntu with a luks encrypted root drive on an atom netbook for over a year on several systems. I've installed luks on internal HD's, external HD's, SD cards and USB sticks. Also I did experiment with further encryption of home directories using ecryptfs.

Using luks does slow your computer and each additional level of encryption adds to this delay. I have no real measurements but I could "feel" the lag and estimate it to be 10%. Running ecryptfs on top of luks appeared to cause "brown outs" or times when the netbooks would not respond for about 10-30 seconds. My suggestion is to only use ecryptfs for user home directory encryption if you plan to share this netbook with other users (multiple login accounts)... or you wish to provide a guest account.

But luks is reliable for me so far. I have never run into a situation where luks failed and the drive was unusable. I however, made mistakes like overwriting the keys and such and if that happens to you.. just format the drive, because all is gone. Consider this a lesson and backup your luks keys onto USB and throw into your bank deposit box. luks has never let me down... even during improper shutdown and filesystem corruption, ubuntu is able to check/repair the drive and still access the drive just as you would see on a non-luks encrypted drive. I have also used luks disk encryption at work and never lost any data or was unable to access my drive. At this point I trust a luks partition as much as any other non encrypted partition type.

Funny story: I once showed a bunch of managers how easily I could access their own hard drive data simply by booting from my own Ubuntu USB stick on a computer which was protected by a user password that I didn't know. I expressed how full disk encryption would solve the gaping hole in protecting our business data/resources. They were impressed, but came up with their own solution... they removed the ability to boot from USB in the BIOS settings of all work PC's. At first that sounds ideal except it does nothing to prevent the HD from being moved into another PC and allowing full access to data once again. It made me think these managers were more disturbed by the demonstration and wished to prevent me from showing that how weak our current security policy was then actually fixing the issue properly. Lesson: don't be silly like these managers. Install full disk encryption (luks) and you can be sure your data is safe if/when you lose your netbook.

Temporary files in memory, not encrypted

[loufoque]

see subject.

Re:Temporary files in memory, not encrypted

[TangoMargarine]

I think if you that sentence a verb, it might make a bit more sense.

Re:Temporary files in memory, not encrypted

[loufoque]

it's not unusual for headlines to be verbless.

Re:Temporary files in memory, not encrypted

[TangoMargarine]

But replies to them usually need one in order to be cogent.

Re:Temporary files in memory, not encrypted

[loufoque]

The subject of a message counts as a headline to me.

Re:Temporary files in memory, not encrypted

[TangoMargarine]

Seriously, what the heck were you trying to say? "Since temporary Windows files exist unencrypted in memory, encrypting your data doesn't help much"? You can encrypt your entire system drive with TrueCrypt, though I don't know if that would have any effect on said temp files.

Re:Security?

[dgatwood]

Anyone who keeps any of the following on his/her laptop:

• Government secrets
• Corporate secrets
• Any documents with a social security number or other information that could be used for identity theft (e.g. tax documents)
• Bank account numbers or passwords
• Credit card numbers or account passwords
• Other account passwords that could be used to impersonate you (and implicate you)

Remember: identity theft is an equal opportunity crime. Identity thieves don't care if you are rich, poor, man, woman, famous, or obscure.

Re:I recommend encrypting disks

[MacTO]

I usually recommend the opposite. There are cases where encryption is necessary because confidential data is being handled. The flip side is that full disk encryption makes it difficult, if not impossible, to recover data from corrupt file systems or failing hard drives.

OS X Corollary?

[Dingo.Neal]

Anyone care to suggest their top five for OS X? Slap me if that's already covered in another post. - DX

Re:OS X Corollary?

[ogl_codemonkey]

System Preferences -> Security -> FileVault

Turn it on.

Re:OS X Corollary?

[Voline]

If you're worried that a proprietary framework might be compromised by the Government threatening/bribing Apple into implementing a back door ...

"We can make that FCC investigation into the back-dating of executive stock options go away, Mr Jobs. If you'll cooperate with the government ..."

... or you just want a solution that works better with Time Machine than FileVault does, here is a How-To on getting EncFS full-disk encrytion working on Mac OS X.

Nota bene: I have not tried this yet myself.

Re:OS X Corollary?

[GCsoftware]

Erm, even the author of that states that these issues are now fixed with Snow Leopard and recommends against using EncFS on OS X.

Also, you can't use EncFS on your whole home dir as it doesn't support some extended attributes that OS X relies on.

Re:OS X Corollary?

[Cybersonic]

I agree that you might need to look at a proprietary solution for OSX.

PGP (now owned by Symantec) and Guardian Edge (also owned by Symantec) would work.

Pointsec (now owned by Check Point) also supports OSX.

Re:I recommend encrypting disks

[Black+Parrot]

I usually recommend the opposite. There are cases where encryption is necessary because confidential data is being handled. The flip side is that full disk encryption makes it difficult, if not impossible, to recover data from corrupt file systems or failing hard drives.

I recommend instead making regular backups to a separate disk, also encrypted.

Re:Security?

[Baseclass]

You're missing the point. whether or not my data is worth compromising (which I whole heatedly believe that it is), is irrelevant.
Setting aside the fact that I may have cached passwords and financial information stored on my hard drive, the fourth amendment
is meant to guard against unreasonable searches and seizures. Since the US government has chosen to ignore the constitution, I believe that a "better safe than sorry" approach is quite prudent to say the least. You might want to check if you're currently located in a Constitution Free Zone as well.

Re:I recommend encrypting disks

[MikeBabcock]

Backups are a better solution than disk recovery.

I don't recover disks anymore, we just reformat and reinstall for everything these days. I can reinstall a Linux box in under an hour and a Windows machine in a bit more. Restoring from backups is simple enough after that.

I don't want data on the drives to be recoverable, because it may not be me doing the recovering.

x x x x

[metrix007]

xxxxxxxxxxxxx

incomplete list - bitvisor not mentioned

[OrangeTide]

BitVisor is open sourced (BSD licensed). It can provide both disk encryption and transparent VPN/IPsec support to multiple OSes (Win, Linux, ...)

It's a little annoying when people try to make definitive lists, but don't include rather popular options on their list. Do list makers not have Google?

Re:incomplete list - bitvisor not mentioned

[OrangeTide]

Your loss then. It is open source and very well written. It has been mentioned in numerous places before, including on Slashdot. It's often used as a testing ground for security experiments along with Xen. Probably because the code for BitVisor is simpler and easier to hack.

For those who are venerating TrueCrypt: Not Safe

[garompeta]

Whole disk encryption has a side-channel cracking, which is very trivial.
http://en.wikipedia.org/wiki/Cold_boot_attack
http://it.tmcnet.com/news/2010/03/30/4700389.htm
ANY WHOLE HARD DRIVE ENCRYPTION IS PRONE TO A SIDE-CHANNEL ATTACK.

Always links

[moyang]

just some links with ads

Re:I recommend encrypting disks

[Gordonjcp]

You should encrypt the disks on every computer.

What, even when it's massively inappropriate to do so? I can't think of any circumstances under which I'd ever use even FS encryption, never mind full-disk encryption. Disks are slow enough as it is.

Re:Security?

[1s44c]

From who? And for what? Why would anyone think their data is so important that anyone else would want it and that it needs encrypting?

I think my bank account numbers and banking passwords should be kept secret.

I also have a duty to protect any passwords or authentication keys I was trusted with to other people's systems. In fact that one is a condition of employment.

Re:For those who are venerating TrueCrypt: Not Saf

[rainsford]

Those attacks also work just as well on ANY encryption product, it is not a weakness specific to Truecrypt or any other whole disk encryption program. Being able to read RAM through firewire or read old values after the computer is turned off and back on is a fundamental weakness of modern computer systems that encryption software can't really solve.

Re:For those who are venerating TrueCrypt: Not Saf

[garompeta]

Precisely the reason I put the emphasis on ANY.
But the Passware forensic tool is focused on Truecrypt and Bitlocker Whole Disk Encryption... and it is so trivial that even a trained monkey could do it (aka. IT guy)

Tool no good for corporate use - Personal use only

[collinl]

These tools are fine for personal use - but not easily adapted to corporate use e.g. PCI DSS. Mandatory requirements for PCI DSS include key management under dual control and split knowledge.
As such, commercial tools still rule in the storage encryption space.
And I'm no programmer, so I can't resolve these shortcomings.
lyalc

You ARE important

[samjam]

You are important - once you've been tortured - then your freedom and even life is very embarrassing.

It only takes one idiot with an itchy torture finger and then they can never afford to let you go.

Interesting technological support

[born2befrag]

We all know that from a technological point of view we should be satisfied. But don't you think we should spend some time in "spreading the word" and teach people that encryption should be considered in our life as a concept? Until we don't let people understand how important encryption is, all those tools out there will just waste space on hard drives. I think the culture of encrypting documents and communication in general is missing. Until we don't have that culture all the technology that already solves the problem is useless... or better... unused.