Comparison of disk encryption software
This is a technical feature comparison of different disk encryption software.
Features
Hidden containers: Whether hidden containers within another encrypted container can be created for deniable encryption. Note that some modes of operation like CBC with a plain IV can be more prone to watermarking attacks than others.Pre-boot authentication: Whether authentication can be required before booting the computer, thus allowing one to encrypt the boot disk.Single sign-on: Whether credentials provided during pre-boot authentication will automatically log the user into the host operating system, thus preventing password fatigue and reducing the need to remember multiple passwords.Custom authentication: Whether custom authentication mechanisms can be implemented with third-party applications.Multiple keys: Whether an encrypted volume can have more than one active key.Passphrase strengthening: Whether key strengthening is used with plain text passwords to frustrate dictionary attacks, usually using PBKDF2 or Argon2.Hardware acceleration: Whether dedicated cryptographic accelerator expansion cards can be taken advantage of.Trusted Platform Module: Whether the implementation can use a TPM cryptoprocessor.Filesystems: What filesystems are supported.Two-factor authentication: Whether optional security tokens are supported| Name | Hidden containers | Pre-boot authentication | Single sign-on | Custom authentication | Multiple keys | Passphrase strengthening | Hardware acceleration | TPM | Filesystems | Two-factor authentication |
| Aloaha Secure Stick | ||||||||||
| ArchiCrypt Live | ||||||||||
| BestCrypt | ||||||||||
| BitArmor DataControl | ||||||||||
| BitLocker | ||||||||||
| Bloombase StoreSafe | ||||||||||
| CGD | ||||||||||
| CenterTools DriveLock | ||||||||||
| Check Point Full Disk Encryption | ||||||||||
| CipherShed | ||||||||||
| CryFS | ||||||||||
| CrossCrypt | ||||||||||
| CryptArchiver | ||||||||||
| Cryptic Disk | ||||||||||
| Cryhod | ||||||||||
| Cryptoloop | ||||||||||
| Cryptomator | ||||||||||
| CryptoPro Secure Disk Enterprise | ||||||||||
| CryptoPro Secure Disk for BitLocker | ||||||||||
| Cryptsetup / Dmsetup | ||||||||||
| DiskCryptor | ||||||||||
| DISK Protect | ||||||||||
| Dm-crypt / LUKS | ||||||||||
| DriveSentry GoAnywhere 2 | ||||||||||
| E4M | ||||||||||
| e-Capsule Private Safe | ||||||||||
| eCryptfs | ||||||||||
| EgoSecure HDD Encryption | ||||||||||
| EncryptUSB | ||||||||||
| FileVault | ? | |||||||||
| FileVault 2 | ||||||||||
| FREE CompuSec | ||||||||||
| FreeOTFE | ||||||||||
| GBDE | ||||||||||
| GELI | ||||||||||
| Loop-AES | ||||||||||
| McAfee Drive Encryption | ||||||||||
| n-Crypt Pro | ||||||||||
| PGPDisk | ||||||||||
| Private Disk | ||||||||||
| ProxyCrypt | ||||||||||
| R-Crypto | ||||||||||
| SafeGuard Easy | ||||||||||
| SafeGuard Enterprise | ||||||||||
| SafeGuard PrivateDisk | ||||||||||
| SafeHouse Professional | ||||||||||
| Scramdisk | ||||||||||
| Scramdisk 4 Linux | ||||||||||
| SecuBox | ||||||||||
| SecureDoc | ||||||||||
| Seqrite Encryption Manager | ||||||||||
| Sentry 2020 | ||||||||||
| Softraid / RAID C | ||||||||||
| Svnd / Vnconfig | ||||||||||
| Symantec Endpoint Encryption | ||||||||||
| Trend Micro Endpoint Encryption | ||||||||||
| TrueCrypt | ||||||||||
| VeraCrypt | ||||||||||
| CyberSafe Top Secret | ||||||||||
| Name | Hidden containers | Pre-boot authentication | Single sign-on | Custom authentication | Multiple keys | Passphrase strengthening | Hardware acceleration | TPM | Filesystems | Two-factor authentication |
Layering
Whole disk: Whether the whole physical disk or logical volume can be encrypted, including the partition tables and master boot record. Note that this does not imply that the encrypted disk can be used as the boot disk itself; refer to pre-boot authentication in the features comparison table.Partition: Whether individual disk partitions can be encrypted.File: Whether the encrypted container can be stored in a file.Swap space: Whether the swap space can be encrypted individually/explicitly.Hibernation file: Whether the hibernation file is encrypted.| Name | Whole disk | Partition | File | Swap space | Hibernation file | RAID |
| Aloaha Secure Stick | ||||||
| ArchiCrypt Live | ||||||
| BestCrypt | ||||||
| BitArmor DataControl | ||||||
| BitLocker | ||||||
| Bloombase StoreSafe | ||||||
| CenterTools DriveLock | ||||||
| CGD | ||||||
| Check Point Full Disk Encryption | ||||||
| CipherShed | ||||||
| CrossCrypt | ||||||
| CryFS | ||||||
| CryptArchiver | ||||||
| Cryptic Disk | ||||||
| Cryhod | ||||||
| Cryptoloop | ||||||
| Cryptomill | ||||||
| CryptoPro Secure Disk Enterprise | ||||||
| CryptoPro Secure Disk for BitLocker | ||||||
| DiskCryptor | ||||||
| Disk Protect | ||||||
| Dm-crypt / LUKS | ||||||
| DriveSentry GoAnywhere 2 | ||||||
| E4M | ||||||
| e-Capsule Private Safe | ||||||
| eCryptfs | ||||||
| EgoSecure HDD Encryption | ||||||
| EncryptUSB | ||||||
| FileVault | - | |||||
| FileVault 2 | ||||||
| FREE CompuSec | ||||||
| FreeOTFE | ||||||
| GBDE | ||||||
| GELI | ||||||
| Loop-AES | ||||||
| McAfee Drive Encryption | ||||||
| n-Crypt Pro | ||||||
| PGPDisk | ||||||
| Private Disk | ||||||
| ProxyCrypt | ||||||
| R-Crypto | ||||||
| SafeGuard Easy | ||||||
| SafeGuard Enterprise | ||||||
| SafeGuard PrivateDisk | ||||||
| SafeHouse Professional | ||||||
| Scramdisk | ||||||
| Scramdisk 4 Linux | ||||||
| SecuBox | ||||||
| Sentry 2020 | ||||||
| Seqrite Encryption Manager | ||||||
| Softraid / RAID C | ||||||
| Svnd / Vnconfig | ||||||
| SpyProof! | ||||||
| Symantec Endpoint Encryption | ||||||
| Trend Micro Endpoint Encryption | ||||||
| TrueCrypt | ||||||
| VeraCrypt | ||||||
| CyberSafe Top Secret | ||||||
| Name | Whole disk | Partition | File | Swap space | Hibernation file | RAID |
Modes of operation
Different modes of operation supported by the software. Note that an encrypted volume can only use one mode of operation.CBC with predictable IVs: The CBC mode where initialization vectors are statically derived from the sector number and are not secret; this means that IVs are re-used when overwriting a sector and the vectors can easily be guessed by an attacker, leading to watermarking attacks.CBC with secret IVs: The CBC mode where initialization vectors are statically derived from the encryption key and sector number. The IVs are secret, but they are re-used with overwrites. Methods for this include ESSIV and encrypted sector numbers.CBC with random per-sector keys: The CBC mode where random keys are generated for each sector when it is written to, thus does not exhibit the typical weaknesses of CBC with re-used initialization vectors. The individual sector keys are stored on disk and encrypted with a master key. LRW: The Liskov-Rivest-Wagner tweakable narrow-block mode, a mode of operation specifically designed for disk encryption. Superseded by the more secure XTS mode due to security concerns.XTS: XEX-based Tweaked CodeBook mode with CipherText Stealing, the SISWG standard for disk encryption.Authenticated encryption: Protection against ciphertext modification by an attacker| Name | CBC w/ predictable IVs | CBC w/ secret IVs | CBC w/ random per-sector keys | LRW | XTS | Authenticated encryption |
| Aloaha Crypt Disk | ||||||
| ArchiCrypt Live | ||||||
| BestCrypt | ||||||
| BitArmor DataControl | ||||||
| BitLocker | ||||||
| Bloombase StoreSafe | ||||||
| CGD | ||||||
| CenterTools DriveLock | ||||||
| Check Point Full Disk Encryption | ||||||
| CipherShed | ||||||
| CrossCrypt | ||||||
| CryFS | ||||||
| CryptArchiver | ||||||
| Cryptic Disk | ||||||
| Cryhod | ||||||
| Cryptoloop | ||||||
| DiskCryptor | ||||||
| Dm-crypt / LUKS | ||||||
| DriveSentry GoAnywhere 2 | ||||||
| E4M | ||||||
| e-Capsule Private Safe | ||||||
| eCryptfs | ||||||
| EgoSecure HDD Encryption | ||||||
| FileVault | ||||||
| FileVault 2 | ||||||
| FREE CompuSec | ||||||
| FreeOTFE | ||||||
| GBDE | ||||||
| GELI | ||||||
| Loop-AES | ||||||
| McAfee Drive Encryption | ||||||
| n-Crypt Pro | ||||||
| PGPDisk | ||||||
| Private Disk | ||||||
| ProxyCrypt | ||||||
| R-Crypto | ||||||
| SafeGuard Easy | ||||||
| SafeGuard Enterprise | ||||||
| SafeGuard PrivateDisk | ||||||
| SafeHouse Professional | ||||||
| Scramdisk | ||||||
| Scramdisk 4 Linux | ||||||
| SecuBox | ||||||
| SecureDoc | ||||||
| Sentry 2020 | ||||||
| Seqrite Encryption Manager | ||||||
| Softraid / RAID C | ||||||
| Svnd / Vnconfig | ||||||
| Symantec Endpoint Encryption | ||||||
| TrueCrypt | ||||||
| USBCrypt | ||||||
| VeraCrypt | ||||||
| CyberSafe Top Secret | ||||||
| Name | CBC w/ predictable IVs | CBC w/ secret IVs | CBC w/ random per-sector keys | LRW | XTS | Authenticated encryption |