Top 10 file and disk encryption tools for Linux

Data security and privacy have never been more critical for individuals, businesses, and organizations. However, there is no one-size-fits-all solution for data privacy. One solution is to encrypt your data, files, or disk drive.

Our article by Pulkit Chandak demonstrates some of the best ways to encrypt files in Linux. It illustrates reliable ways to encrypt files using GnuPG, ccrypt, 7-zip, VeraCrypt, and Tails OS. This article highlights more open source tools to create file vaults and encrypt and decrypt disk drives. It will also demonstrate how to create an encrypted file vault in a scenario where you do not want to encrypt your entire disk drive.

File and disk encryption tools for Linux


1. LUKS

Linux Unified Key Setup (LUKS) is one of the best disk encryption tools on Linux. It was developed in 2004 by Clemens Fruhwirth. LUKS specifies a platform-independent standard on-disk format that different tools can use.
LUKS interoperates with other programs and ensures that they all handle password management securely. Its reference implementation is an enhanced version of cryptsetup and uses dm-crypt to encrypt the disk.

Key features of LUKS
  • It provides the standard of hard disc encryption on Linux platforms.
  • It provides secure user password management with compatibility for distributors.
  • Setup information is stored in headers of partitions that prompt seamless information flow.
  • It is one of the best disk encryption tools for resisting low-entropy attacks.

Create an encrypted file vault with LUKS

A vault is ideal for working across several platforms, even those that might not have Linux Unified Key Setup (LUKS) integration. You can also use it for cloud storage if you do not use a physical drive for all your data storage.
You can use LUKS and cryptsetup to create an encrypted vault as a self-contained file. You can then save it on a physical drive or in your cloud storage.

Step 1: Create an empty vault file

Create an empty file of a predetermined size depending on your storage requirements. The file serves as a kind of vault to store other files.
Use the following command to create a 1024MB file.

$ dd if=/dev/urandom of=fossvaultfile.img bs=1M count=1024

Using /dev/urandom as the source of filler data ensures that a hexdump cannot distinguish actual data from empty space.

Step 2: Create a LUKS volume
Use the following command to create a LUKS volume within the empty vault file (fossvaultfile.img).

$ cryptsetup --verify-passphrase \
luksFormat fossvaultfile.img

Step 3: Open the LUKS volume
Open the LUKS volume so that it is mapped under /dev/mapper, where a filesystem can then be created for file storage.

$ sudo cryptsetup open \
--type luks fossvaultfile.img fosslinuxvault
$ ls /dev/mapper

Step 4: Create a file system
Use the following to make a filesystem in your open vault (fosslinuxvault).

$ sudo mkfs.ext4 -L fosslinuxvault /dev/mapper/fosslinuxvault

You can close the vault with the following command:

$ sudo cryptsetup close fosslinuxvault

Step 5: Use the encrypted vault
To access your vault, mount it as a usable filesystem with the following commands:

$ sudo cryptsetup open \
--type luks fossvaultfile.img fosslinuxvault
$ ls /dev/mapper
$ sudo mkdir /fosslinuxvault
$ sudo mount /dev/mapper/fosslinuxvault /fosslinuxvault

The commands above open the vault with cryptsetup and then mount the vault from /dev/mapper to a new directory called /fosslinuxvault. You can mount the LUKS volume anywhere you want. For instance, instead of /fosslinuxvault, you can use /mnt or ~/fosslinuxvault or any name you prefer.

While it’s mounted, a LUKS volume is decrypted. It allows you to read and write files to it.

You can unmount and close the encrypted vault with the following commands:

$ sudo umount /fosslinuxvault
$ sudo cryptsetup close fosslinuxvault

LUKS provides an easy encryption solution for improved data safety. Image files you encrypt with LUKS are as portable as any other file. As such, you can store a vault on your hard drive, an external drive, or the internet. You can then use LUKS to decrypt, mount, and keep your data safe.
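
The dd command in Step 1 silently overwrites whatever already sits at the output path, including an existing vault and its LUKS header. The following added example (not part of the original article; the function names luks_version, guard_new_vault and make_sample_vault are hypothetical) reads the header magic and version from a file without root and refuses to reuse a path that already holds a LUKS container.

```shell
#!/bin/sh
# Added example: identify a LUKS container by its on-disk header.
# A LUKS header starts with the 6-byte magic "LUKS" 0xBA 0xBE, followed by a
# 2-byte big-endian version number (1 for LUKS1, 2 for LUKS2).

# luks_version FILE -> prints "LUKS1", "LUKS2" or "none"
luks_version() {
    [ -r "$1" ] || { echo "none"; return 0; }
    # Read the first 8 bytes and render them as one lowercase hex string.
    hdr=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo "LUKS1" ;;
        4c554b53babe0002) echo "LUKS2" ;;
        *)                echo "none"  ;;
    esac
}

# guard_new_vault FILE -> returns 0 if Step 1's dd may write to FILE,
# 1 if FILE already carries a LUKS header that dd would destroy.
guard_new_vault() {
    kind=$(luks_version "$1")
    if [ "$kind" != "none" ]; then
        echo "refusing: $1 is already a $kind container" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: LUKS2 magic and version followed by random filler,
# standing in for a real vault such as fossvaultfile.img.
make_sample_vault() {
    printf 'LUKS\272\276\000\002' > "$1"
    dd if=/dev/urandom bs=512 count=8 2>/dev/null >> "$1"
}
```

Typical use is `guard_new_vault fossvaultfile.img && dd if=/dev/urandom of=fossvaultfile.img bs=1M count=1024`. On a system with cryptsetup installed, `cryptsetup isLuks fossvaultfile.img` performs an equivalent header check.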

2. Gostcrypt

Gostcrypt is free, open-source disk encryption software. It was released at the end of 2013 as a fork of the TrueCrypt project. Gostcrypt uses 256-bit keys for encryption and decryption, and each 256-bit key is internally divided into eight 32-bit subkeys. This makes GOST 28147-89 a reliable solution to encrypt or decrypt your data.

Key features of Gostcrypt
  • It uses an asymmetric encryption algorithm to encrypt data; it generates public and private keys during encryption.
  • It produces an extension with an encrypted file that provides better file protection.
  • It provides encryption notification text messages on your desktop.

3. Node.js

Node.js is an open-source runtime environment that runs JavaScript code outside a browser. You can use it as encryption software on your Linux system. Node.js lets web developers use JavaScript to write command-line tools and server-side scripts. Web developers consider it one of the best encryption tools, as it lets them create dynamic web pages before deploying to a production environment.

Essentially, Node.js represents a "JavaScript everywhere" paradigm that unifies web development around a single programming language. Although .js is the standard filename extension for JavaScript code, the name Node.js does not refer to a particular file.

Key features of Node.js encryption
  • You can perform cryptographic operations on strings, buffers, and streams.
  • Node.js includes the crypto library that you can use to manage cryptographic operations on data.

However, one drawback is that when Node.js is installed manually, the crypto library might not be shipped with it.

4. Cryptmount

Cryptmount is a free, open-source, user-friendly file encryption tool. It enables users to encrypt a specific filesystem and does not require superuser privileges. Moreover, a superuser can generate an entirely new encrypted filesystem with many configuration options. After the initial filesystem has been configured, a non-root user only needs to provide the decryption password to access it, and cryptmount then configures the device mapper automatically. The device-mapper mechanism lets regular users access the encrypted filesystem when needed.

Key features of Cryptmount
  • It provides an interactive setup script to encrypt the filesystem effectively.
  • You can generate more than one encrypted filesystem in a single disc partition. The filesystem is configured automatically at system boot-up.
  • You can create a required filesystem without the superuser privileges that enable a non-root user to access the file system data.


5. Tomb

TOMB is a free, open-source tool regarded as one of the best file encryption tools available for Linux systems. It is written with code that makes it easy to review and enhance commonly shared components.

The authentication system allows you to generate encrypted files that you can close or open by applying their associated files. The files are protected with users’ passwords. TOMB is a secured file encryption tool that can be protected and transported with a file system since keys can be kept in a discrete file. For example, you can store tomb files in a computer hard disc, whereas keys can be preserved on a portable USB stick.

Key features of TOMB
  • The tool features a simple shell script that you can download for FREE.
  • It is user-friendly and ideal for beginners.
  • It is written in readable code.
  • It requires root access. You can use it from the terminal command line.
  • It facilitates sound function. In essence, you can store its software and keys in physically distinct files.

6. EncFS

EncFS is open-source, user-friendly file encryption software that you can use on any Linux distro. EncFS works as follows: encrypted data is stored in the rootdir directory through a virtual file system, and the mount point then makes the unencrypted data visible to users. Moreover, you must provide a password, which is used to encrypt the file contents and the file names together.

EncFS works distinctly. For example, if it cannot track the supported file system at a specific rootdir directory, it will suggest you generate a new file system at that particular file space. It also includes several options for the users to configure the tool.

Key features of EncFS
  • It features FUSE that you can use to collaborate between an encrypted directory and another directory.
  • You do not necessarily require root privileges to implement file encryption using the tool; in essence, you can also use encrypted repository files.
  • It features a different loopback system from other competitive systems.
  • It can work on any existing file system. Moreover, you do not have to generate any file system or file within it.

7. Dm-crypt

Dm-crypt is an open-source, transparent disk encryption subsystem for the Linux kernel and DragonFly BSD. It is part of the device-mapper infrastructure, and it uses cryptographic routines from the kernel's crypto API. It was created to support advanced modes of operation like XTS, LRW, and ESSIV to thwart the shadow attack. It also addresses some reliability issues of cryptoloop.
Moreover, its device-mapper target resides in kernel space as it works to encrypt the block device. However, if necessary, it does not transform any data itself.

Key features of dm-crypt
  • It only works in transparent encryption of virtual block devices that allows a large amount of flexibility.
  • You can configure it to allow pre-boot authentication by an initrd to facilitate encryption of the entire data on a hard drive.

One caveat is that dm-crypt is also vulnerable to watermarking attacks, while cipher block chaining is used with other disk encryption software.

8. Cryptsetup

Cryptsetup is an open-source file encryption utility. You can use it as a command-line tool that works with dm-crypt to access, create, and manage encrypted devices. Moreover, you can expand its functionality to support various encryption types, depending on the cryptographic module and the Linux kernel device-mapper.
It works with the Linux Unified Key Setup (LUKS) extension, where the required setup information is stored on the disk itself. This setup allows seamless use of virtual partitions and key management. A device that you access through the device-mapper is called a block device.

Key features of Cryptsetup
  • An encrypted block device is secured with a passphrase key or a key file.
  • The LUKS default encryption format is required to form a new LUKS device with default parameters.
  • You can create a device with the LUKS format with cryptsetup in a new dm-crypt device and the LUKS encryption format.
  • You can use it to generate a filesystem to encrypt data accessible with the device-mapper name.

9. Cryptomator

Cryptomator is open-source file encryption software designed to protect files in cloud platforms such as Dropbox, OneDrive, Google Drive, and many more. For it to work, the local system drive is encrypted with Cryptomator, and then it is synchronized with the cloud.

Cryptomator makes data readable to authorized users only. One of its best features is the virtual hard drive that contains all data in a specific folder of the cloud folder. It can create a virtual hard drive that can be accessed just like a USB flash drive.

Key features of Cryptomator
  • It uses AES (Advanced Encryption Standard) to encrypt the data in the cloud.
  • It uses a passphrase to secure data from attacks like brute force.
  • Data in virtual drives called vaults is encrypted and protected with a passphrase.
  • You can generate a master key in the vault folder to secure data when you create a folder.

10. CryFS

CryFS is open source and one of the best file encryption tools for Linux. However, you can only use it to encrypt file contents. It has been designed for directory structure, metadata, and file size confidentiality. CryFS splits file contents into blocks of the same size and encrypts each whole block individually. It uses the base directory you are working on to store all the encrypted files and uses random IDs as file names.

Once you synchronize the base directory, you can set up a connection with cloud providers like Dropbox, OneDrive, and many more. In case of an attack, a hacker might be able to see the base directory; however, the file sizes, metadata, and directory structure of your data will not be visible.

Key features of CryFS
  • A configuration file is used to encrypt and protect files. Moreover, a user’s chosen password is applied along with integrity checks.
  • The configuration file is located in the file directory along with the information CryFS requires to decrypt it.
  • The configuration files get encrypted twice using aes-256-gcm and a user’s chosen password. In addition, CryFS prompts inner and outer keys that impasse attackers very effectively.

BONUS ENTRY: Scramdisk4 Linux

Scramdisk 4 Linux is an open-source file encryption tool designed with a focus on the Linux platform, which makes it one of the most suitable tools to encrypt files in your Linux distro. Scramdisk4 includes additional features like a graphical user interface (GUI) that makes it easy to manage and access the Scramdisk container files.

Scramdisk encrypts a partition on the storage media or hard disc like a USB stick entirely as a device. It is compiled with the Linux kernel driver scramdisk, GUI scram disc, ko, and other command-line utilities.

Key features of Scramdisk4
  • Scramdisk 4 is a free, open-source file encryption tool.
  • It features an on-the-fly encryption format that secures an entire file system within the regular encrypted file or the container.
  • It is designed to protect the driver on Linux by encrypting data to protect it from brute-force attacks.
  • You can easily configure and change your passphrase using the change button.

Wrapping up

Like with any other resource, Linux has multiple tools and OS to encrypt your disk drive or data. I have found the LUKS tool to be very flexible. Note that any image file you encrypt with LUKS is as portable as any other file. You can store files in a vault or dump them to a hard drive, an external drive, or the cloud.

Feel free to suggest more tools you have had experience with encrypting drives or files.

