
Encryption

last updated 2026-06-17 · 3 recommendations

Full-disk and container encryption means a lost or stolen device is a hardware loss, not a data breach. This page covers encrypting drives and files at rest, not cloud-sync encryption, which lives on the Cloud Storage page.

before you pick

Encryption is only as strong as the passphrase protecting it, and it only protects data at rest: a powered-on, unlocked machine is readable by anyone with access to it. Pick a tool you'll actually keep enabled; an encrypted drive you disable after one annoying prompt protects nothing.

open source / auditability

Encryption you can't inspect is encryption you're trusting blind. Open code and independent audits are how "secure" gets verified instead of asserted.

cross-platform support

Drives and containers get plugged into other machines. A format locked to one OS is a format you'll fight with eventually.

plausible deniability / hidden volumes

Not every threat model needs it, but where coercion is plausible, the ability to reveal a decoy volume (not just refuse a password) matters.

VeraCrypt

the default pick
open source · audited · windows/macos/linux · hidden volumes · free

The successor to TrueCrypt and the obvious default: open source, independently audited, and available on Windows, macOS, and Linux with the same container and full-disk encryption options on each. Supports hidden volumes: a decoy password reveals an innocuous volume while the real data sits in a separate, deniable container. Mature, well-documented, and actively maintained since it picked up where TrueCrypt's abrupt 2014 shutdown left off.

good
  • Open source with a completed independent security audit
  • Full-disk, partition, and container encryption on every major OS
  • Hidden volumes for genuine plausible deniability
  • No subscription, no account, no telemetry
mind the
  • Interface is dated and unforgiving of mistakes: read before you click
  • No mobile apps; reading a VeraCrypt volume on a phone is awkward at best
  • Boot-time full-disk encryption setup is unforgiving if interrupted
free, open source · veracrypt.fr →

LUKS

the linux-native pick
linux unified key setup · open source · installer-integrated · free

Linux's native disk-encryption standard, built into the kernel's dm-crypt subsystem and offered by nearly every distro installer as a checkbox during setup. There's no separate app to install or trust: it's the encryption you already get by ticking "encrypt my drive" when you install Ubuntu, Fedora, or most anything else. Open source, widely deployed, and battle-tested across the entire Linux ecosystem.

good
  • Built into the kernel: no third-party trust required
  • One checkbox at install time on most distros
  • Open source and extremely widely deployed
  • Supports multiple key slots: several passphrases for one volume
mind the
  • Linux-only: no native Windows or macOS support
  • No plausible-deniability story; a LUKS header is identifiable as such
  • TPM-bound auto-unlock (e.g. Clevis) can be defeated via physical TPM-bus sniffing on some hardware; a plain passphrase unlock isn't affected
  • Recovery requires care: losing the header or all key slots means the data is gone
free, built in · cryptsetup →

BitLocker

the windows pick, with caveats
windows only · closed source · built in · microsoft-controlled · free with pro/enterprise

The built-in option on Windows, and a real improvement over an unencrypted drive, but it comes with caveats worth stating plainly. It's closed source, so its internals can't be independently verified the way VeraCrypt's can, and the whole thing is controlled by Microsoft end to end. The bigger catch: on Home edition, what you typically get is "device encryption," which by default escrows your recovery key to your Microsoft account, meaning Microsoft (and anyone who compels or breaches Microsoft) holds a copy of the key. Full BitLocker with local-only key control needs Pro or Enterprise.

good
  • Already on the machine: zero install, zero cost on Pro/Enterprise
  • Tight OS integration; TPM-backed unlock with no daily friction
  • Manageable at scale via Active Directory/Intune for organizations
mind the
  • Closed source: no independent way to verify the implementation
  • Home edition's device encryption escrows your key to a Microsoft account by default
  • Full control over key storage requires Pro/Enterprise, not Home
  • No plausible deniability and no cross-platform volumes
free with Windows Pro/Enterprise · microsoft support →

tool        platform                   open source   audited                ease of setup
VeraCrypt   Windows / macOS / Linux    yes           yes                    medium
LUKS        Linux                      yes           widely reviewed        low (installer checkbox)
BitLocker   Windows                    no            no independent audit   low (built in)

"ease of setup" assumes a typical desktop install, not enterprise key management.

This page is about local, at-rest encryption: encrypting a drive or container that lives on your own hardware. For encrypting files you keep in a third-party cloud (Dropbox, Google Drive, and similar) see Cloud Storage & Sync, where a client-side encryption layer like Cryptomator belongs and is covered in full.

Encryption only protects a powered-off or locked device. Once a drive is unlocked and the machine is running, the data is as exposed as it would be unencrypted. Pair full-disk encryption with a screen lock and a short auto-lock timeout.

Write down your recovery key somewhere durable. A forgotten passphrase with no recovery key is functionally the same as a drive failure: the data is gone. Store it offline, away from the device it unlocks.

Hidden volumes only work if you never mount the hidden one carelessly. Filesystem timestamps and OS-level traces can undermine deniability if the hidden volume is opened on a system that logs activity. If this matters to your threat model, it matters enough to read VeraCrypt's documentation on it in full.