Git-Mirrors/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2024-07-01 17:11:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Convert Encryption to HTML admonitions (#2400)

Browse Source 
Signed-off-by: Daniel Gray <dngray@privacyguides.org>
This commit is contained in:
rollsicecream 2024-02-11 04:29:54 +00:00 committed by Daniel Gray
parent cd4181a7fc
commit 8e3bd2589e
No known key found for this signature in database
GPG Key ID: 41911F722B0F9AE3
1 changed files with 238 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

153
docs/encryption.md
View File

@ -13,7 +13,7 @@ The options listed here are multi-platform and great for creating encrypted back
### Cryptomator (Cloud)
!!! recommendation
<div class="admonition recommendation" markdown>
![Cryptomator logo](assets/img/encryption-software/cryptomator.svg){ align=right }
@ -25,7 +25,8 @@ The options listed here are multi-platform and great for creating encrypted back
[:octicons-code-16:](https://github.com/cryptomator){ .card-link title="Source Code" }
[:octicons-heart-16:](https://cryptomator.org/donate/){ .card-link title=Contribute }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.cryptomator)
- [:simple-appstore: App Store](https://apps.apple.com/us/app/cryptomator-2/id1560822163)
@ -35,6 +36,10 @@ The options listed here are multi-platform and great for creating encrypted back
- [:simple-linux: Linux](https://cryptomator.org/downloads)
- [:simple-flathub: Flathub](https://flathub.org/apps/details/org.cryptomator.Cryptomator)
</details>
</div>
Cryptomator uses AES-256 encryption to encrypt both files and filenames. Cryptomator cannot encrypt metadata such as access, modification, and creation timestamps, nor the number and size of files and folders.
Some Cryptomator cryptographic libraries have been [audited](https://community.cryptomator.org/t/has-there-been-a-security-review-audit-of-cryptomator/44) by Cure53. The scope of the audited libraries includes: [cryptolib](https://github.com/cryptomator/cryptolib), [cryptofs](https://github.com/cryptomator/cryptofs), [siv-mode](https://github.com/cryptomator/siv-mode) and [cryptomator-objc-cryptor](https://github.com/cryptomator/cryptomator-objc-cryptor). The audit did not extend to [cryptolib-swift](https://github.com/cryptomator/cryptolib-swift), which is a library used by Cryptomator for iOS.
@ -43,7 +48,7 @@ Cryptomator's documentation details its intended [security target](https://docs.
### Picocrypt (File)
!!! recommendation
<div class="admonition recommendation" markdown>
![Picocrypt logo](assets/img/encryption-software/picocrypt.svg){ align=right }
@ -53,15 +58,20 @@ Cryptomator's documentation details its intended [security target](https://docs.
[:octicons-code-16:](https://github.com/HACKERALERT/Picocrypt){ .card-link title="Source Code" }
[:octicons-heart-16:](https://opencollective.com/picocrypt){ .card-link title=Contribute }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://github.com/HACKERALERT/Picocrypt/releases)
- [:simple-apple: macOS](https://github.com/HACKERALERT/Picocrypt/releases)
- [:simple-linux: Linux](https://github.com/HACKERALERT/Picocrypt/releases)
</details>
</div>
### VeraCrypt (Disk)
!!! recommendation
<div class="admonition recommendation" markdown>
![VeraCrypt logo](assets/img/encryption-software/veracrypt.svg#only-light){ align=right }
![VeraCrypt logo](assets/img/encryption-software/veracrypt-dark.svg#only-dark){ align=right }
@ -73,12 +83,17 @@ Cryptomator's documentation details its intended [security target](https://docs.
[:octicons-code-16:](https://veracrypt.fr/code/){ .card-link title="Source Code" }
[:octicons-heart-16:](https://veracrypt.fr/en/Donation.html){ .card-link title=Contribute }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://www.veracrypt.fr/en/Downloads.html)
- [:simple-apple: macOS](https://www.veracrypt.fr/en/Downloads.html)
- [:simple-linux: Linux](https://www.veracrypt.fr/en/Downloads.html)
</details>
</div>
VeraCrypt is a fork of the discontinued TrueCrypt project. According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
When encrypting with VeraCrypt, you have the option to select from different [hash functions](https://en.wikipedia.org/wiki/VeraCrypt#Encryption_scheme). We suggest you **only** select [SHA-512](https://en.wikipedia.org/wiki/SHA-512) and stick to the [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) block cipher.
@ -91,7 +106,7 @@ For encrypting the drive your operating system boots from, we generally recommen
### BitLocker
!!! recommendation
<div class="admonition recommendation" markdown>
![BitLocker logo](assets/img/encryption-software/bitlocker.png){ align=right }
@ -99,49 +114,53 @@ For encrypting the drive your operating system boots from, we generally recommen
[:octicons-info-16:](https://docs.microsoft.com/en-us/windows/security/information-protection/BitLocker/BitLocker-overview){ .card-link title=Documentation}
</details>
</div>
BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838) on Pro, Enterprise and Education editions of Windows. It can be enabled on Home editions provided that they meet the prerequisites.
??? example "Enabling BitLocker on Windows Home"
<details class="example" markdown>
<summary>Enabling BitLocker on Windows Home</summary>
To enable BitLocker on "Home" editions of Windows, you must have partitions formatted with a [GUID Partition Table](https://en.wikipedia.org/wiki/GUID_Partition_Table) and have a dedicated TPM (v1.2, 2.0+) module. You may need to [disable the non-Bitlocker "Device encryption" functionality](https://discuss.privacyguides.net/t/enabling-bitlocker-on-the-windows-11-home-edition/13303/5) (which is inferior because it sends your recovery key to Microsoft's servers) if it is enabled on your device already before following this guide.
1. Open a command prompt and check your drive's partition table format with the following command. You should see "**GPT**" listed under "Partition Style":
```
```powershell
powershell Get-Disk
```
2. Run this command (in an admin command prompt) to check your TPM version. You should see `2.0` or `1.2` listed next to `SpecVersion`:
```
```powershell
powershell Get-WmiObject -Namespace "root/cimv2/security/microsofttpm" -Class WIN32_tpm
```
3. Access [Advanced Startup Options](https://support.microsoft.com/en-us/windows/advanced-startup-options-including-safe-mode-b90e7808-80b5-a291-d4b8-1a1af602b617). You need to reboot while pressing the F8 key before Windows starts and go into the *command prompt* in **Troubleshoot****Advanced Options****Command Prompt**.
4. Login with your admin account and type this in the command prompt to start encryption:
```
```powershell
manage-bde -on c: -used
```
5. Close the command prompt and continue booting to regular Windows.
6. Open an admin command prompt and run the following commands:
```
```powershell
manage-bde c: -protectors -add -rp -tpm
manage-bde -protectors -enable c:
manage-bde -protectors -get c: > %UserProfile%\Desktop\BitLocker-Recovery-Key.txt
```
!!! tip
<div class="admonition tip" markdown>
<p class="admonition-title">Tip</p>
Backup `BitLocker-Recovery-Key.txt` on your Desktop to a separate storage device. Loss of this recovery code may result in loss of data.
</div>
</details>
### FileVault
!!! recommendation
<div class="admonition recommendation" markdown>
![FileVault logo](assets/img/encryption-software/filevault.png){ align=right }
@ -149,11 +168,15 @@ BitLocker is [only supported](https://support.microsoft.com/en-us/windows/turn-o
[:octicons-info-16:](https://support.apple.com/guide/mac-help/encrypt-mac-data-with-filevault-mh11785/mac){ .card-link title=Documentation}
</details>
</div>
We recommend storing a local recovery key in a secure place as opposed to using your iCloud account for recovery.
### Linux Unified Key Setup
!!! recommendation
<div class="admonition recommendation" markdown>
![LUKS logo](assets/img/encryption-software/luks.png){ align=right }
@ -163,35 +186,47 @@ We recommend storing a local recovery key in a secure place as opposed to using
[:octicons-info-16:](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home){ .card-link title=Documentation}
[:octicons-code-16:](https://gitlab.com/cryptsetup/cryptsetup/){ .card-link title="Source Code" }
??? example "Creating and opening encrypted containers"
</details>
```
</div>
<details class="example" markdown>
<summary>Creating and opening encrypted containers</summary>
```bash
dd if=/dev/urandom of=/path-to-file bs=1M count=1024 status=progress
sudo cryptsetup luksFormat /path-to-file
```
#### Opening encrypted containers
We recommend opening containers and volumes with `udisksctl` as this uses [Polkit](https://en.wikipedia.org/wiki/Polkit). Most file managers, such as those included with popular desktop environments, can unlock encrypted files. Tools like [udiskie](https://github.com/coldfix/udiskie) can run in the system tray and provide a helpful user interface.
```
```bash
udisksctl loop-setup -f /path-to-file
udisksctl unlock -b /dev/loop0
```
!!! note "Remember to back up volume headers"
</details>
<div class="admonition note" markdown>
<p class="admonition-title">Remember to back up volume headers</p>
We recommend you always [back up your LUKS headers](https://wiki.archlinux.org/title/Dm-crypt/Device_encryption#Backup_and_restore) in case of partial drive failure. This can be done with:
```
```bash
cryptsetup luksHeaderBackup /dev/device --header-backup-file /mnt/backup/file.img
```
</div>
## Command-line
Tools with command-line interfaces are useful for integrating [shell scripts](https://en.wikipedia.org/wiki/Shell_script).
### Kryptor
!!! recommendation
<div class="admonition recommendation" markdown>
![Kryptor logo](assets/img/encryption-software/kryptor.png){ align=right }
@ -203,15 +238,20 @@ Tools with command-line interfaces are useful for integrating [shell scripts](ht
[:octicons-code-16:](https://github.com/samuel-lucas6/Kryptor){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.kryptor.co.uk/#donate){ .card-link title=Contribute }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://www.kryptor.co.uk)
- [:simple-apple: macOS](https://www.kryptor.co.uk)
- [:simple-linux: Linux](https://www.kryptor.co.uk)
</details>
</div>
### Tomb
!!! recommendation
<div class="admonition recommendation" markdown>
![Tomb logo](assets/img/encryption-software/tomb.png){ align=right }
@ -222,13 +262,18 @@ Tools with command-line interfaces are useful for integrating [shell scripts](ht
[:octicons-code-16:](https://github.com/dyne/Tomb){ .card-link title="Source Code" }
[:octicons-heart-16:](https://www.dyne.org/donate){ .card-link title=Contribute }
</details>
</div>
## OpenPGP
OpenPGP is sometimes needed for specific tasks such as digitally signing and encrypting email. PGP has many features and is [complex](https://latacora.micro.blog/2019/07/16/the-pgp-problem.html) as it has been around a long time. For tasks such as signing or encrypting files, we suggest the above options.
When encrypting with PGP, you have the option to configure different options in your `gpg.conf` file. We recommend staying with the standard options specified in the [GnuPG user FAQ](https://www.gnupg.org/faq/gnupg-faq.html#new_user_gpg_conf).
!!! tip "Use future defaults when generating a key"
<div class="admonition tip" markdown>
<p class="admonition-title">Use future defaults when generating a key</p>
When [generating keys](https://www.gnupg.org/gph/en/manual/c14.html) we suggest using the `future-default` command as this will instruct GnuPG use modern cryptography such as [Curve25519](https://en.wikipedia.org/wiki/Curve25519#History) and [Ed25519](https://ed25519.cr.yp.to/):
@ -236,9 +281,11 @@ When encrypting with PGP, you have the option to configure different options in
gpg --quick-gen-key alice@example.com future-default
```
</div>
### GNU Privacy Guard
!!! recommendation
<div class="admonition recommendation" markdown>
![GNU Privacy Guard logo](assets/img/encryption-software/gnupg.svg){ align=right }
@ -249,16 +296,21 @@ When encrypting with PGP, you have the option to configure different options in
[:octicons-info-16:](https://gnupg.org/documentation/index.html){ .card-link title=Documentation}
[:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git){ .card-link title="Source Code" }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
- [:simple-windows11: Windows](https://gpg4win.org/download.html)
- [:simple-apple: macOS](https://gpgtools.org)
- [:simple-linux: Linux](https://gnupg.org/download/index.html#binary)
</details>
</div>
### GPG4win
!!! recommendation
<div class="admonition recommendation" markdown>
![GPG4win logo](assets/img/encryption-software/gpg4win.svg){ align=right }
@ -270,17 +322,25 @@ When encrypting with PGP, you have the option to configure different options in
[:octicons-code-16:](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gpg4win.git;a=summary){ .card-link title="Source Code" }
[:octicons-heart-16:](https://gpg4win.org/donate.html){ .card-link title=Contribute }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-windows11: Windows](https://gpg4win.org/download.html)
</details>
</div>
### GPG Suite
!!! note
<div class="admonition note" markdown>
<p class="admonition-title">Note</p>
We suggest [Canary Mail](email-clients.md#canary-mail) for using PGP with email on iOS devices.
!!! recommendation
</div>
<div class="admonition recommendation" markdown>
![GPG Suite logo](assets/img/encryption-software/gpgsuite.png){ align=right }
@ -293,13 +353,18 @@ When encrypting with PGP, you have the option to configure different options in
[:octicons-info-16:](https://gpgtools.tenderapp.com/kb){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/GPGTools){ .card-link title="Source Code" }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-apple: macOS](https://gpgtools.org)
</details>
</div>
### OpenKeychain
!!! recommendation
<div class="admonition recommendation" markdown>
![OpenKeychain logo](assets/img/encryption-software/openkeychain.svg){ align=right }
@ -310,18 +375,26 @@ When encrypting with PGP, you have the option to configure different options in
[:octicons-info-16:](https://www.openkeychain.org/faq/){ .card-link title=Documentation}
[:octicons-code-16:](https://github.com/open-keychain/open-keychain){ .card-link title="Source Code" }
??? downloads
<details class="downloads" markdown>
<summary>Downloads</summary>
- [:simple-googleplay: Google Play](https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain)
</details>
</div>
## Criteria
**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
!!! example "This section is new"
<div class="admonition example" markdown>
<p class="admonition-title">This section is new</p>
We are working on establishing defined criteria for every section of our site, and this may be subject to change. If you have any questions about our criteria, please [ask on our forum](https://discuss.privacyguides.net/latest) and don't assume we didn't consider something when making our recommendations if it is not listed here. There are many factors considered and discussed when we recommend a project, and documenting every single one is a work-in-progress.
</div>
### Minimum Qualifications
- Cross-platform encryption apps must be open source.