
DiskCryptor: Full disk encryption product overview

Expert Karen Scarfone examines the features of DiskCryptor, an open source full disk encryption product for securing client-side computers and servers.

This is part of a series on the top full disk encryption products and tools in the market. For more, check out our FDE product roundup.

DiskCryptor is an open source full disk encryption (FDE) product that is designed to protect hard drives on a variety of Windows operating systems (OSes) for desktops, laptops and servers.

FDE involves encrypting the entire hard drive of a system so that before the system is booted -- including when the system is off -- an attacker cannot recover sensitive data from that hard drive. When the system is booted, the user authenticates, and the drive is then decrypted to allow the boot process to continue.

Product versions and platform support

The current version of DiskCryptor, 1.1.846.118, is supported by the following versions of Windows: Windows 8 and 8.1, Windows 7, Windows Vista, Windows XP, Windows Server 2012, Windows Server 2008 and Windows Server 2003.

In addition, Windows 2000 is supported by DiskCryptor version 0.9 and earlier.

Encryption and authentication support

DiskCryptor supports several encryption algorithms, including Advanced Encryption Standard (AES) with 256-bit keys. AES 256 is generally recommended because of its strength, but administrators do have the ability to use other encryption algorithms if desired.

DiskCryptor's cryptographic implementations are not Federal Information Processing Standard (FIPS) 140-2-certified. This does not mean that the implementations are flawed, but rather that the software has not gone through formal independent testing to verify that it avoids common vulnerabilities in its cryptographic modules. This is common with open source software because of the financial resources needed to gain FIPS 140-2 certification.

The DiskCryptor documentation discusses only passwords as an authentication mechanism. Support for multifactor authentication, and for forms of authentication other than passwords, is not provided.

DiskCryptor does not provide any sort of key recovery option either; the ability to decrypt the hard drive is solely dependent on the user remembering the DiskCryptor password.

Hardware and multiboot support

What distinguishes DiskCryptor from other FDE products is its support for complex hardware configurations. DiskCryptor can support a redundant array of independent disks (RAID), which uses multiple hard drives within a system to provide redundancy, add hard drive space and otherwise improve storage performance.

DiskCryptor also provides a wide range of configurable options related to boot loading. For example, a multiboot system -- a system with multiple OS instances installed -- can be configured to boot a particular OS partition or to allow the user to choose which partition is booted.

More complex security decisions can be made as well, such as booting an unencrypted "honeypot" OS instance if authentication is unsuccessful.

Management and licensing

DiskCryptor is intended for local management only. There are no known third-party centralized management tools to enhance DiskCryptor's capabilities.

DiskCryptor is made available under a free GPL license.

DiskCryptor best for small enterprises

DiskCryptor is best suited for individuals and users of one-off Windows systems within small enterprises where users are fully responsible for the security of their own systems.

It offers support for legacy Windows platforms that commercial products and the Microsoft BitLocker function do not provide. It also offers support for complex hard drive arrangements and multiboot configurations that other FDE solutions simply do not provide.

DiskCryptor lacks the centralized management capabilities needed for most enterprise deployments, but for individual Windows systems that can be managed locally, it is a viable FDE product.


This was last published in April 2015
