What do you use for encrypting your personal stuff?

VeraCrypt.

The VeraCrypt FAQ addresses your concern: https://www.veracrypt.fr/en/FAQ.html

Direct link to audit: https://blog.quarkslab.com/security-assessment-of-veracrypt-...

I'm not convinced that whole-disk encryption is sensible for most threat models, but I use the built-in FileVault on macOS (under the reasoning that, at the very least, it can't really hurt).

On Linux, I use age[1] (specifically, rage[2]) to encrypt sensitive files. I wrote a secret manager that uses the latter as an encryption backend[3], and I use `rage-mount` to mount (read-only) views of encrypted archives.

[1]: https://github.com/FiloSottile/age

[2]: https://github.com/str4d/rage

[3]: https://github.com/woodruffw/kbs2

LUKS is the de facto disk encryption in Linux. For file system encryption, use fscrypt and ZFS native encryption. For backups, use restic or Borg. For encrypted synchronization, use cryptomator, gocryptfs or rclone. File encryption is rarely needed anymore, but GPG works fine for that.

Depends what you want to encrypt.

I gave up. Old PCs used to die and I could just take the disk and put into a new box and copy what I could. I encrypted a disk and ended up losing everything on there (except photos which were backed up). I realized I really dont have anyhthing worth stealing. I keep tax returns on a usb stick, with a paper copy backed up.

Encrypted sparse bundle disk images on macOS if I want something individually encrypted. Built-in full disk encryption too. No extra software needed.

On Linux, there's LUKS as mentioned already.

VeraCrypt and Bitlocker have already been mentioned, so in case they don't cover your use case, take a look at Cryptomator.

You can have an encrypted folder, put it on Google Drive and then decrypt it from any of your devices. Even iOS will support it natively once you do the setup with the Cryptomator app.

I'm working on this at the moment. Currently I'm using Bitlocker on a virtual disk. I'm going to test using Keypass to unlock it soon (which in turn unlocks at the beginning of the session with a long passphrase, but unlocks after that with Windows Hello face recognition). I've identified some potentially sensitive data could be in session logs or screenshots, so I've set up the default location for my logging and screenshot apps to be in the Bitlocker virtual disk. In the case of logs, I was already syncing them between machines using Syncthing, so I'm now syncing between encrypted volumes. I'm not syncing the screenshots, but I am also implementing encyrpted backups, so I'll probably include the screenshots folders.

Meanwhile, I've realised that my scanned receipts should also be encrypted, so I'll probably use a similar sync-between-encrypted-virtual-disks process with them. Unfortunately my first virtual disk is too small and I haven't yet checked how easy it will be to expand.

I'm mostly Windows, so I only really have to solve for that. Fortunately, Keepass is cross-platform (even works on my Pine Phone, along with Syncthing - same for my Android tablet, but my iPhone is trickier), so if I want to expand this to my Linux or Mac laptops it's not hard.

I was trying to solve saving authenticator seeds (which is something I regred not doing up to this point) securely outside of my main password manager. That was using an obscure archiver with a password protection option. This turned out to be way to clumsy to be practical. For small stuff like that, It's going in the password manager database for now.

Always the first question is: what's your threat model?

For personal stuff, I can't do much about sophisticated attackers, pretty much only about random physical thieves who mostly just want the hardware.

Most likely scenario involving encryption: a laptop is lost/stolen, and some random thief/fence/buyer snoops around the drive to see if there's anything worth stealing. There isn't, but I'd feel violated to have some thief sifting through my personal stuff.

So, on laptops, I just use Linux LUKS.

On my custom Coreboot laptops, I have even the boot partition encrypted for LUKS, which seemed like a good idea at the time (I was peeved about Intel ME, and on a roll), but it's overkill for the random laptop thief threat. It also means I can't just move the drive to a system that doesn't have Coreboot with that feature set up.

Also, in general, try not to deny yourself access to your own data when you need it, in the process of denying it to others.

Cryptomator for cloud-based storage, as it allows my to encrypt each files inside the vilolume separately, which makes it much more bandwidth friendly to desktop synchronization software.

TrueCrypt still works and doesn't have any known vulnerabilities afaik. For low-risk files I also sometimes use WinRAR, which according to the docs should have ok encryption (AES-256). Curious for other suggestions too.

LUKS on linux works great. Restic can encrypt your backups before they go into whatever cloud will store it the cheapest.

Built-in macOS FileVault, then for individual files use scrypt[1] by the amazing cpercival.

[1] https://www.tarsnap.com/scrypt.html

It sounds like you're running Windows?

On Windows I just use the built-in Bitlocker encryption.

It is a bit annoying understanding what this means between Windows Home and Pro editions though.

On Home, it's not technically 'Bitlocker' - it's Device Encryption - hit Windows key & type 'device encryption' - if you see 'Device Encryption Settings', you should have it available. If you do not, it's probably not available on your device e.g. maybe you don't have a TPM, although I've had Windows machines that showed it as not available but then I was able to get it running with a bit of messing around and registry hacking.

It is still Bitlocker under the hood, but it's missing some features. You can get some of them by logging into your machine with a Microsoft account, but if you're running a local account (like I am) you get a more budget experience (e.g. I don't think there's an easy way to get the Bitlocker encryption key or have it backed up online).

If you only want to run local accounts, the easier and probably safer solution is to shell out for Windows Pro and take advantage of the full Bitlocker experience.

For small one-off encryption use cases (i.e. encrypt a single file) I use age: https://github.com/filosottile/age

Especially convenient when you need to transmit the file over some untrusted medium like email, or if you just want to dump it in some cloud storage service and not worry about potential snooping.

I wasn’t satisfied with the options available, so I wrote my own: https://github.com/netheril96/securefs. It has authenticated encryption, highest quality of password stretching, and works on both Unix-like and Windows.

Bit rot. If my backups aren’t redundant and I don’t care to access something for long enough, it eventually becomes inaccessible to others.

Full-disk encryption from your OS vendor (FileVault, LUKS, whatever windows does) will accelerate this process.

For encrypting files, I use AEScrypt[1]. Cross platform, simple to use, and easy to audit.

[1]: https://www.aescrypt.com/

I use what ever full disk encryption software comes with the os. That might not be enough to prevent law enforcement but my main concern is some one stealing my laptop or needing to send it for repairs which both seem much more likely than law enforcement taking my stuff.

I use keepassxc to keep all my sensitive information and syncthing to keep it synchronised between all my devices. Having it across all my devices is super handy and provides redundancy.

Built-in full-disk-encryption for MacOS and Windows. Most of my linux servers would be a pain to have to unlock every time they boot, but I do use LUKS on ones with sensitive data.

On my home nas, I'm still using GELI-encrypted zfs/zpools. I need to migrate it to a new zfs native encryption.

All of my backups get encrypted by restic before being uploaded.

For one-off files or things I want to share encrypted with someone, I'd use gpg.

I use Bitlocker on my laptop but haven't really looked into encrypting things on my desktops in a long time (I used BestCrypt back in college when I was living in a dorm and had my PC in a shared space).

What is the attack surface you're trying to hedge against? Are you afraid of someone gaining physical access to the device and ripping out the hard drive?

On Linux: LUKS. On FreeBSD: GELI. On Mac: FileVault. On windows I guess I would use bitlocker though I rarely need it there.

So basically I use the default encryption. When I need to move stuff from one computer to another I encrypt the files individually with GPG (using openPGP keys on smartcard or yubikey)

Seafile's library encryption on a VPS. Borg backup of local photos encrypted to said VPS.

Generally zfs native encryption these days (as well as native encryption in macos and windows).

I would trim down what you need encrypted and store it in a password manager (some even handle attachments).

For individual files I would just use WinZip AES encryption which is very portable and atomic (so bit rot only impacts that single file no the fs).

I use dmcrypt with luks since ~2011. This was not common when I was starting to use this, but being part of Arch Linux community helps a lot. Especially back in the time everyone was eager to share opinions and how-to hints...

TrueCrypt died a developer burn-out death a long, long time ago.

FreeBSD, Linux, macOS, Windows: VeraCrypt -> (whatever)

FreeBSD: geli

Linux: XFS -> LVM2 -> LUKSv2 (dm-crypt +? dm-integrity) -> dm-raid (RAID 10) -> (lots of spinning rust)

macOS: FileVault 2

Windows: BitLocker

I like Gocryptfs. Easy to see and reason about that it is working.

I use a custom implementation of rot13 I implemented in Rust

zipcrypto...jk

I would always be hesitant to disclose what type of crypto you are using, unless I guess you have nothing important. I think veracrypt, 7zip, openssl are good. Probably anything that has been recently audited. Just make sure you are offline when decrypting or encrypting or else it may defeat the purpose.

rvault for small documents: https://github.com/rmind/rvault

It uses envelope encryption with one-time password (OTP) authentication. I like to store data on the systems I own and just run backups regularly.

I don't use full disk encryption, but for individual files I use sops backed by gpg.

All the default options. BitLocker on Windows, FileVault 2 on macOS and LUKS on Linux.

LUKS for my main drive. VeraCrypt for everything else.