Encryption in FS/OSS

Global Encryption Day - Highlighting Some Free Software / Open Source Contributions

Published on: 24/10/2022
Last update: 03/11/2022

With Global Encryption Day taking place last week, now is a good time to highlight the role free software / open source has played in making encryption available and verifiable. Below is just a selection from many important projects.

GNU Privacy Guard (GnuPG) provides public-key encryption, among other things. Public-key encryption means each user has a public and a private "key". The public key, which can be shared, contains information on how to encrypt data. The private key, which is kept private, is able to decrypt anything that has been encrypted with the matching public key. This technique was made popular by a tool called PGP ("Pretty Good Privacy") in 1991. The GNU Project wanted to produce a free software / open source tool for this task, but US export restrictions on cryptographic software meant that this software couldn't be developed in the USA and exported. So the GNU Project's work was done in Germany, with some parts initially funded by the German government.

HTTPS Everywhere is a web-browser extension that recognises websites which are available both encrypted (HTTPS) and non-encrypted (HTTP), and automatically moves the user to the encrypted version. This extension was first published in 2014 and improved privacy for many years, but HTTPS is now standard and the extension is expected to be retired later in 2022.

Dm-crypt and LUKS allow for encrypting an entire disk. These tools, published in 2004 and 2005, allow users to implement data-at-rest encryption with decryption on-the-fly. This means data is automatically encrypted when written to the disk, and is only decrypted whenever it is being read (and this requires authentication). A user of the computer will not have to think about encrypting the data, but if a disk goes missing or is stolen, they have the assurance that all the data is encrypted. These tools are also very useful for USB sticks and other portable data storage devices that sometimes go missing. Another project for related tasks is VeraCrypt.

Finally, a project worth mentioning is OpenSSL, and also the similar GnuTLS project. These projects are completely unknown to most users because they work behind the scenes, but they are the pieces of code that allow us to perform encryption over networks, such as the internet.

But encryption and free software / open source are not always in alignment. Many were surprised in 2019 when the World Wide Web Consortium (W3C) gave approval for Encrypted Media Extensions. With this, websites can make their content require specific software, which usually excludes free software / open source. Some packages, such as Mozilla Firefox, include some non-free, closed source software because it's the only way to make these extensions work.