Wanted: Cryptography Products for Worldwide Survey

In 1999, Lance Hoffman, David Balenson, and others published a survey of non-US cryptographic products. The point of the survey was to illustrate that there was a robust international market in these products, and that US-only export restrictions on strong encryption did nothing to prevent its adoption and everything to disadvantage US corporations. This was an important contribution during the First Crypto War, and Hoffman testified before a Senate committee on his findings.

I want to redo that survey for 2015.

Here, at the beginning of the Second Crypto War, we again need to understand which encryption products are outside the reach of US regulation (or UK regulation). Are there so many foreign crypto products that any regulation by only one country will be easily circumvented? Or has the industry consolidated around only a few products made by only a few countries, so that effective regulation of strong encryption is possible? What are the possibilities for encrypted communication and data storage? I honestly don’t know the answer—and I think it’s important to find out.

To that end, I am asking for help. Please respond in the comments with the names—and URLs—of non-US encryption software and hardware products. I am only interested in those useful for protecting communications and data storage. I don’t care about encrypting financial transactions, or anything of that sort.

Thank you for your help. And please forward this blog post to anyone else who might help.

EDITED TO ADD: Thinking about it more, I want to compile a list of domestic (U.S.) encryption products as well. Since right now the FBI seems intent on just pressuring the big companies like Apple and Microsoft, and not regulating cryptography in general, knowing what else is out there in the U.S. will be useful.

Posted on September 11, 2015 at 2:08 PM253 Comments


Zoot September 11, 2015 2:42 PM

It’s not always totally clear what non-US means.


AFAIK, Linus works in the US nowadays, but I’m not sure that makes LUKS a US tech.

Stephen Smoogen September 11, 2015 3:07 PM

Hello Mr Schneier, I believe an updated survey is needed but I think that a lot of the worlds inter-connectedness has made it so that it needs to be more nuanced to answer the questions you posit in the second part.

First, what does it mean to be by a cryptography product? If the products are built around the world, but they all use an implementation of AES is that consolidation or seperation?

Second, nearly every country has some sort of regulation on cryptography somewhere on its books. So it isn’t just US, UK but France, Germany, Russia, China, Australia, Italy, etc etc etc. You can put down XYZ is written in the EU but that completely doesn’t cover the various controls which may be in place on it. Then there are the bilateral trade agreements and such which may have the effect of law without being called a law. [This is usually how a country can tell its citizens “We do not have a law against XYZ” but still crack down using “We have a bilateral agreement with the US.”]

I don’t mean this to come across as nitpicking.. it is more that I am thinking that the questions you are wanting to answer in paragraph two need more details than just the name of products. [What does the product use for encryption, where is its implementation coming from, etc etc.]

John Steinman September 11, 2015 3:13 PM

I can recommend BestCrypt from Jetico, a Finnish company. Even tough you called Jetico an “obscure” company they are around since 1995. They publish the source code on their website. You can choose between a varieties of algorithms. They do not have a backdoor. I use BestCrypt since Win XP (when I had to stop using E4M). Their customer support is very helpful and they try to find solutions even if you have a particular problem. The container encryption is extremely reliable: even if your machine crashes, the container still is o.k. I got containers on my memory stick. And the best is: All new releases are fully backwards compatible.


A word of warning: Western German encryption software must incorporate a backdoor. That’s the law. In the early 90s, a Western Berlin company stopped selling their encryption product for that reason. The same probably also goes for France and the U.K., even tough I am not sure.

John Steinman September 11, 2015 3:22 PM

“a robust international market”: A funny survey.

Brokat Infosystems AG, GERMANY ==> declared insolvency
Data Fellows Ltd., FINLAND ==> is now F-Secure (Anti virus software)
Seguridata Privada S.A. de C.V., MEXICO ==> I do not speak mexican
Sophos Plc., UK ==> British…
Utimaco Safeware AG, GERMANY ==> has been hacked in the past!!!

John Steinman September 11, 2015 3:25 PM

@Raymond Johansen: Protonmail.ch. That company does not comply with the country’s data retention law, hence in my opinion it operates outside the legal system. Anyway, it is an e-mail service only.

renke September 11, 2015 3:30 PM

@John Steinman

“A word of warning: Western German encryption software must incorporate a backdoor. That’s the law.”

a) Can you point us to the law in question? I never heard of such a thing.
b) You’re aware “Western” Germany is not a useful designation anymore?

Ocmer September 11, 2015 3:34 PM

There is a company called cryptas in Vienna, Austria that does solution development but also has an online shop. Amongst the products they sell is a selection of cryptographic smart cards, including the OpenPGP card, made in Germany.

@John Steinman: do you have a reference to that supposed German law? It seems at odds with the idea of SuSE, a fairly significant Linux vendor operating out of Nuremberg, supplying crypto software like OpenSSH/SSL and LUKS. Last time I looked these did not appear to contain a government-blessed backdoor.

John Steinman September 11, 2015 3:35 PM

@Daniel, @renke: Sorry, am not Western German citizen. Best thing probably is to discuss that with a lawyer from that country. Sorry.

Alien Jerky September 11, 2015 3:48 PM

I am working on, for the past year and half, my own idea of crypto. Test, Modify, Test, Modify,…. I am located in the Unified Secrets of All(USA in-case you did not catch that).

Given the rules of http://www.bis.doc.gov/index.php/policy-guidance/encryption

I wonder… As I have not disclosed what or how I am doing in my crypto process to anyone; If I were to contact a company outside the US, and make a business relationship with them, where they market my product for me. Does it still fall under the rules of BIS?

Winter September 11, 2015 3:51 PM

“Let’s not forget Truecrypt….it still works….location, unknown.”

Better still, the code of Truecrypt is out and is (being) audited. There are already documented FLOSS forks around.

Even if the rumors are true and Truecrypt can be broken, new variants are easily made and require time consuming reanalysis.

Bruce Schneier September 11, 2015 3:57 PM

“Hello Mr Schneier, I believe an updated survey is needed but I think that a lot of the worlds inter-connectedness has made it so that it needs to be more nuanced to answer the questions you posit in the second part.”

I think you’re right.

At this point, I don’t know what information the survey is going to capture. Right now I want to get started on listing the products. It’ll be suggestions like yours the help shape what the survey will cover.

So thank you.

Jacob September 11, 2015 4:10 PM


Please keep in mind that it is not enough to designate the geolocation of the program – if any of the developers is a US person, then he/she is subject to US jurisdiction.

John Steinman September 11, 2015 4:15 PM

Dear Mr Schneier: I do think indeed that there is a consolidation process going on in the encryption business. A lot of companies went out of business, encryption software from the Five Eyes and the EU should be avoided. There are also a lot of new companies where you do not know how long they will stay in business. After all, you want your encryption software to work for some 10 / 20 years. Compiling a new list will be quite tricky. I would, however, be quite interested whether there are encryption companies located in Singapore or in Taiwan (Republic of China).

Jacob September 11, 2015 4:19 PM

Another point to keep in mind:

Any reasonable programmer in the world can produce a simple text-encrypting program using any of the available GPL encryption code in a couple of days (e.g. https://www.schneier.com/blowfish-download.html)

We don’t hear much about those, since there is no incentive to produce. However, if the FBI puts its foot in the door, now there is an incentive…

Gerhard September 11, 2015 4:20 PM

@John Steinman: there is no such law in Germany. I’m working for https://www.genua.de/en.html and we sell many of our products to government agencies. Do you think they’d be happy using products with a backdoor installed? They even require third party certification for our software.

Maybe you meant lawful interception? But that doesn’t apply to Germany solely and has nothing to do with encryption.

John Steinman September 11, 2015 4:21 PM

@Winter: I totally agree. The TC forks are not that useful, since – in theory – they also should be audited. And let us not forget how long it took “them” to complete the TC audit. You made an excellent and often overlooked point.

Jonathan Wilson September 11, 2015 4:28 PM

The biggest change has been the rise of open source software.
Its much harder to install backdoors in open source software and there can be so many versions maintained by so many people that its impossible to get them all.

Plus if someone does get a backdoor into a piece of open source software, someone else (in a country less hostile to encryption most likely) will just fork it and remove the backdoor.

Ben September 11, 2015 4:50 PM

Arq has worked well for me as a zero-knowledge backup tool – I’ve been using it since Steve Gibson recommended it a couple years ago on his podcast. It’s US-based but they publish their data format which (albeit to my amateur eye) looks legit, plus an open source recovery client – https://www.arqbackup.com and https://www.arqbackup.com/s3_data_format.txt

Perhaps BoxCryptor is also worth a look. I’ve been using it for a while although there was something about the newer version that just didn’t smell right to me… it required contact with the server more often than I was comfortable with. German-based. https://www.boxcryptor.com/en

Last, I’ve been interested in Syncany. It’s an alpha, and I can’t find much about the way they secure data, so I don’t trust it yet. Still, maybe it’s interesting. Not sure about location.

Hope this helps!

John Steinman September 11, 2015 5:27 PM

Avoid software from Switzerland, above all the alternative TOR project (Hornet) developed by the ETH Zurich (Polytech). The ETH hosts the Forensic Institute of the Zurich County Police (KaPo) which in turn illegaly procured the Hacking Team software.

John Steinman September 11, 2015 5:30 PM

@Gerhard: I definitely talk about the backdoor. Perhaps you can discuss that with the gents from Pullnach?

Jacob September 11, 2015 6:03 PM

@ John Steinman

Re Jetico’s “They publish the source code on their website. You can choose between a varieties of algorithms. They do not have a backdoor”:

They publish the source code only for the encryption module – not for the whole software. It is helpful to check against programming errors in that module, but useless from trust-the-software POV.

And you state that they don’t have a backdoor. How do you know? unless you analyzed and reviewed the whole source code (which you can’t do unless you work at Jetico), and had a proof that the distributed binaries were compiled from the reviewed source, you can’t make a claim that there is no backdoor.

Re mandatory backdoor in German software: gnuPG is German. Being a reviewed open source project, and used by well known cryptographers for their own messaging, I doubt that it has a backdoor.

Spaceman Spiff September 11, 2015 6:04 PM

If the US were to force encryption backdoors on US products, the first thing that would happen is that these companies would move overseas to countries not so idiotic, along with all of their software and hardware development, and that includes the millions of high paying US tech jobs that go with that. Yeah. Let’s just nuke the Silicon Valley, LA, SF, Seattle, Chicago, Boston, … and be done with it!

Anon September 11, 2015 6:06 PM

Post-quantum public key cryptography tool just like GPG, fully developed and ready for real world use. I’ve been using it for months now.

I’m not affiliated, just love this thing and wish more people used it.


It uses only quantum-computer-resistant algorithms:
– McEliece cryptosystem (compact quasi-dyadic variant) for encryption
– Hash-based Merkle tree algorithm (FMTSeq variant) for digital signatures

Sancho_P September 11, 2015 6:20 PM

Also my question(s):
– To name applications or encryption principles?
– proprietary and / or open source?
– All OS?
– Work in progress?

Encrypted (file) backup:

(I use) Duplicati (Denmark?) http://www.duplicati.com

There are more, e.g: https://en.wikipedia.org/wiki/Comparison_of_backup_software

To start the messaging section:

Interesting project:
Tinfoil Chat (TFC) using OTP, from Markus Otella, Finland

Top collection:

rgaff September 11, 2015 6:25 PM

OMG the world is hemorrhaging crypto everywhere… it’s like counting the sand of the sea or the stars of the heavens…. seriously. Limiting crypto with dumb laws is like mandating that the sun stay up/down a certain number of hours in a day, it just doesn’t work that way, though you’re welcome to try such a foolish errand…

rgaff September 11, 2015 6:49 PM

All web browsers and web servers contain crypto… while there may be under half a dozen really popular ones, there are many many dozens of them total… maybe even hundreds..

Likewise there may be half a dozen uber popular crypto libraries, but there are nearly uncountable re-implementations in so many languages (some are recompilations of others, some are not)… heck I’ve even done that myself, taking a Java one and converting it to run under JavaScript (which is a completely separate language despite the unfortunate naming)…

Thoth September 11, 2015 6:54 PM

Crypto AG is a military and Govt supplier of crypto hardware. I don’t think civilians can simply walk in to buy the products unless you proof you are a Govt agency representative with directives from your Govt to purchase the Crypto AG products.

@Bruce Schneier
You mentioned you don’t want financial encryption stuff but the fact is the dual use nature of so many crypto products. One day a developer develops a crypto program for privacy and security and next day the big banks uses it for their internal security.

I have worked with big banks as part of my assignment and I can assure you that the big banks do use at least a few open source crypto products. Just to name one that corporates (cannot name my customers specifically) are using includes Truecrypt 7.1a and earlier. Open Source crypto programs like OpenSSL, OpenSSH, Bouncy Castle crypto library and many more.

We know that SSH Corp (founder of SSH protocol) sells his version of SSH called Tectia used by my financial and even individuals.

Next, we can do PGP via smartcard in the OpenPGP card form. In fact, many of the Yubikeys have support to load the JavaCard version of the OpenPGP card applet into the Yubikeys.

In general smartcards are frequently found in banking and secure entry scenario but they can be loaded to be of any nature from secure code execution to crypto. These smartcards are cheaply available.


Arthur September 11, 2015 7:05 PM

I don’t think civilians can simply walk in to buy the products …

Yes you can.
Private company (banks) use their products.
No problem Mr Thoth.

TascoBlossom September 11, 2015 7:12 PM

ANYTHING claimed to be quantum-safe or quantum-resistant I would not touch with a ten-foot pole.

Yiu September 11, 2015 7:12 PM

@John Steinman

Your argument for avoiding Hornet is that the same Institute hosts a group that works with a police agency that procured Hacking Team software?

That’s a pretty weak guilt-by-sorta-kinda-association claim. Certainly not enough to merit on its own the rejection of Hornet.

Otp September 11, 2015 7:30 PM

One time pad based on random numbers generated by human coin flips. Stop depending on numbers continuing to be difficult to factor.

Thoth September 11, 2015 8:22 PM


Go to know it’s less restrictive than I thought. Are the customers given a fixed range of products they can buy (e.g. restrict sales of HC-2605, HC, 2650, SECOS, HC-2203, HC-7550… to non-military groups) ?

Bruce Schneier September 11, 2015 8:48 PM

“Please keep in mind that it is not enough to designate the geolocation of the program – if any of the developers is a US person, then he/she is subject to US jurisdiction.”

Yes, but I’m not sure the company is. And I’m certain that the US cannot demand that a — for example — Swiss company redesign their encryption system to allow for third-party access just because they’ve hired a single American programmer.

Bruce Schneier September 11, 2015 8:50 PM

“I would, however, be quite interested whether there are encryption companies located in Singapore or in Taiwan (Republic of China).”


I am honestly curious what will come out of this survey.

rgaff September 11, 2015 10:05 PM


The way git works, every developer worldwide has a full local backup of the complete code repository…

rgaff September 11, 2015 10:09 PM


And if such a law were enacted, due to the open source nature of github, I’m sure it would move overseas in a heartbeat if needed… along with lots of other things…

If the USA really wants to make all its best talent leave the country overnight… it really can do so…

i58fj390t7y2jt September 11, 2015 11:05 PM

Made by AgileBits, a Canadian company:
1Password (password manager)
Knox (disk encryption)

Made by Apple, a US company:
FileVault (disk encryption)
iMessage (instant messenger)
FaceTime (video chat)
Keychain (password manager)

Free/open source software developed by many international people, which may be hard to attribute to any one country and therefore hard to regulate:
TAILS (live OS)
KeePassX (password manager)

Made by Microsoft, a US company:
BitLocker (disk encryption)

Made by Open Whisper Systems, a US company:
Signal (encrypted phone/instant messenger)

Made by the Tor Project, a US organization:
Tor (tor proxy)
Tor Browser (web browser)

EndCryptor September 11, 2015 11:10 PM



An end-to-end email encryption program that protects old emails if current encryption keys are revealed (this is Perfect Forward Security). Also recovers from this by always including new receiver specific short term public keys in encrypted emails. A Finnish product.

Alien Jerky September 11, 2015 11:42 PM

The list so far in alphabetical order


Thoth September 11, 2015 11:54 PM

@John Steinman
There are crypto-security companies everywhere. One good example is the HSM and smartcard market.

Yes, Singapore does have companies with crypto software and hardware. Most hardware are either System Integrators or resellers. ASEAN, China, Hong Kong, Taiwan, Japan, S.Korea and even Mongolia have presence of Defence and Security firms and they do sell HSMs like Utimaco, Thales, Safenet and more…

Alexander Korff September 12, 2015 12:29 AM

Telegram- encrypted message service – Russian person managed not sure where located

Tutanova – encrypted email provider (Germany I think)

SpiderOak – zero knowledge but U.S. Based

Nick P September 12, 2015 12:54 AM

@ Bruce Schneier

I think, as lay people might read it, the simplest route is to show or categorize by the following information: company; product/software/hardware; what product does w/ any applicable crypto/anonymity details; country; open-source.

A company or FOSS group might have many offerings plus someone might be more concerned with how many companies are pushing crypto in general or a specific type. The product details will let the report site the wide range of functionality that is protected. These should minimally include email, instant messaging, individual files, disks, transport-layer security, streaming audio/video, radio/wireless, web sites/apps, stego for any of these, and anonymity for any of these. Legitimate and criminal users could leverage any of these to protect their activities.

Country is next part and deserves its own paragraph. The country surely tells us whose jurisdiction the product is in if the organization is founded there with controlling members and assets there. However, it also tells likely influence by various countries through their overt (eg this) and covert partnerships. The crypto laws of the individual country should also be considered. Someone might make all of this a supplement linked to the country names. The last important point here is that some government are stronger and more independent of U.S. influence than others. People can factor that in.

Finally, whether proprietary or open-source is important. Proprietary might assumed to be subverted to some degree. The lawmakers might even expect this for certain products in their jurisdiction. So, the existence of open-source tools in various countries becomes important for same reason as during PGP’s time period: easy copying by anyone, anywhere. The source might be proprietary or FOSS. Doesn’t matter as criminals would steal a good one either way. Even better if it’s open source and a defence contractor of a country leverages it in stuff they use. Makes it harder to kill off. I believe this is something that helps the Tor project.

So, these factors are the most important for an analysis similar to what was done before. They allow you to go from a very high-level (“2,000+ products in 80 nations!”) to making very specific points (“many open-source products appearing in hard-to-influence countries”) that help in various aspects of the debate. In each case, you’ll be able to pull up relevant information about the product, what it accomplishes, where it is, what effect that has, and whether it’s easy to copy/clone due to open-source.

Chris September 12, 2015 1:12 AM

To whoever wrote in Crypto AG, that is funny.

LibreSSL and OpenSSH were already pointed out. These are OpenBSD projects.

OpenBSD infrastructure is much the same, where all crypto development has been performed outside of the United States as to not encumber users who may also be subject to US jurisdiction, directly or even by treaty.

While most other open source BSD and Linux projects compromise on this point, OpenBSD’s choice stands the test of time. Once again people are wondering about alternatives to US born crypto (subject to current and future aggressive government regulation). The US sets a bad example for the world by systematically subverting civilian cryptography.

This also means that a widely used, freely available cryptography implementation that is from a US company, group or individual has to be avoided. It limits the coding task to those outside of the US jurisdiction.

Arne Babenhauserheide September 12, 2015 2:54 AM

Freenet is still progressing nicely, and it’s developed by a team from several countries (less than a third of the devs are from the US).

It provides mostly invisible email with perfect forward security, anonymous forums, microblogging and publishing without a server (see social Freenet) and recently received the SUMA award for protectin against total surveillance. With an inproxy like the one used to link to the social Freenet site, you get all the benefits of decentralized hosting.

Cassandra September 12, 2015 5:08 AM

Most of the entries being suggested are software, but I would suugest that Bruce also needs examples of encryption hardware developed outside the USA/5-eyes jurisdictions (or possibly even the 14-eyes + Singapore, Japan and South Korea [ https://en.wikipedia.org/wiki/Five_Eyes#Future_enlargement ].

As it is, we know that some hard-disk firmware is compromised. Mobile phone modem chips are compromised. The ‘Trusted Computing Platform’ and Intel’s built-in remote hardware management capabilities (which work ‘under the radar’ of any OS’) mean that many common computing platforms are compromised.

There are small groups aiming at building verified hardware from the ground up, but they don’t have a lot of resources.

Note that Chinese, Indian, or Russian orginated hardware is likely to have had the attention of the relevant country’s security services. If you are aiming at finding uncompromised hardware, I think you will have a long search.

Arthur September 12, 2015 6:25 AM

@ Thoth

According to the laws of the foreign country. (if the buyer is not in Switzerland).
Crypto AG is not a government company.


Knowing that Switzerland is not United States, people importing Crypto AG products in United States for example has to be conform to their Orwellian , old soviet style laws, That’s for sure. (same for North Korea)

This is why you see products like protonmail (open source) with US employees working on it in Switzerland, (most of their clients are US person who learn a lot from E.Snowden and the practices of their own country).


TJ Williams September 12, 2015 7:56 AM

@cassandra: agree, HW crypto vendors should be listed, some of them having many products

Italy: Selex, Telsy
Germany: Rode & Schwartz, Secunet, Atmedia, Nitrokey, Gieseke & Devrient
Netherlands: Fox-IT, Philips
Norway: Thales, Konsberg
Sweden: Ericsson (TBC)
UK: Airbus, Ultra, iStorage, Integral, ViaSat (may be US based), BeCrypt, CellCrypt, Sepura
France: Thales, Atos/Bull, Gemalto, Oberthur, Ercom, CSSI
Spain: SecomData, RealSec

Also: Cypherix (looks US but not too sure)

Not comprehensive anyway.

deLaBoetie September 12, 2015 9:15 AM

https://yubico.com – as mentioned above does certificate keys for pgp in the neo variants, and also an HSM. But it also does, in low-cost hardware usb fobs (no battery), various OTP and an HMAC/SHA1 responder. As well, it has an implementation of Fido U2F. Yubico is Swedish, but also influenced by US offices/market.

Clearly, the Fido U2F is a global standards body publishing specifications and some sample implementations (including some provided by Google).

Password Safe – is that OK Bruce?!

LassPass (US) https://lastpass.com

One aspect of the survey that is interesting is the scale of products/solutions that rely on published crypto pseudo-code that could easily be written by a competent programmer anywhere with no official company or product backing, with reference implementations also available. Yes, I know the devil is in the detail, and it would need to be audited and battle hardened, but then it is going to be better than anything backdoored. So, for example AESCrypt mentioned above uses an open header format and has reference source code available.

There are also a range of high quality crypto libraries available (e.g. Bouncy Castle mentioned above), which can potentially be cascaded with others and used as a base by competent programmers without having to (dangerously) reinvent the library. That’s what I’d do as a modestly competent programmer if faced with silly behaviour from governments attempting to ban encryption – the horse has bolted even further than it did in the first crypto wars if only because there are a wider range of high quality crypto libraries for KDF, AES, and certificate generation/asymmetric algorithms.

I don’t know if RNG/HSM is included in what you are considering, there we have various forms of DIY implementations, e.g.

based on the Broadcom RNG in the Raspberry Pi, or

which uses an Arduino (which has hardware open source options).

Alex Khokhlov September 12, 2015 9:59 AM

Seems like nobody has yet mentioned any Russian software. And since Russia has its own incompatible security standards (usually named GOST outside of Russia) from Europe and U.S. , we do have a couple of our own companies developing the whole range of crypto software and hardware for those standards: hashing, key generation and exchange, encryption, signing and so on.

The ones that are most widely used and can be of interest here are:
http://www.aladdin-rd.ru – software and hardware for the whole range of end-user security tasks
https://www.cryptopro.ru – crypto provider for GOST

There is also a list of all FSB-certified software and hardware for Russian government use here: http://clsz.fsb.ru/certification.htm

Petter September 12, 2015 10:25 AM

Swedish Tutus

Formally evaluated and certified according to Common Criteria for IT Security Evaluation (ISO/IEC15408:1999) with assurance package EAL3
Swedish national crypto verification
Approved for protecting HEMLIG/Restricted and EU Restricted/Restreint UE (specific version) in Sweden Second party evaluation within EU (ongoing) Approved for sensitive but unclassified information (KSU -Krypto för skyddsvärda uppgifter)

Fubar September 12, 2015 10:27 AM

Not sure where this falls, but it’s fairly trivial to create an encrypted filesystem as a file (mounted via loopback) under Linux. I’ve used blowfish to do this myself. It’s all baked into the kernel. Said encrypted filesystem-in-a-file files can then be sent around, and mounted on any Linux computer with the password.

Clive Robinson September 12, 2015 11:18 AM

@ Fubar,

Not sure where this falls, but it’s fairly trivial to create an encrypted filesystem as a file (mounted via loopback) under Linux. I’ve used blowfish to do this myself. It’s all baked into the kernel.

Limited as it is I guess it falls into the appropriate part of “the linux kernel”.

What you have brought up indirectly is the thorny issue of what constitutes “the crypto” and what is in fact “a framework” that uses it. Which is similar to “an application” without native crypto code that uses “a crypto library”.

Some years ago I wrote an interpreter front end very losely based on a reduced BASIC for a crypto library. This was for a client and thr idea was you used it as a “workbench” to make your own crypto filters for use in *nix style pipes using various algorithms and modes. I stated rehacking it to use Tcl but lost interest. I don’t know if there are similar tools out there but many crypto programes can provide a limited subset of this sort of functionality.

Clive Robinson September 12, 2015 11:23 AM

@ TJ Williams,

You mentioned “Thales” in Norway and France but forgot to mention that Thales does crypto product design in Cambridge UK.

VWX September 12, 2015 11:59 AM


@Jacob – good point on incentives. I think there is an incalculable amount of productive work simply being held frozen in potentia due to the orwellian double speak going on. Schneier here is making some sad walk through the motions of how an informed political debate ought to vaguely transpire. But we are so far down the Snowden hole it’s actually more than a bit funny (and sad and horrific and all that too).

@Spaceman – there really aren’t that many jobs in crypto. Which is why I’ve given up any hope of seeing anything resembling a useful excercise in democratic policy making here. We should let Hillary win for no other reason than the world needs to solve it’s spouse beating problems before thinking it’s wise enough to tackle the ethical nuance of cryptography with the crude tool of democracy.

fhissen September 12, 2015 12:10 PM

Developer from Germany, but of course using software components from US/all over the world (regarding the crypto core):

Sue Heim September 12, 2015 12:26 PM

i don’t see Silent Circle mentioned. (Previously based in the U.S. But moved to Switzerland to ensure privacy and avoid legal pressures by U.S. Government Co-founded by Zimmerman, creator of PGP. ) I haven’t used their products but I know some of the original founders. They are encryption folks, emphatic about security and privacy.

(Full disclosure: I worked at PGP, then Symantec after the acquisition. Currently am working at Yubico, inventors of the YubiKey mentioned previously.)

Dan September 12, 2015 12:42 PM

Most SMB (Small-Medium Business) grade firewalls have VPN clients/servers included in them. For instance:

Of course, consumer routers can also run the open source DD-WRT which supports a VPN client.

Many NASes also support disk encryption. I just checked and both QNAP and Synology (both Taiwanese companies) not only support encryption, but provide chips that support AES-NI for hardware acceleration.

TJ Williams September 12, 2015 1:52 PM

@Clive Robinson: indeed! and we can add their subsidiary: nCipher

Similarly: Gemalto has acquired a crypto company: SafeNet

John Steinman September 12, 2015 3:50 PM

@Arthur: Well, do some research about Hacking Team and Kantonspolizei Zurich (KaPo) or ZUEGG. Then do some further research about Crypto AG… Having served with the Swiss radio pioneers, I believe I know the landscape of my country a bit. Sorry, to say that. It was different 20 years ago. I do not feel proud about it.

@Nick P: Seems you are in the picture about Crypto AG. I did not want to mention the issue myself. However, the issue is quite well known.

I can recommend the mechanical Swiss army Krypto-Funkfernschreiber (KFF). It is quite heavy hardware (some 10 kgs) but man it works! The VW bus had max. cruising speed of 60 km / h on the motorway. Gosh, that was embarrassing!


John Steinman September 12, 2015 4:24 PM

Googled encryption software from Singapore and from Taiwan (R.O.C.). No success. Hard to believe.

Trust me September 12, 2015 4:47 PM

Scramdisk is the deprecated precursor to Securstar’s DriveCrypt (already listed) that ran under Win9x/FAT32. It was created by an Englishman who realized he had to relocate his biz to Germany (I think) in order to keep distributing it and remain on the right side of the law. It was freeware and the developer had an ideological attitude to encryption. Like our Bruce does.

John Steinman September 12, 2015 4:57 PM

@Trust me: Yes, Scramdisk and E4M. They were somehow related. It is a complicated story. But you do not want to put Wilfried on the same level as Bruce, please… Wilfried is our very special friend, you know.

The Architect September 12, 2015 5:10 PM

cryptlib, Peter Guttman, New Zealand

Quoting from http://www.cs.auckland.ac.nz/~pgut001/cryptlib/index.html

At the highest level, cryptlib provides implementations of complete security services such as S/MIME and PGP/OpenPGP secure enveloping, SSL/TLS and SSH secure sessions, CA services such as CMP, SCEP, RTCS, and OCSP, and other security operations such as secure timestamping. Since cryptlib uses industry-standard X.509, S/MIME, PGP/OpenPGP, and SSH/SSL/TLS data formats, the resulting encrypted or signed data can be easily transported to other systems and processed there, and cryptlib itself runs on virtually any operating system – cryptlib doesn’t tie you to a single system. This allows email, files, and EDI transactions to be authenticated with digital signatures and encrypted in an industry-standard format.

cryptlib is supplied as source code for BeOS, DOS, IBM MVS, Macintosh/OS X, OS/2, Tandem, a variety of Unix versions (including AIX, Digital Unix, DGUX, FreeBSD/NetBSD/OpenBSD, HP-UX, IRIX, Linux, MP-RAS, OSF/1, QNX, SCO/UnixWare, Solaris, SunOS, Ultrix, and UTS4), VM/CMS, Windows 3.x, Windows 95/98/ME, Windows CE/PocketPC/SmartPhone and Windows NT/2000/XP/Vista/7. cryptlib’s highly portable nature means that it is also being used in a variety of custom embedded system environments including AMX, ChorusOS, eCos, FreeRTOS/OpenRTOS, uITRON, MQX, PalmOS, RTEMS, ThreadX, T-Kernel, uC/OS II, VDK, VxWorks, and XMK. In addition, cryptlib is available as a standard Windows DLL and an ActiveX control. Language bindings are available for C / C++, C# / .NET, Delphi, Java, Python, and Visual Basic (VB)

Nick Karras September 12, 2015 8:32 PM

NATO Partial List

VIASAT (Example only, numerous products that implement cryptographic features)




Your list will include thousands, if not tens of thousands, of individual products if you consider that virtually all defense-related equipment containing FGPAs has some sort of crypto code in it.

this might be of use for those who are interested in helping

David September 12, 2015 11:36 PM

Espionage 3 Crypto and Obfuscation App –Looks US based.


Espionage: simple, state of the art encryption and plausible deniability for your data.
Sometimes, encrypting your data isn’t enough to protect it. That’s why Espionage 3 goes beyond data encryption.
What happens if you’re forced to give up your password? In such situations, encryption won’t help at all. To address this, we went beyond encryption and introduced multiple layers of plausible deniability into Espionage. Read more…
Espionage 3 protects you even if you’re forced to give up your master password by giving you the ability to have multiple master passwords, each protecting an isolated set of folders. Every protected folder can also advertise completely different data, depending on whether it’s locked or unlocked.
Of course, that’s not say we skimped on the encryption. Espionage 3 is the most secure Espionage yet, featuring AES-256 encryption by default, and scrypt to protect your passwords from even the most powerful of adversaries.

Markus Ottela September 13, 2015 12:10 AM


So far I have
-at least one copy in cloud
-at least one copy on airgapped computer
-at least one copy hidden in a dead drop
-at least one copy printed on paper
-at least one copy in a place I did not mention above 😉

In the event the GitHub repo went down, I’d swap hosting to kapsi.fi or uni server (where the whitepaper is atm) or something similar.

@ Bruce Schneier:

I think this research will prove to be extremely useful when arguing why demanding front-back-doors is a fool’s errand. IMO you could even count free software developed and hosted within FVEY jurisdiction outside the control of these governments. While not impossible, it’s unlikely the intelligence establishment is issuing gag orders that demand injection of covert vulnerabilities, similar to those presented at underhanded C contest.

The slow yet inevitable direction in secure communication is, users will want to detach from PKI and switch to web of trust. Thus, distribution of malicious versions is going to become very difficult (compared to current situation where according to Appelbaum, NSA has CA resources). Furthermore, the Debian’s ReproducibleBuilds will make reviewing and compiling source much more attractive.

US based software not yet in this topic
-Wickr https://www.wickr.com/ (Proprietary)
-TextSecure and RedPhone https://whispersystems.org/ (GPL)

Non-US based software not yet in this topic
-Kadu http://www.kadu.im/w/English:Main_Page (GPL)
-Sicher http://www.shape.ag/en/ (proprietary)
-ChatSecure https://chatsecure.org/ (GPL)
-TFC CEV https://github.com/maqp/tfc-cev (GPL)

Olivier September 13, 2015 6:57 AM

SilentKeys is a hardware/software coming out shortly on Kickstarter – http://www.preev.io
It is developed in France. It could be described as a “smart” keyboard, as it contains a hardwired live OS, preconfigured with Tor and encrypted removable user storage.

renke September 13, 2015 8:49 AM

Astaro (still based in Germany but now a subsidiary of Sophos, UK) is sponsoring Linux kernel developers (security related stuff, like iptables)

John Veldhuis September 13, 2015 8:52 AM

Indeed Sophos is UK based. Its SafeGuard file based encryption software however is developed in Austria, how does that compute?

And could mr. Steinman please elaborate on this?

“Utimaco Safeware AG, GERMANY ==> has been hacked in the past!!!”

The only story I am aware of is Danish police finding a paper notebook with a password and claiming SafeGuard Easy “hacked”, so I’d like to know more.

ronys September 13, 2015 9:25 AM

Er, PasswordSafe:
– Open Source (hosted on SourceForge and GitHub, meaning that anyone can download and inspect the entire source code repository)
– Non of the currently active developers are US citizens or residents

Bill Montgomery September 13, 2015 9:43 AM

Panama based Connect In Private Corp. improved HP/Voltage’s Identity Based Encryption (IBE) patent in 15 ways. It’s secure end-to-end now and authenticates at the application layer. Connect with me on LinkedIn – pa.linkedin.com/pub/bill-montgomery/26/584/6b0

Michael September 13, 2015 10:02 AM

Speaking of Russia and GOST — there is an OpenSSL GOST engine. People working on it are mostly outside of USA and are capable to maintain an OpenSSL fork if it becomes needed.

Michael September 13, 2015 10:05 AM

There is Sodium cryptography library with the main developer apparently located in Paris. libsodium.org

herman September 13, 2015 12:32 PM

Pretty much each and every notable military electronics company in the whole wide world do their own encryption. It isn’t exactly rocket science.

r September 13, 2015 2:34 PM

@casssandra, that’s how I feel about this.

Intel is American.
AMD is American.
ARM is British.
Loongsoon although MIPS, was from the ground-up chinese.

Software is great, but it’s only as good or as bad as it’s host.

OpenSPARC.net says it’s completely open source?

Taz September 13, 2015 2:59 PM


Made in Kalifornia. Just purchased a bunch.


They’ll make your list – if they ever deliver.


Good product – wish I could trust it completely.(Hint requesting experts to look it over)

There also is a South African product destined for the Android? Pond(?) anonymous and encrypted messaging. http://arstechnica.com/security/2014/10/the-secure-smartphone-that-wont-get-you-beaten-with-rubber-hoses/

Russian? https://diskcryptor.net/wiki/Main_Page

Luks for Windows: https://github.com/t-d-k/LibreCrypt

Somchai September 13, 2015 2:59 PM


It is a new Thai company with some American and British ex-spook employees. They set up secure networks for individuals and small businesses. They teach people how to properly use TAILS and TOR. They advise on best practices for Windows and Linux users.

They also have a random number generator for end-users to generate their own symmetric keys for use in Vernam Cipher. Basically, they use Vernam Cipher over the internet, wrapped in a cascade of unweakened PGP or AES, sent over TOR via TAILS. Air-gapped netbooks are used to generate and store keys which are put in a metal box when not in use.

FreeSpeechWasAlwaysJustADream September 13, 2015 3:36 PM

@herman – LOL. If anything, crypto and neuroscience are precisely what qualifies as rocket science. Compared to what Bruce’s brain does for crypto, 95% of the rest of the jobs associated with these products are best thought of as glorified barbers trained to alert a doctor if they see a brain tumor growing through the skull. The sad fact of the matter is that we should thank god Israeli motorcycle assassins haven’t yet gotten to The Bruce. Because real crypto that actually works, requires precisely that level of intellectual, precisely as controllable in the big picture with motorcycle assassination.

Ken Goldsholl September 13, 2015 3:54 PM


x.o.ware (www.xoware.com) has just started shipping the XOnet and XOkey, which implement IPSec encryption on hardware. The XOkey is a USB crypto that creates an encrypted tunnel with an XOnet that has a trusted connection back to the Internet. In addition to providing secure access to the Internet over an open network, it also provides encrypted (AES256) access to a home network.

Later this year we will provide a free software upgrade that will allow XOnets to securely connect to other XOnets, enabling true end-to-end encryption. Keys are managed by the two devices, and are never accessible from any interface, as encryption and decryption are performed by their integrated crypto processors. While we use off-the-shelf IPSec, we implemented a peer key management system, so no third parties have access to keys.

Data never passes through third party servers; our servers are used just to enable the XOkey to find and connect to an XOnet. Ports are dynamically assigned for each connection.

Our long term goal is end-to-end encryption for all communications, with keys unique for each connection managed only in the hardware devices owned by each party.

Fred J September 13, 2015 11:55 PM

Steganos from Germany is an excellent product that allows encrypted files, folders, documents and the use of stenography to include encrypted data in pictures. https://www.steganos.com/en/

Used it for years. I also has a key-safe when you buy the suite.
Encrypted items can be sent as email attachments and will unlock themselves if the password is used.

Very point-and-shoot as well as cryptographically versatile.

JoachimS September 14, 2015 2:40 AM

Here are a list of both open/free and commercial products.

Nettle is a GPL:ed crypto library used in GnuTLS, but also in a lot of embedded settings. Nettle is developed and maintained by Niels Möller in Sweden:

Advenica is a Swedish company that manufactures both HW and SW based encryption products.

Tutus is a Swedish company that manufacturers firewalls, VPNs and encryptions products – both SW and HW:

Cryptech is an international open project that develops open Hardware Security Modules that includes both hardware and software. The project designs and implements radnom number generators, crypto, key storage etc. The project includes people from USA, Germany, Sweden, Russia, Japan etc.

JPK September 14, 2015 3:01 AM

Hey there,

wouldn’t it also be interesting to make a survey of the opinion re “strong encryption” of different countries? Does the Brazilian govt support strong encryption? What about Sweden, Ireland or France?

Together with a survey of non-US security products it would make a much stronger argument.

To kick things off:

The German govt said that they have no intention to weaken or even regulate (!) encryption. Official source is here: http://dipbt.bundestag.de/dip21/btd/18/051/1805144.pdf

“Die Entwicklung und durchgängige Verwendung vertrauens-
würdiger IT-Sicherheitstechnologien ist von entscheidender Bedeutung für
Unternehmen, Verwaltung und Bürger in unserer heutigen Informationsgesell-
schaft. Daher wird die gezielte Schwächung oder Regulierung von Verschlüsse-
lungstechniken von der Bundesregierung nicht verfolgt.” p. 4 / question 10

Asdeoifef September 14, 2015 4:00 AM

spideroak.com, American file storage. Claims full end-to-end encryption and a system of layered volumes which allows flexibility and deduplication.

Patriot September 14, 2015 5:12 AM

@Somchai- that was an exaggeration

If one goes through this excellent list of companies it becomes clear that a whole lot of people are making serious efforts to turn the tide against en masse, life-time surveillance (What amazing and innovative products! ie. Darkmail, Tutanota, and Tomb!). The point, not often made, is that such often illegal surveillance is extremely profitable for a lot of people. Otherwise, it would not be happening, and it would not continue. You cannot take an oath to protect and defend the Constitution while you wipe your ass with it every day. Something is amiss. It is cheap to collect on you, on a per person basis, and that is part of the profit.

For someone on defense it is hard to even get a piece of bread, and it is hard to pass legal hurdles. That is ironic, almost a bad joke.

Our small group in Bangkok is surprised that more companies across the world have not taken the approach of having the end-user generate his or her own symmetric keys for use in Vernam encryption. The main problem for secure messaging can be seen as one of key generation. Sharing keys might pose difficulties, but then again it might not ie. put the keys in your pal’s hand. Widespread use of old school Vernam encryption and shared keys would put a nail in the coffin of en masse collection because such collection would be rendered pretty much meaningless (used along with measures to eliminate metacontent) and the price of surveillance would skyrocket. In fact, surveillance would become too difficult and too expensive.

We are trying. pcoms@cmail.nu https://patriotcomsec.net

Dirk Praet September 14, 2015 5:24 AM

@ Bruce

  • Tahoe LAFS: “free and open decentralized cloud storage system. It distributes your data across multiple servers. Even if some of the servers fail or are taken over by an attacker, the entire file store continues to function correctly, preserving your privacy and security”.

@ John Steinman

A word of warning: Western German encryption software must incorporate a backdoor. That’s the law.

No, it isn’t. That’s the second time in a few months that someone is making this claim on this forum and, when asked to substantiate, replies with “ask a German lawyer”. Last time this came up, I eventually got in touch with some of my contacts in Berlin and Hamburg. None of the folks in legal they talked to could confirm your statement. They actually called it “Blödsinn” (nonsense).

Equally telling is that not even our resident German NSA apologist @Rolf Weber seems to support your claim. You can summon him by saying the magic words “direct access”.

What makes it even more interesting is that you’re also warning against Swiss software because Hornet is being developed by ETH Zürich, which is the Swiss equivalent of MIT in the US. So it’s “guilt by association” because they also host the Forensic Institute of the Zurich County Police ? That’s not even remotely making sense. And so what if some Swiss agencies enquired into or even bought Hacking Team software? Everybody did, and I guess they have needs to.

Protonmail.ch. That company does not comply with the country’s data retention law, hence in my opinion it operates outside the legal system.

No, they don’t. Protonmail covers the legal aspects of their service quite well on this here page.

Utimaco Safeware AG, GERMANY ==> has been hacked in the past!!!

Again: please elaborate when making this sort of allegations. Are we to just
take your word for it?

TrueCrypt has found a place here ==> https://truecrypt.ch/

Didn’t you just warn against Switzerland-based stuff ?

… encryption software from the Five Eyes and the EU should be avoided …

Still you’re recommending Bestcrypt from Jetico. Last time I checked Finland was in the EU.

The TC forks are not that useful, since – in theory – they also should be audited

They are actually very useful. Besides offering several enhancements and loading/converting Truecrypt volumes, Veracrypt also pretends to solve all major security issues and weaknesses discovered in part 1 of the Truecrypt audit. So what’s not to like?

I do not speak mexican

People actually speak Spanish over there.

In short: not only are you spreading FUD, you’re also contradicting yourself all over the place.

trebla September 14, 2015 7:12 AM

@justin Petter only mentioned some standards that the product has passed. That is not classified information.

Arthur September 14, 2015 9:20 AM

Protonmail covers the legal aspects of their service quite well on this here page ( https://blog.protonmail.ch/switzerland/ )

And open source. ( https://blog.protonmail.ch/protonmail-open-source-crytography/ )
When you create a new internet service in your own country you don’t have to explain why you choose that country.

Is Macy’s explains why they are located in United States ?

A safe haven for US digital refugees 🙂
Thanks E.Snowden.

I recommend it.

TascoBlossom September 14, 2015 9:41 AM

@Dirk Praet

There’s something altogether wrong about many comments. The whole point is to collect info about cryto apps and tools originating outside the US and the UK.

Evidently, the purpose of this is to bolster arguments that domestic controls / restrictions are pointless. I doubt the tactic will succeed, but many of the comments digressed into a case for rejecting all US and UK software and that only stuff from Mars can be trusted. After all, if it’s from the US it MUST have a backdoor, right? That’s dumb, for a dozen reasons.

TascoBlossom September 14, 2015 10:13 AM

@Dirk Praet – you might want to compare the Tahoe system to Cleversafe, among others. They’ve been doing that for a long time. Cleversafe is perfect if you need to store information to protect against global calamity, some kind of huge disaster.

The problem is, to achieve the redundancy of the Tahoe system, you have to multiply the storage requirments. That is where Cleversafe started out many years ago. The costs were too high so they developed a compromise – reduced redundancy with reduced security… some kind of trade-off.

The distributed safety that Tahoe describes sounds good. Many are thinking about distributed storage now. But some think they can chop up an encrypted file into parts and spread them all over, or first chop up a file into parts and then encrypt each separately. It’s a mess and doesn’t accomplish anything. Combining encryption with the distributed m n scheme is unsustainable and it is NOT easy to use.

There are countless apps and services that claim the high-ground in encrypting the file locally BEFORE it is uploaded to storage. SpiderOak has been doing that for years. A recent failed KickStarter project offered to encrypt your files and then chop them up into pieces before storing them in various servers around the world. The problem is, you have to FIRST UPLOAD IT TO THEIR SERVER. Sound familiar?

Sancho_P September 14, 2015 10:26 AM


”After all, if it’s from the US it MUST have a backdoor, right?”

I think that’s not behind. It’s likely something similar to how easy would it be to hamper strong encryption worldwide if the USG gets down to the balls of their manufacturers.
So clearly there is fear that NATO and “free trade” partners would bow to the new liberty ideas of the USG, therefore @Bruce’ question regarding products out of the “new western ideology” (IMO).

How would a Chinese backdoored encryption enable the US spies to steal information from some (e.g. gov) user in France?
Could the Chinese use their access in France?
That’s the point.

Dirk Praet September 14, 2015 11:42 AM

@ TascoBlossom

The problem is, you have to FIRST UPLOAD IT TO THEIR SERVER. Sound familiar?

Yup. One of the reasons I like Tahoe LAFS is because it integrates well with I2P. IPFS is another distributed file system with interesting potential. In essence, it’s a high performance, peer to peer content distribution network. A while ago, I read a really neat manual on how to make it work with Freenet, but I can’t seem to find that reference right now.

Regarding encryption before upload to whatever cloud storage, there’s plenty of manuals out there to use TC containers. Boxcryptor Classic is an acceptable solution for less technical folks, and is compatible with *nix systems supporting EncFS.

After all, if it’s from the US it MUST have a backdoor, right?

Not necessarily, but Lavabit, Surespot and the like have shown that compromise is only an NSL or FISC order away. So I’d rather take my changes with companies working out of Switserland, Iceland or even Germany. These countries have reasonable privacy and data protection laws in place, and there’s no Comey’s whining over “going dark” and calling for a public debate while at the same time trying to kick in the front door through some secret, non-adversarial kangaroo court.

@ Sancho_P

So clearly there is fear that NATO and “free trade” partners would bow to the new liberty ideas of the USG

Nail on the head.

Could the Chinese use their access in France?

For years, the Chinese have (unsuccessfully) been trying to defenestrate their country where over 95% of all desktops/laptops are running Windows. The Red Star OS manufacturer failed miserably and went out of business a while ago. They are now trying again with the Ubuntu inspired NeoKylin OS, developed in part by the Chinese military. About 40% of new Dell machines sold in China now come with NeoKylin pre-loaded. I however kinda doubt that it will ever take off over here 😎

It would be kind a cool, though, to have all Windows desktops at the European Institutions replaced by NeoKylin or some Russian alternative and watch the USG and its IC go completely berserk.

Jim Burrows September 14, 2015 1:10 PM

Sue Helm already mention Silent Circle, and the URL is trivial, but just to insure that it is in the list, they can be found at https://silentcircle.com/

They are a Swiss company, as Sue pointed out.

And for the sake of full disclosure, while I served as VP of Engineering and then VP of Advanced Development, I am no longer with the company.

John Steinman September 14, 2015 1:10 PM

@Dirk Praet: Hiya Dirk. Have read your response. Won’t contradict you. Only experience can teach. I was with the Radio Pioneers & know several generations of encryption hardware. Best Regards.

Arthur September 14, 2015 1:26 PM

GhostMail Headquarters in Switzerland, branch in Denmark

” Bunker Protected

Our servers are placed in a high-tech Swedish nuclear bunker 30 meters under
bedrock. The bunker is one of the most securely guarded data centers in the

Servers in Sweden ?


TascoBlossom September 14, 2015 1:56 PM

@Dirk Praet – Boxcryptor encrypts each file with it’s own key file (sounds OK), each in turn dependent on your private key. But lose control of your machine and the only thing standing in the way of total compromise is your password. A chain is only as strong as its weakest link. The password is such a weak link – no matter how much they chop and dice it – that other container-type solutions like encrypted flash drives resort to destroying your files if someone enters the wrong password several times. AES 256? If it’s so strong, then why would they have to blow all your files away? That’s because a single password is at the top of the chain.

I’m not being critical – my point is that there is an imbalance of fear being displayed. Worried about the Lavabit scenario? This is equally problematic. Many here distrust MS and think Windows is all spyware, but Boxcryptor writes to the Registry and that’s why you need admin privileges to install. It is incorporated into File Explorer. Boxcryptor does a lot more than just encrypt files with AES256. I think their download is over 100M! Do you know anything about the internals? When Boxcryptor is through getting all your personal information, do they send you the source code to inspect? I doubt it. Now compare these concerns to the “this country vs that country” obsession and I hope you can see my point.

Tahoe LAFS – where is the gateway? Or, WHO is the gateway?

BTW Peer-to-peer smacks of PGP.

TascoBlossom September 14, 2015 2:04 PM

@Jim Burrows – is SilentCircle REALLY a Swiss company, or did PZ just move there? The USG can use tax laws and bring any number of other guns to bear if needed. Opening an office in Bern isn’t a panacea and I wonder if it’s in fact, just a PR stunt.

OneOfThoseGermansThatDoNotDrinkBeer September 14, 2015 2:52 PM

I’m not sure if “compiling a list” doesn’t simply make the job easier for some. It might as well be misinterpreted as a “list of high-potential things to target”. 😉

Anyway… the latest news on a suggestion posted here states (quote) “Bundesdruckerei GmbH has acquired a 52 percent share in the German IT security specialist genua gmbh.” – which practically means “genua.de” is now state-controlled and should most probably be scratched from the list of suggestions (depending on the level of your individual tin-foil-hat syndrome).

mrjones September 14, 2015 4:01 PM

Two open source projects I haven’t seen mentioned are:

  • tinc – A Netherlands based, “Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet”
  • miniLock – A US (?) based, “small, portable file encryption software.”

Sancho_P September 14, 2015 5:45 PM

@Dirk Praet
re ”Could the Chinese use their access in France?”

Not sure if what I meant came out correctly:
Assume the West only has US – backdoored “encrypted” e.g. chat apps.
Now we install a Chinese encrypted (+probably Chinese) backdoored chat.
(Would the western secret services have access to our comm? Haha)

But my question was: Would the Chinese spies now have access to our comm?
(a question of networking / fiber access as I guess, and I’d hope we are protected from that by our western national security – yes, only hope, see OPM)

Dirk Praet September 14, 2015 7:06 PM

@ TascoBlossom

… but Boxcryptor writes to the Registry and that’s why you need admin privileges to install.

There’s also a portable version of Boxcryptor Classic that doesn’t. I’m well-aware of the fact that it’s game over once an attacker gets hold of your password. The same goes for a lot of other, if not most encryption products.

Although I agree with most of your remarks, I explicitly said that this particular piece of software is “an acceptable solution for less technical folks”. It all depends on your threat model. For the security-illiterate average Joe who just wants to protect his cloud storage against script kiddies, cyber criminals and snooping corporations, an easy-to-use product like Boxcryptor is a good fit. If Joe is a political activist or in any other way a person of interest to LE or other state actors, then he’s definitely better of with a different approach, different products, a different infrastructure and ditto OPSEC.

The question everyone has to answer for himself is to which degree you value your privacy and the confidentiality of your data and communications, whether or not you have something to hide. Most people I know have pin codes and passwords on their smartphones, tablets, laptops and other digital devices because they wish to avoid other people snooping on their documents, text messages, chats, contacts etc.

Once they realise that the real intruder to protect from is actually hiding inside – i.e. providers, spyware, malicious apps, insecure OS’es, backdoors and the like -, it stands to reason that countermeasures will be looked into. This applies even more to businesses – private and public – than to private persons. In this context, one of the logical things to do is to avoid products that are backdoored or known (or suspected) to track your every move. Another one is to avoid companies that fall under the jurisdiction of governments that have weak privacy or data protection laws or are known to collaborate with such governments, either voluntary or coerced.

So this is not about “obsessing about countries of origin”, but from a security vantage just plane risk management and mitigation of one of many different attack surfaces.

Dirk Praet September 14, 2015 7:25 PM

@ Sancho_P

But my question was: Would the Chinese spies now have access to our comm?

It would be naive to think that the Chinese are not spying on us. They’re probably just having a significantly harder time doing so than their US/UK counterparts.

John September 15, 2015 1:21 AM

I’ve search the list and I didn’t find the Free and Open Source software “Academic Signature” listed.

Academic Signature (main web site – SSL/TLS enable)
Academic Signature (official mirror domain)

“Academic Signature” is a project developed by Prof. Dr. Michael Anders from Germany.

This software can be used to: Digital Sign files; Encipher files; Digital Sign and Encipher files; Digital Sign with computer time (Timestamp)… all of this using Elliptic Curve keys. Also allows for symmetric cipher/ decipher of files. And also allows to calculate hash of file.

It includes it’s own made algorithms (several hash and cipher “Fleas” family) according to the author to make it 100% free of NSA standards none sense limitations, and known ones like: SHA256, SHA512, JH, Skein (1024 bit), AES (256 bit), Threefish (1024 bit)… for those users that like to use known (in the security community) crypt algorithms.

The ECC key used for the signature and cipher operations is available in two flavours: NIST Curves (256 up to 512 bit) and the author own ECC key curve (that according to author is very easy to make (the keys themselves) and confirm that is backdoor free) called “anders” (256 up to 1024 bit) being the “anders_1024_2” the most secured one with no optimizations for speed.

Dan September 15, 2015 2:37 AM

There is also SoftEther, an open source, software-based VPN that runs on Windows, Linux, OSX, Android, iOS, Solaris, and FreeBSD: https://www.softether.org/. It is similar to OpenVPN.

The project is based out of the University of Tsukuba in Japan.

Michael Anders September 15, 2015 8:05 AM

@ John Steinman
“A word of warning: Western German encryption software must incorporate a backdoor. That’s the law.”

I haven’t heard about such a law, neither have I been approached by German law enforcement. My Open source project “Academic Signature” has alredy been mentioned https://www.fh-wedel.de/~an/crypto/Academic_signature_eng.html
My thanks to the other John, who put it here on Bruce’s list. Whoever you are!

The source is open. Show me the backdoor John Steinman 🙂
You won’t be able to get 1024 bit ecc from a five eyes country(NIST’s 521 is the limit), you can get it from Germany.

Cassandra September 15, 2015 8:25 AM


Re: OpenSPARC.net says it’s completely open source?

The design may be Open Source, but you will have difficulty in finding a fab that can manufacture it without using non-open source and/or non-free (libre) tools. There are very few tools available that can take a design and lay it out on a chip. How can you be sure that the layout program hasn’t added a few thousand gates that add an elegant back-door?

The issue is not only confined to cpus. You also need to ensure that any supporting chips such as i/o controllers, graphics controllers, networking devices, USB devices, memory controllers etc are not compromised.

There are a limited number of companies that are able to produce VLSI hardware, which means there is a limited group of people that need to be subverted and/or compromised by state actors.

Unless you can build hardware as independently as software, it is a hard problem to solve. There are no backyard/garage fabs.

Think of an Ethernet controller – it likely has Direct Memory Access to its host, and a route to the outside world. It can be activated by a specially crafted datagram – see the advertised capabilities of this Intel Etherne controller:


“Filtering and redirection for management packets
Support for serial text and keyboard redirection and remote floppy/CD”

The capabilities are sold for enabling remote management of servers in data-centres. But nothing stops Intel, or other suppliers, from building such capabilities into all controllers, and simply not saying they are there.

Building hardware that can be trusted by the end-user is hard. You cannot fix a system subverted at the hardware level by clever software running on that system.

Anders September 15, 2015 1:29 PM

Non-US email providers who use encryption and has not been mentioned yet:

A list of VPN-providers, some/many of them outside the US:
I’ll be happy to go through all of them and come back with a list of the non-US VPN’s, if it’s relevant. Let me know!

September 15, 2015 2:34 PM

Vim 7.3+ includes built-in Blowfish encryption for encrypting files. Thank you Bruce for creating Blowfish!

somebody September 16, 2015 2:28 AM

ccrypt – available in Linux (ie Debian) repositories, from Canada
Bouncy Castle Australia
Private Disk – Republic of Moldova
Geli – FreeBSD encryption, Poland
SoftEther VPN – Japan http://www.softether.org
Dropbear – SSH implementation, Australia https://matt.ucc.asn.au/dropbear/dropbear.html

Dirk Praet September 16, 2015 3:57 AM

@ Michael Anders

Re. https://www.fh-wedel.de/~an/crypto/Academic_signature_eng.html

Interesting project. Gave it a testdrive and it’s looking really neat. I did run into a couple of issues when compiling on current TAILS version 1.5.1, so you may wish to update your TAILS man page with the following:

  • Before adding additional packages through Synaptic package manager, run ‘sudo apt-get update’. This implies you have set a root password when booting TAILS.
  • In Synaptic (Applications, System Tools, Administration), select the following three packages: make, g++ and libwxgtk2.8-dev. A number of additional dependencies will be taken care of automatically. This will take up about 75Mb. of additional disk space.
  • At first attempt, compilation barfs up with an error in src/dolonu.cpp around line 231. There seems to be something wrong with the ‘#ifdef WX28’ condition, which incorrectly includes the code for a higher version of WXWidgets instead of that for version 2.8 installed by default on TAILS. Since I am a lazy person, I just hacked out the entire conditional group and left in the one line applicable to v2.8. Everything compiled and ran fine from there.

Cheers, and keep up the good work. Gimme a ping if you have read this, otherwise I’ll send it by mail.

Michael Anders September 16, 2015 10:23 AM

Thanks Dirk, in fact I haven’t looked at the TAILS page for a while and I really appreciate your comments.
I will try to get at it as soon as possible.
Having a look at my logs revealed that some substantial additional download traffic came via the posts in this list. Thank you guys – and it is heartwarming to see that many of you come in via TOR.

Kaosagnt September 16, 2015 11:51 PM



Duplicity backs directories by producing encrypted tar-format volumes and uploading them to a remote or local file server. Because duplicity uses librsync, the incremental archives are space efficient and only record the parts of files that have changed since the last backup. Because duplicity uses GnuPG to encrypt and/or sign these archives, they will be safe from spying and/or modification by the server.

herman September 17, 2015 1:40 AM

As I mentioned above, the aerospace and military companies in the rest of the world have cryptographers and mathematicians on staff. This is not rocket science.

The funny thing is that I was immediately shot down for daring to say so.

The USA is not the centre of the world – it is just an artifact of how they print their maps. More aerospace systems are built in the rest of the world than in the USA and all those things make heavy use of compression, error coding and encryption.

The USA never had a monopoly on encryption tech and thinking that it can suppress knowledge by restricting export of cypher equipment only hurts their own industry and European, BRICS and other companies are laughing all the way to the bank.

rgaff September 17, 2015 5:26 AM

@ herman

“The USA never had a monopoly on encryption tech and thinking that it can suppress knowledge by restricting export of cypher equipment only hurts their own industry and European, BRICS and other companies are laughing all the way to the bank.”

As an American myself, this is exactly what I’ve always argued too… It is good to see a few non-Americans that aren’t swallowing the American line… Keep it up you all, don’t let my government successfully enslave you all, and I’ll do what I can from this end too. (And if I ever insult you, it’s only meant to stimulate more of you to action)

ah September 17, 2015 7:35 AM

Here in Israel there are several companies with world-class crypto teams. I’m sure you don’t need me to spell their names. We build both software and hardware products that can meet the most demanding military, elint and aerospace specs, or alternatively commercial cost-effective requirements.

The point is that the availability of a product is a direct result of supply and demand forces. Lots of stuff gets developed here and marketed by US vendors, for the simple reason that they have a better marketing reach. Sterilize those US vendors, and new products will show up under the next-best jurisdiction.

ah September 17, 2015 12:50 PM

Continuing my previous post, here is a PARTIAL list of the larger Israeli infosec companies.


http://www.checkpoint.com/ – Network, data & endpoint security

http://www.cyren.com/ – Web & email security

http://www.cyberark.com/ – Information security

http://www.elbitsystems.com/ – MIL stuff, has several cyber subsidiaries

http://www.imperva.com/ – Data & application security

http://www.nice.com/ – Audio surveillance

http://www.radware.com/ – Network security

http://varonis.com/ – Data protection

http://www.verint.com/ – Video surveillance

Other Public Companies:

http://www.telemessage.com/ – Secure messaging

http://www.vglnt.com/ – Digital surveillance

Other Large Companies:

http://www.iai.co.il/17887-en/Groups_ELTA.aspx – Military stuff, incl. SIGINT, EW, etc.

http://www.elisra.com/ – ditto

http://www.imi-israel.com/ – ditto

In addition, Israel is a company-making country with dozens of security startups and a record of many exists, around $4 billion annually, ~1,000 hi-tech exists in the past 10 years. Typically the acquirers keep the acquired company as an Israeli R&D center. Should US legislation change, would it be that hard to divest these R&D centers? here’s a tiny sample of relevant exits:

http://www.aladdin.com/ – DRM, identity mgt., sold to SafeNet

Mirabilis (makers of ICQ messanger) – sold to AOL

Cyota – Okay, you said no financial security, I just added it as an example of an Israeli company acquired by RSA (much of RSA has actually started in Israel)

http://www.nds.com/ – TV access control systems, acquired by Cisco

I doubt if there is a single large US technology vendor that doesn’t have an R&D center in Israel, and I’m quite confident (based on my personal acquaintance) all these centers deal, among other, in security.

LVJ September 18, 2015 4:08 AM

pEp – pretty Easy privacy

Changes the default from unencrypted and unprotected to encrypted and anonymized on all written digital channels

Swiss – Luxembourg based

  • end-to-end, peer-to-peer, no central infrastructure, open-source with a swiss foundation, will use best crypto based on capabilities of the communication partner (OTR, GNUnet, PGP, S/MIME, nothing)
  • works with existing standards like PGP, S/MIME, … and fixes some of the PGP shortcomings
  • encrypts subject, will anonymize meta-data, handles all keymanagement automatically and uses trust words for the handshake/fingerprint

Single engine able to run on Linux, Windows, OSX, Android, iOS, …

Will power next version of Enigmail – providing a different ease of use

About to launch commercially with a external code-review published at the same time


Andy September 18, 2015 4:50 AM

Armour Communications (www.armourcomms.com) is a UK supplier of voice, video and messaging encryption products for mobile devices.

Neil Ferguson September 18, 2015 4:36 PM

Hello Bruce,

I’d like to suggest several small encryption programs written
by an Australian author.

There are several small portable encryption applications that
were written in the early 2000’s by Dariusz Stanislawek.

There are several of these small programs:

dsCrypt – SureCrypt – WildCrypt – DSE

Most use AES/Rijndael file encryption and have some nice features,
with some having limited brute force protection, and keyfiles.

All are freeware, and the source code is available for each.

These are still widely available on most freeware sites, such as
Freeware Files, but the authors web site is now archived on the
Wayback machine here:


There’s also a comparison of the features of each here:


Alternatively, dsCrypt on Freeware Files:


I’ve used dsCrypt for many years due to it’s portability, small
size, features and encryption speed.

(As I’m not a technical person I can’t comment on the implementation
of the AES algorithm, although the source code is available for those
people who are).

As you’ve pointed out, products such as these are not much use
against an adversary who’s serious about their work and is holding a
nail gun against your foot, but against someone less committed to
their work products such as these are quite useful to have.

I think these small programs are useful additions to your list.

Kind regards,
Neil Ferguson

(No offence intended, but the email address I’ve used is a
disposable one, as the form needed one so I could submit it).

Frank September 20, 2015 2:30 PM

Firechat’s announcement that it will [seek to] provide end-to-end encrypted messaging is a positive step for privacy,” said Richard Tynan, a technologist at Privacy International.

“However, it remains to be seen whether the quality of these implementations actually lives up to the claims.

“For many at risk individuals, the security of their communications can be a matter of life and death.

Cassandra September 20, 2015 3:58 PM

Just to illustrate the extent of the problem regarding compromise of standard computing hardware, it is instructive to read the Libreboot FAQ, and the answer to the question “Why is the latest Intel hardware unsupported in libreboot? “:


It is all very well having carefully designed software that correctly implements well-regarded cryptographic algorithms. The problem is, you are likely to be running that software on compromised hardware. If you are at all concerned about operational security, you should be worried.

Dirk Praet September 21, 2015 6:46 PM

I have been tinkering quite a bit with TAILS and Whonix lately, as in adding additional software I regularly use as well as customising the look and feel.

In the process I came accross Subgraph OS and Mail. It’s still under development, but looks pretty neat. Like TAILS and Whonix, it comes with Tor but also adds a Grsecurity/PaX hardened kernel and application container isolation. Free and open source.

Wael September 24, 2015 2:04 AM


sorry, I couldn’t find an english Version of that description

Does this SINA description match what you referenced? It doesn’t sound like commercial material 😉

Ingo September 24, 2015 2:50 AM

SINA for high-security has been developed in cooperation with the BSI (Federal Office for Information Security).
They use another BSI’s crypto-algorithm and have a separate hardware (a PCI-board “PEPP1”, containing a chip named “PLUTO”).
But I don’t know wether that hardware is available for a non-governmental use.

David Turner December 8, 2015 2:13 PM

This is our own software application that sits on top of one of the other products in the list already : AxCrypt which is the underlying encryption tool. We expand on the features of Axcyrpt adding compression, ability to encrypt multiple folders in view and don’t store any passcode or phrase on the owners machine.

ASmith December 10, 2015 4:53 PM

GostCrypt a powerful 512bit non-USA/UK Symmetric Encryption YOU Should Have and use.

GostCrypt a fork of the TrueCrypt 7.1a project decided early on to entirely depart from the old, likely broken or weakened USA/UK ciphers in TrueCrypt and entirely focused on the strong, rugged Gost symmetric encryption cipher. Updating that to the 2012 512bit release and then expanding on that.

It appeared to me many years ago that USA/UK agencys had spent $Millions to fund various researchers with the specific agenda to post negative articles against the use of the older Gost256bit symmetric cipher while at the same time pushing approval and wide spread use of the weaker AES256bit standard.

This despite Gost256 using a full 28 round cycle (vs 14 rounds AES256) and a secret or randomized S-Table allocation (vs a known set S-Table allocation) which served to cut off many attack vectors AES256bit fell prey to. Those articles simply didn’t make sense to me looking at the facts, they did make sense if USA/UK agencys deliberately attempted to portray Gost as weaker than the AES256 bit standard they wanted everyone to use.

GostCrypt bumps up the older Gost256bit cipher to a full new 2012 Gost 512 standard and is moving to further more advanced non-USA/UK symmetric ciphers and not looking back. I recommend anyone that is seeking strong encryption of files and information to look at GostCrypt and abandon USA/UK pushed widely used encryption ciphers and hardware as possible. Smart devices with LSI (in house large scale integrated) chips marked ‘Made in USA’ should raise at least the yellow flag of caution now.

GOST R 34.11-2012 (512-bit)

BA December 10, 2015 9:13 PM

Due-diligenced IronKey: verdict – unhappy.

VeraCrypt plus a plain, ruggedized USB key is the way to go. (Place VeraCrypt installers in unencrypted area.)

Dirk Praet December 10, 2015 9:43 PM

@ ASmith

I took it for a spin and it doesn’t look bad. But Veracrypt does seem to be maintained quite a bit better as GhostCrypt looks stuck on version 1.0 since last year. Anyway, I added it to my TAILS Candy package for folks interested in running it on TAILS.

DeftNerd December 10, 2015 9:49 PM

You can find an incredible curated list of privacy and encryption products and services at https://www.privacytools.io/

It lists VPN providers, email providers, cloud storage, private search engines, messenger apps, encrypted video chat apps, file encryption software, and more.

Tommi Rasila January 4, 2016 2:37 PM

@ Jacob

Correct, you can not really “prove” that there are no backdoors without a third party inspecting the source code before every published SW version, which is not only unpractical and still leaves room for speculation. So another way to tackle the issue is to think whether there is requirements by regulatory bodies or other political pressure to have backdoors. And if there is no legislation pressing us to have any backdoors, from a security company’s POV there is absolutely no sense in having them.

@ Dirk Praet

Yes, Finland is an EU country but there is no EU-wide legislation that would require us as a Finnish company to have backdoor or any other weakening in our software. And I do not know why encryption made in EU should be avoided in general.

To both Jacob and Dirk I would like to tell that as a board member of Finnish Information Security Cluster (www.fisc.fi) I had the pleasure of taking part in a hearing organized between this association and representatives of Finnish Ministry of Internal Affairs, Ministry of Justice and Finnish Security Intelligence Service in early November. This was due to the fact that the legislation about security intelligence is being modernized in Finland and they wanted to hear the companies opinions and concerns about the subject. In the meeting the legislators representatives confirmed that there will not be any discussions about backdoors or such as these will be ruled out in the legislation – Finland is a country in which there are not and will not be any backdoors required. Other FISC board members present included representatives from companies companies such as F-Secure, SSH and Nixu.

Hence, there is no political or regulatory reasoning to do it, and definitely no business reasoning for us to incorporate backdoors in our products. So can someone tell me why would we have backdoor in our product?

I am glad to take part in the conversation and will try to ask any questions if needed.

@ John Steinman

Thanks for bringing us up in the conversation!

Dirk Praet January 4, 2016 4:26 PM

@ Tommi Rasila

And I do not know why encryption made in EU should be avoided in general.

Neither do I. Please re-read my comments. One @John Steinman made a number of unsubstantiated allegations about backdoors in German encryption software and avoiding EU encryption. Which I asked him a series of questions about because they all sounded like total felgerkarb to me.

As to Finland, I don’t have any reason to believe at this point that the Finnish administration holds similar beliefs on the issue as for example the UK or Sweden do.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.