Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Should I Encrypt the Data on My Laptop?

Question:

My wife needs to encrypt patient files on her laptop.

She has been encrypting individual files, but I wonder if you recommend a program that will encrypt folders. e.g. her Documents folder?

Is there a way to encrypt a hard drive or partition?

Encrypting individual files is perhaps the least efficient way of protecting data. There’s also a serious potential for data leakage, as you must securely delete the unencrypted files after encrypting them. Most people don’t do that.

There are three basic approaches to securing data on a laptop. Which is most appropriate for you or your wife depends a little on how conscientious you are and a little on how geeky you are. Of course, all methods depend on how religious you are about backing up.

Become a Patron of Ask Leo! and go ad-free!

Whole-disk encryption

Once implemented, this is probably the easiest, most transparent approach to encryption. The good news is that it’s typically built right into the operating system.

The way it works is simple: you instruct the OS to encrypt the drive. Some time later (usually hours), the job completes and the data stored on the hard drive is encrypted.

Logging in to your machine “unlocks” the encryption. Once you log in, you use your computer as usual. That the data is encrypted on disk is completely transparent to you.

The good news here is that absolutely everything on the disk is encrypted: your data files, programs, the operating system, temporary files — even the “empty” unused space between files, which can often contain remnants of files that existed previously. And, as I said, you don’t need to change the way you use your machine. As long as you can log in, you can access your data.

If you can’t log in — as in you’re someone who’s just stolen the computer — the data is inaccessible to you. Period.

The biggest risk is that everything is accessible if you’re logged in. For true security, you never use sleep or hibernate modes, and always shut down your computer when walking away from it in a compromised area.

How Do I Encrypt a Disk? covers encrypting a disk using BitLocker in Windows.

Container encryption

There’s no practical “folder” encryption in Windows. You can mark a folder to be encrypted, and it behaves much like the whole-disk encryption described above. If you can log in, you can access it, and if you can’t log in, you can’t. If you’re considering this path, I’d probably go whole-disk anyway, since it avoids the whole issue of leaving traces via temporary and remnant files.

Otherwise, the more general approach is to create an encrypted “container” using a tool like VeraCrypt (the successor to TrueCrypt).

This technique creates a single (usually large) file that contains your data. Because the contents are encrypted, the file looks like random data. You access the data by “mounting” the file, at which point its contents appear as another drive. You access the files on that drive normally; they’re transparently decrypted when read and encrypted when written to disk.

Mounting requires you to know the passphrase for the container. As long as the container is not mounted, the files don’t appear and cannot be accessed. Once you mount it, supplying the correct passphrase, you can access its contents.

What’s handy about containers is that they’re portable. You can copy a container file (even without knowing its passphrase) to other machines, and open the container (as long as you do know the passphrase) there. It’s a single file that contains everything of import, and once mounted, you access the contents just like any other file.

The downside is that the program you use to access the file — say your word processor — may make temporary files outside of the encrypted container. Depending on how sensitive your data is, you’ll probably want to get into a habit of making sure those temporary files are deleted and the newly free space is wiped when you’re done.

Transparent file-by-file encryption

This is a file-by-file variant on container encryption. It was developed specifically for cloud storage providers such as Dropbox or OneDrive. You want to be able to encrypt files stored using those services, but you don’t want to have to upload an entire encrypted container every time one small file therein changes. File-by-file encryption solves this.

Using tools like BoxCryptor or the free Cryptomator, instead of creating a separate container file, you simply designate an existing folder on your machine to be the container. Like a container, you then “mount” the folder using the encryption software, and it appears as a separate disk drive on your machine. Data written to that drive is encrypted and written to the folder. Data read from that drive is read from the folder and decrypted.

While unmounted, the folder you designate contains nothing but encrypted and inaccessible files. Once mounted — after specifying the correct passphrase, of course — the drive makes them all accessible in unencrypted form.

The same downsides apply as to encrypted containers: unencrypted temporary and other files can be left outside the container, depending on how your programs work.

But file-by-file encryption is ideal when protecting data that might be copied to cloud storage. I have a substantial portion of my OneDrive protected in this manner.

A word about backing up

Always back up the unencrypted data. Secure it some other way.

I say that because depending on the algorithms used, or the situation you find yourself in, you could find yourself with encrypted data that cannot be decrypted. Be it losing a log-in password, hard drive corruption, or something else, it’s not uncommon to find yourself in a situation that’s so secure you can’t even access the files yourself.

Back up your data in its unencrypted form. Depending on exactly how you back up, you might secure it physically, by storing those backups in a secure location, or secure them by password-protecting the backups themselves, if the backup software supports it.

But I strongly recommend against blindly backing up encrypted files.

Which is right for you?

I can’t say what’s right for you.

Whole disk encryption is, perhaps, the most transparent and easiest-to-use method once implemented. Just remember that should you be unable to log in to your machine for any reason, all its content will be lost. I use whole-disk encryption for the laptop with which I travel1.

Container encryption might make sense if you’re looking at a single folder of data and you don’t need to synchronize with cloud storage. I used to use this exclusively, in the form of TrueCrypt, as it was a great way for me to copy containers from machine to machine. I no longer use this method.

Transparent individual file encryption is perfect for cloud storage, and even for more general-purpose encryption needs that don’t require the file synchronization aspects of tools like Dropbox or OneDrive. If the concept of mounting a drive to access your files, remembering to unmount it, and possibly running additional secure cleanup afterwards doesn’t seem daunting to you, this may be an option. As I mentioned above, I use this technique (using Cryptomater) for the majority of my OneDrive files.

Finally, since you indicated that your wife is using this in a professional capacity, be sure to check the requirements for her profession. As I understand it, in the U.S., for example, HIPPA may mandate some requirements.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & references

1: A Mac, but this functionality is available for PCs in the form of BitLocker.

1 thought on “How Should I Encrypt the Data on My Laptop?”

  1. I don’t usually encrypt the System drive as it adds other layers of complexity in remote access, backing up, imaging and logging on as my laptop is a domain member. What works for me is i partition the drive and create a “data” drive and encrypt the data drive. then i can boot as normal and login and manually unlock the encrypted drive if needed. another small advantage of this approach for me is when i leave the computer i run a batch file “manage-bde -lock -forcedismount D: ” and lock the Drive without needing to completely shut down.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.