Sometimes encrypting a single file isn’t enough. Sometimes you want to encrypt all the files in a folder, and often the sub-folders as well.
As you might imagine, there are several different solutions, depending on your particular needs.
I’ll review some of the alternatives, as well as their pros and cons.
Become a Patron of Ask Leo! and go ad-free!
Using Windows to encrypt files and folders
If you’re running Windows Professional Edition or better1, and your disk is formatted using NTFS (most Windows hard disks are these days), then Windows can encrypt your files and/or folders for you using EFS, or the Encrypting File System.
The technique is very simple. Right-click on the file or folder you want to encrypt – my example here is a folder called “Sensitive Documents” – and click on Properties.
In the resulting dialog, on the General tab, click on Advanced.
In the resulting “Advanced Attributes” dialog, make sure that “Encrypt contents to secure data” is checked.
Click OK. You may be asked whether you want the single item encrypted, or more. In the case of folders, the second option is to encrypt the folder and everything within it. In the case of encrypting a file, the second option is to also encrypt the folder containing the file. The choice is yours, depending on what you’re attempting to do. (In general, I find encrypting a folder and everything within it the most straightforward choice.)
The good news: It’s simple, easy, and almost completely transparent to encrypt a folder. Your folder, and all the files it contains, are encrypted. As long as you’re not logged in, anyone who steals or otherwise gains access to your computer, or even just your hard drive, cannot gain access.
The bad news: Anyone (including malware) who has access to your computer while you’re logged in can access your files, bypassing the encryption. In fact, anyone who can log in by virtue of knowing or cracking your log-in password can, as well; your log-in password is, perhaps, the weakest link. The files are encrypted on your hard drive, and there’s no way to share the encrypted files with others.
VeraCrypt
VeraCrypt is a successor to the once very popular TrueCrypt. It has a couple of different approaches to high-quality encryption, one of which we can use to encrypt a folder – or at least something very similar.
You can use VeraCrypt to create an encrypted container secured with a passphrase. This is a single encrypted file kept on your computer’s hard drive. You then “mount” that file using VeraCrypt, supplying the passphrase to decrypt it. Once mounted, the unencrypted contents of that file appear as a separate drive – often called a virtual drive – on your system. Reading data from and writing data to that virtual drive transparently decrypts and encrypts the data stored in the container file. Once the drive is unmounted, the data is once again inaccessible without re-mounting the container and knowing the passphrase.
The specific details are beyond the scope of this article, but as an example, you might create a container C:\Users\loginname\Documents\MySensitiveDocuments, and give it a nice, secure passphrase. When you mount MySensitiveDocments using VeraCrypt and that passphrase, you can then assign it a drive letter – I’ll use “S:” for this example. Now any program can read and write files and folders to drive “S:”; when doing so, the data is stored inside of the file MySensitiveDocuments in encrypted form. Once you unmount the container, drive S: disappears, and the data is no longer visible in unencrypted form.
Using VeraCrypt to manage an encrypted container in this way is very similar to having an encrypted folder.
The good news: VeraCrypt provides high-quality encryption, and is available on multiple platforms. Containers created by VeraCrypt are not tied to your login, but are secured by a passphrase. The containers can be copied from machine to machine and opened anywhere. Once mounted, encryption and decryption is transparent to any program reading and writing data on the virtual drive.
The bad news: Containers are monolithic, meaning that regardless of how many files they contain, they are still a single container file. The container size is specified when you create it, and cannot be resized. The only way to move encrypted data from one place to another is to copy the entire container.
BoxCryptor
BoxCryptor uses a model similar to VeraCrypt, but is designed to work optimally with online or “cloud” services. Rather than storing everything in a single container, BoxCryptor maintains individually encrypted files.
When you install and configure BoxCryptor, you point it at an empty folder on your machine which will contain your encrypted data, and specify a passphrase to use for encryption.
You then mount that folder using BoxCryptor and your chosen passphrase. Much like VeraCrypt, a virtual drive appears. Files and folders transparently written to and read from that virtual drive are encrypted and stored within the folder you originally specified. Once you unmount the folder, only the encrypted copies remain accessible.
The major difference between BoxCryptor and VeraCrypt is that BoxCryptor maintains the encrypted files and folders as individual files and folders rather than using a single, monolithic container. The article BoxCryptor – Secure Your Data in the Cloud goes into the differences in more detail.
The good news: BoxCryptor provides high-quality encryption and is available on multiple platforms. It’s highly suited to storing encrypted data on online storage services. Like VeraCrypt, your data is protected by a passphrase, and is not tied to your login. Once mounted, encryption and decryption is transparent to any program reading and writing data on the virtual drive. There are no size issues, other than the disk space you have available.
The bad news: You cannot easily copy individual files encrypted using BoxCryptor to other machines, though of course the entire encrypted folder is designed to be replicated to other machines and cloud storage providers.
It’s difficult to make a recommendation
Normally, I’d make a recommendation as to what technology might be best suited. Unfortunately, this really is a case where different tools solve the generic problem – how to encrypt a folder – in different ways that involve different trade-offs. You may need to evaluate those trade-offs differently.
What I can tell you is what I’ve settled on – and that’s BoxCryptor.
I don’t use operating-system encryption at the file or folder level. (I use whole disk encryption to secure my entire hard drive – more on that coming soon.) I use cloud storage heavily – both my own and that of popular services. BoxCryptor ensures that anything I consider even somewhat sensitive is stored securely encrypted, as it’s automatically replicated not only to online storage, but across my various computers as well.
Do this
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Podcast audio
More for Patrons of Ask Leo!
Silver-level patrons have access to this related video from The Ask Leo! Video Library.
I use AxCrypt, and believe it’s preferable to these mentioned here, because it encrypts either individual files or everything within a folder without peculiar restrictions or quirks. Encrypted files or folders can be copied to other machines and used, with the usual copy commands, without any restrictions.
http://www.axantum.com/AxCrypt/
AxCrypt used to come bundled with extra software – OpenCandy – that most antivirus programs tagged as a PUP/PUA (which is somewhat ironic given that it’s a security app).
https://www.axantum.com/AxCrypt/Freeware.html
I have no idea what, if anything, it’s bundled with now – OpenCandy was shut down last year – but it’s certainly not an app I’d recommend.
Hello Leo,
Your previous article about encryption and now this one has only served to confirm my purchase of Veracrypt. Regarding one or a small number of files to encrypt, the container can be quite small to not waste space.
I use Veracrypt now in a number of ways, utilising the basic idea of the container, mounting and dismounting is very easy, at first I found it daunting, now do it with my eyes shut.
I have an encrypted file (container) on Dropbox, within which I have various files, it is very simple to achieve.
I use it on my laptop in 2 different ways to ensure all critical files are secure.
Thank you for your advice, it has proven to be very very valuable.
Regards,
David Evans
“Your previous article about encryption and now this one has only served to confirm my purchase of Veracrypt.” – Purchase? I could be mistaken, but I don’t believe that there is a paid version – it’s free and open source – and so you should not have needed to purchase it.
In regard to VeraCrypt: “The container size is specified when you create it, and cannot be resized.”
I’m not an expert on VeraCrypt, but don’t believe that is correct. Although VeraCrypt containers can’t be reduced, my understanding is that they can be enlarged.
Yet another way to encrypt files is to Zip them. All good Zip programs today — freeware included — makes secure AES encryption available. An added benefit is that all Zip programs (unless explicitly told not to) will compress your files before encrypting them, thereby greatly enhancing the encryption.
An even greater benefit is that Zip programs are both ubiquitous, and multiplatform. The file I compress & encrypyt with WinZip on our desktop computer running 64-bit Windows 7, decrypts abd decompresses perfectly using the program “B1 Free Archiver” on my Amazon Kindle Fire HD8, running a modified Android operating system… and vice-versa!
My ONLY reservation is a completely personal one: the use of AES gives me grave misgivings. Its ubiquitouness makes me nervous because every hacker and his uncle will be out to break it, and God help us if they succeed because then practically the whole (AES-using) world will be at their feet.
My own personal preference is for Twofish. It came a close second in the very same contest which gave us AES, but it is very much less commonly used — and is thus (think I) a far less likely target.