Sometimes encrypting a single file isn’t enough. Sometimes you want to encrypt all the files in a folder, and often the sub-folders as well.
As you might imagine, there are several different solutions, depending on your particular needs.
I’ll review some of the alternatives, as well as their pros and cons.
Using Windows to encrypt files and folders
If you’re running Windows Professional Edition or better1, and your disk is formatted using NTFS (most Windows hard disks are these days), then Windows can encrypt your files and/or folders for you using EFS, or the Encrypting File System.
The technique is very simple. Right-click on the file or folder you want to encrypt – my example here is a folder called “Sensitive Documents” – and click on Properties.
In the resulting dialog, on the General tab, click on Advanced.
In the resulting “Advanced Attributes” dialog, make sure that “Encrypt contents to secure data” is checked.
Click OK. You may be asked whether you want the single item encrypted, or more. In the case of folders, the second option is to encrypt the folder and everything within it. In the case of encrypting a file, the second option is to also encrypt the folder containing the file. The choice is yours, depending on what you’re attempting to do. (In general, I find encrypting a folder and everything within it the most straightforward choice.)
The good news: It’s simple, easy, and almost completely transparent to encrypt a folder. Your folder, and all the files it contains, are encrypted. As long as you’re not logged in, anyone who steals or otherwise gains access to your computer, or even just your hard drive, cannot gain access.
The bad news: Anyone (including malware) who has access to your computer while you’re logged in can access your files, bypassing the encryption. In fact, anyone who can log in by virtue of knowing or cracking your log-in password can, as well; your log-in password is, perhaps, the weakest link. The files are encrypted on your hard drive, and there’s no way to share the encrypted files with others.
VeraCrypt is a successor to the once very popular TrueCrypt. It has a couple of different approaches to high-quality encryption, one of which we can use to encrypt a folder – or at least something very similar.
You can use VeraCrypt to create an encrypted container secured with a passphrase. This is a single encrypted file kept on your computer’s hard drive. You then “mount” that file using VeraCrypt, supplying the passphrase to decrypt it. Once mounted, the unencrypted contents of that file appear as a separate drive – often called a virtual drive – on your system. Reading data from and writing data to that virtual drive transparently decrypts and encrypts the data stored in the container file. Once the drive is unmounted, the data is once again inaccessible without re-mounting the container and knowing the passphrase.
The specific details are beyond the scope of this article, but as an example, you might create a container C:\Users\loginname\Documents\MySensitiveDocuments, and give it a nice, secure passphrase. When you mount MySensitiveDocments using VeraCrypt and that passphrase, you can then assign it a drive letter – I’ll use “S:” for this example. Now any program can read and write files and folders to drive “S:”; when doing so, the data is stored inside of the file MySensitiveDocuments in encrypted form. Once you unmount the container, drive S: disappears, and the data is no longer visible in unencrypted form.
Using VeraCrypt to manage an encrypted container in this way is very similar to having an encrypted folder.
The good news: VeraCrypt provides high-quality encryption, and is available on multiple platforms. Containers created by VeraCrypt are not tied to your login, but are secured by a passphrase. The containers can be copied from machine to machine and opened anywhere. Once mounted, encryption and decryption is transparent to any program reading and writing data on the virtual drive.
The bad news: Containers are monolithic, meaning that regardless of how many files they contain, they are still a single container file. The container size is specified when you create it, and cannot be resized. The only way to move encrypted data from one place to another is to copy the entire container.
BoxCryptor uses a model similar to VeraCrypt, but is designed to work optimally with online or “cloud” services. Rather than storing everything in a single container, BoxCryptor maintains individually encrypted files.
When you install and configure BoxCryptor, you point it at an empty folder on your machine which will contain your encrypted data, and specify a passphrase to use for encryption.
You then mount that folder using BoxCryptor and your chosen passphrase. Much like VeraCrypt, a virtual drive appears. Files and folders transparently written to and read from that virtual drive are encrypted and stored within the folder you originally specified. Once you unmount the folder, only the encrypted copies remain accessible.
The major difference between BoxCryptor and VeraCrypt is that BoxCryptor maintains the encrypted files and folders as individual files and folders rather than using a single, monolithic container. The article BoxCryptor – Secure Your Data in the Cloud goes into the differences in more detail.
The good news: BoxCryptor provides high-quality encryption and is available on multiple platforms. It’s highly suited to storing encrypted data on online storage services. Like VeraCrypt, your data is protected by a passphrase, and is not tied to your login. Once mounted, encryption and decryption is transparent to any program reading and writing data on the virtual drive. There are no size issues, other than the disk space you have available.
The bad news: You cannot easily copy individual files encrypted using BoxCryptor to other machines, though of course the entire encrypted folder is designed to be replicated to other machines and cloud storage providers.
It’s difficult to make a recommendation
Normally, I’d make a recommendation as to what technology might be best suited. Unfortunately, this really is a case where different tools solve the generic problem – how to encrypt a folder – in different ways that involve different trade-offs. You may need to evaluate those trade-offs differently.
What I can tell you is what I’ve settled on – and that’s BoxCryptor.
I don’t use operating-system encryption at the file or folder level. (I use whole disk encryption to secure my entire hard drive – more on that coming soon.) I use cloud storage heavily – both my own and that of popular services. BoxCryptor ensures that anything I consider even somewhat sensitive is stored securely encrypted, as it’s automatically replicated not only to online storage, but across my various computers as well.