Sending an encrypted document as an attachment is a pretty reasonable approach to sending information securely in what is otherwise an unsecure medium – email. Even though there are approaches to encrypting email, they’re either obscure or complex, and not as ubiquitous as we’d like.
Encrypting individual files can also be an important step to your own secure data management.
I’ll look at two approaches to encrypting a single file which can be sent securely in email, yet typically, decrypted easily by just about anyone.
I’ll also take special care to call out the weakest link most likely to allow your encryption to be cracked. It may not be what you think.
After installing AxCrypt and creating an AxCrypt account, a new context menu is added to Windows Explorer. Right-click on any file in Windows Explorer, and you’ll see this:
The most relevant action is Encrypt, which encrypts the selected document, removing the original and replacing it with the encrypted version as a “.axx” file.
While previous 1.x versions of AxCrypt would allow you to specify a simple passphrase as the encryption key, the current version uses an encryption key based on your AxCrypt log-in account. This makes encryption and decryption nearly transparent, as there’s no prompt – the action just happens as long as you’re logged in to that AxCrypt account.
Important: do not lose your AxCrypt account password. If you have to reset it, you will lose access to all files previously encrypted using your account. There is no recovery back door.
The free version of AxCrypt is a nearly perfect solution when you’re simply encrypting files for yourself. Logging into your AxCrypt account is enough to make encrypting and decrypting files easy across all your Windows machines. (Additional platforms besides Windows are promised, but not yet available at this writing.)
Sharing encrypted files
Back to our original question. AxCrypt 2.0 free works well when you’re the only one needing access to your files.
If you need to share your encrypted files, there are two quick approaches:
- AxCrypt 2.0 Premium (which is not free) allows you to give specific other AxCrypt users the ability to decrypt the files you encrypt.
- Use a different, albeit it slightly more cumbersome, tool.
Since AxCrypt is also currently Windows-only, it’s that second approach you’ll need if your recipients are not running Windows.
7-Zip and Zip files in general
The Zip format, formally referred to as an “archive”, is primarily intended to let you bundle multiple files together into a single file that is compressed to save space. You can password protect the result, which encrypts the contents.
There’s nothing at all that says you must include several files. As a result, .zip is also a fine format for encrypting single files.
I’ll use 7-Zip for my example, but the .zip file format is ubiquitous, and zipping tools are available on almost every platform, including Windows, Mac, and Linux. A file encrypted on one should be decryptable on any other.
Open 7-Zip and navigate to the folder containing the file you wish to encrypt. Right-click on the file, select 7-Zip, and then Add to archive.
The other quick options, like “Compress to ‘<filename>.zip’ and email” look convenient, but they don’t encrypt – thus our use of the “Add to archive…” option.
In the resulting dialog, there are a few settings we want to pay attention to.
- Set the archive format to “zip”. This ensures that 7-zip, specifically, is not required to extract the file. Anyone with a Zip program (and the password) can open it.
- Enter a password – more ideally, a passphrase – to secure the file.
- Select the encryption method: ZipCrypto, the default, is the most compatible across different unzipping programs; AES-256 is somewhat more secure. I’d generally recommend AES-256, unless your recipient tells you that they are unable to decrypt it.
Click OK and 7-Zip will create your .zip file.
In this example, I encrypted the Windows 10 Anniversary Upgrade utility file, Windows10Upgrade28084.exe into Windows10Upgrade28084.zip. Note that unlike AxCrypt, Zip utilities leave the original alone. You may want to delete that if you don’t want an unencrypted copy of your file to remain.
You can now send that file to others, and they can use their zipping program to extract the contents of the file. (Be sure to share the passphrase separately – ideally via a method other than email in this case.)
Using 7-Zip in a command line operation
I’ll be honest and say that I’m not a big fan of the graphical interfaces of most zipping utilities. They’re too confusing and cumbersome to me.
Here’s what I really do to zip a file: in a Windows Command Prompt, I type:
7z a -tzip -p example.zip example.doc
- 7z: Is the 7-zip command line program.
- a: Means that we are adding a file to an archive.
- -tzip: Indicates that the type of the archive to create is a zip file.
- -p: Causes 7-zip to prompt for a password to be used to encrypt the file.
- example.zip: Is the zip file we are creating (or, if it exists, the zip file we are adding to).
- example.doc: Is the file we are adding to the zip file.
To decompress and decrypt the zip file back into its original file or files, the command would be:
7z x example.zip
Where the “x” command simply stands for extract.
One Zip drawback
One of the characteristics of the zip file format is that even if it’s encrypted, the list of filenames it contains remains visible in unencrypted form. The net effect is that in our example, someone without the password may not be able to see the contents our file, but they can still see its name.
The traditional solution to this is to rename the file to something obscure before zipping, or to zip twice. Zipping twice has the added benefit of preserving the original filename for the intended recipient.
- Zip the file once, without a password, into a single .zip file with an appropriately obscure name, like “zippedfiles.zip”.
- Now, zip that file again into another .zip file, this time specifying an encryption password.
The net effect of this approach is that both the contents of the files, as well as the names of the files contained within the original zip, are protected.
You are the weakest link
There’s often a lot of discussion around what encryption technology is the “best” and least susceptible to cracking. That’s an important discussion, and in my opinion, the scenarios above are sufficiently secure for all but the most demanding applications. (Depending on your needs, you can delve deeper into different algorithms used in most zipping programs, or dive into public key encryption with PGP/GPG.)
However, hackers rarely gain access to encrypted files by cracking the algorithm.
Instead, they simply hack the password.
Picking a weak password makes that kind of discovery easy.
Unlike hacking passwords online, in this case an attacker can spend as much time with your encrypted file as he or she would like to. In fact, they can throw as much computational power at it as they might want to simply perform a brute force attack – trying every possible password.
An eight-character password is nothing to an offline brute force attack these days.
That’s why most of these programs don’t use the word “password,” but instead default to “passphrase”.
Rather than using a short eight-character password, instead use a longer phrase consisting of four or five words that total at least 20 characters or more. No matter how you do the math, this is virtually uncrackable using current brute force techniques.