Encryption, done properly, is the answer.
I know how you feel. I also have sensitive information on my laptop that I would prefer not to fall into the wrong hands.
I can handle losing the laptop, but thinking about the data in the wrong hands … well … that would be bad.
I’ve used different solutions over the years, and they all share one thing in common: encryption.
Become a Patron of Ask Leo! and go ad-free!
Encrypting data stored on your machine is important, and can be done in several ways: manual individual file encryption, such as Zip; whole-disk encryption, such as BitLocker; encrypted vaults, managed by tools like VeraCrypt; or automatic individual file encryption using BoxCryptor. Regardless of the tool, make sure you understand whether any unencrypted data is left around, and take care to never lose your encryption passphrase or recovery key.
Encrypting individual files
Encryption involves using archiving tools that allow you to assign the encrypted file a password.
A common approach is to use “zip” files and tools like 7-Zip. Zip files support password protection, encrypting the file’s contents.1 Originally, zip encryption was easily cracked, but it’s improved to be pretty good.
The problem with individual file encryption is that you must manually decrypt the file to use it. This also means you need to re-encrypt it when you’re done, and erase all traces of the work you did — such as temporary files — that might be left unencrypted.
Individual file encryption is appropriate for some things, but for frequent use, it’s typically too cumbersome.
Encryption of individual files offered by specific applications — such as password protection in Microsoft Office documents — can be good. Unfortunately, it can also be bad. Older versions of Office, for example, were quite poor at encryption. Current versions are better. If you go this route, you’re at the mercy of the individual application vendors’ expertise. I prefer dedicated encryption tools.
Encrypting the entire hard disk
Whole-drive encryption is the other extreme. It protects the contents of your entire system.
System-provided solutions, like BitLocker in Windows, use encryption keys based on your system login to encrypt the hard drive. If you can’t log in, you can’t access your data; it’s simple as that. It also protects your data should your hard disk be removed and attached to another computer.
If you lose your log-in account for any reason, you can lose access to your data permanently. BitLocker encourages you to back up the encryption key separately when you first encrypt your drive. If you use BitLocker, I strongly recommend you do so.
Third-party tools like VeraCrypt also support whole-drive encryption. This is independent of your system login and uses a secure passphrase to decrypt the drive and boot your system.
Important: your data is only secure if you log out or shut down. As long as you are logged in and able to access your data yourself, it’s available in unencrypted form. Avoid states like Sleep or Hibernate, neither of which is an actual logout.
I now use whole-disk encryption on my laptop, making sure to log out and shut down completely when appropriate.
VeraCrypt is free, open-source, on-the-fly encryption software. It provides industrial-strength encryption while still being fairly easy to use.
The two most common ways it’s used are:
- To encrypt an entire disk volume, such as a USB thumb drive, single partition, or entire hard disk, as described above.
- To create an encrypted virtual disk “volume” or container.
It’s the latter approach I use, as it makes it easy to copy entire containers from machine to machine.
An encrypted virtual disk is a file that VeraCrypt “mounts” as an additional drive letter on your machine. You specify the passphrase when it’s mounted, and the unencrypted contents of the container appear as another drive.
For example, you might create an encrypted volume in a file c:\windowssecritstuf. If someone were to look at its contents, they would see only random gibberish — the result of encryption. When mounted by VeraCrypt, it appears as another drive, perhaps “P:”. Drive P: looks and operates like any other disk and contains the unencrypted contents of the encrypted drive. Encryption is as simple as moving or copying a file to the drive.
The trick for security is to never mount the drive automatically. When your machine boots up, “P:”, for example, would be nowhere to be found. The file c:\windowssecritstuf would be present, but only visible as encrypted gibberish. If someone stole your machine, that’s all they would find.
Only after you’ve used VeraCrypt to select the file (c:\windowssecritstuf), chosen to mount it as (P:), and supplied the correct passphrase would the virtual drive be mounted and the encrypted data accessible.
Encryption for the cloud
You can think of BoxCryptor as a kind of hybrid combination of VeraCrypt’s vault with individual file encryption. (BoxCryptor: Secure Your Data in the Cloud has a more detailed comparison.)
Instead of a file, you point BoxCryptor at a folder — generally a folder in one of the online cloud storage services, like OneDrive — and it mounts that folder as a virtual drive. The data in the actual OneDrive folder is encrypted, and the virtual drive gives transparent access to the encrypted data, much like a VeraCrypt volume. Unlike VeraCrypt, the files are encrypted individually. When a file changes, only that file needs to be updated with the cloud provider.
While BoxCryptor is designed specifically to keep your cloud data secure, there’s nothing that says you can’t use it for other purposes. You can point it at any folder on your computer and have BoxCryptor manage encrypting the contents.
Particularly if you’re already using BoxCryptor for your cloud data, you won’t have to install any other software to encrypt local data.
Encryption and security caveats
Most of these approaches are relatively straightforward. The trade-off is complexity in setup versus complexity to use.
But there are additional items to keep in mind whenever you secure your system in this way.
- Passphrases are the weakest link. Encryption does not make a bad passphrase any more secure. If you choose an obvious passphrase, a dictionary attack can certainly be used to unlock your encrypted volume or decrypt your encrypted file.
- Encrypted volumes and encrypted files do you no good if the files you care about are elsewhere on your machine in some unencrypted form. This is one of the benefits of whole-disk encryption — it’s all encrypted, no matter what.
- You must back up. I recommend keeping the backups unencrypted but secure in some other way, in case you lose your computer, encrypted disk or files, or forget your password. Without the password, encrypted data is not recoverable.
Encryption is an important part of your security strategy. Keeping sensitive data secure requires forethought and planning. With viruses and spyware running amok, not to mention theft, there’s no excuse not to take time now to save grief later, should the unthinkable happen.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Footnotes & References
1: The data is encrypted, but the file names remain visible. To obfuscate those, zip the zip file with a password. In this case, the “inside” zip file need not have a password.