You need the right tool for the job.
I’m not trying to be snarky, but that’s kind of like asking, “What’s your favorite hammer?”
The answer depends on the job. Sometimes I need a small, light hammer; sometimes I need a full-on industrial-strength nail-gun.
The same is true for encryption. It depends on what you’re attempting to accomplish.
Encryption tools
I use and recommend:
- Bitlocker for whole-disk encryption.
- Cryptomator to encrypt sensitive data being stored in the cloud.
- Zip encryption to encrypt individual files or collections of files.
- ProtonMail for encrypted email.
I also keep VeraCrypt and GPG encryption tools available.
Whole-disk encryption
I use whole-disk encryption on my laptop and recommend it for any computer that travels. Whole-disk encryption ensures that if your device is stolen, its contents cannot be seen by the thief.
Granted, most laptop theft targets hardware with the intent of reselling it, but you can’t be too careful. Particularly if you regularly carry high-value, sensitive data — which could be personal, business, or even governmental — then securing your device this way is almost a requirement.
I use Bitlocker whole-disk encryption. While forms of it have made their way into Windows Home editions, I prefer to have Windows Pro edition for maximum control. VeraCrypt is another platform-independent alternative.
Encryption for the cloud
I’m a proponent of cloud storage. Services like Dropbox, OneDrive, and others provide convenient and accessible online storage. They can be used as part of a robust backup plan, and are an easy way to maintain data across multiple machines and share data with others.
However.
When you use these services, you’re putting your data in the cloud, online, on “someone else’s computer”, as some like to say. It’s possible others could see your data. This could range from rogue employees of the service to court-ordered access or your account being hacked.
Encryption under your own control is the answer.
I use Cryptomator to encrypt sensitive information I place in Dropbox. This means that the unencrypted data is never actually copied to the cloud. Only securely encrypted data is uploaded. Mounting Cryptomator with my master password,[1] I can access the encrypted files normally.
Encrypted files
If I just want to encrypt a file or folder, I use 7-Zip with the password option. Depending on my intent, I may use 7-Zip’s native “.7z” format, which has slightly more effective compression, or the traditional “.zip” format, which is supported natively on almost all platforms without requiring 7-Zip itself.
Password protection in zip files has a sordid history. In the past, to put it bluntly, the encryption just wasn’t all that good. Those days are past, and zip file encryption in current tools is robust.
The only catch with zip file encryption is that file names are not encrypted. That means someone could see the list of files even though they could not see the contents of those files. A quick solution is to zip the zip file again. In this case, it’s really only the outer zip that needs a password.
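As an added example (not code from the article), the Python below builds a password-protected zip by hand and then uses the standard library to show the point just made: the file names come back without any password, while the contents do not, and wrapping the archive in a second zip exposes only one name. The legacy PKWARE ZipCrypto scheme is used only because Python can read it; the file names, contents and passwords are constructed samples.

```python
"""Added example (not from the article): a password-protected zip still leaks
its file names; 'zipping the zip' hides them. Entries use legacy PKWARE
ZipCrypto only because Python's stdlib can read it; the central directory,
which holds every name, is never encrypted under AES-protected zips either."""
import io, os, struct, zipfile, zlib

def _zipcrypto_encryptor(password: bytes):
    """Return a stateful encrypt(bytes) -> bytes function (PKWARE ZipCrypto)."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890
    # one table step of reflected CRC-32, via zlib's running-CRC API
    crc_step = lambda crc, b: zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    def update(b):
        nonlocal k0, k1, k2
        k0 = crc_step(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc_step(k2, k1 >> 24)
    for b in password:
        update(b)
    def encrypt(data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            update(p)  # key schedule advances on the plaintext byte
        return bytes(out)
    return encrypt

def make_encrypted_zip(files: dict, password: bytes) -> bytes:
    """Zip with stored, encrypted entries; names sit in clear in every header."""
    body, central = bytearray(), bytearray()
    for name, plain in files.items():
        crc, nm, enc = zlib.crc32(plain), name.encode(), _zipcrypto_encryptor(password)
        # 12-byte encryption header: 11 random bytes + CRC top byte (password check)
        payload = enc(os.urandom(11) + bytes([crc >> 24])) + enc(plain)
        # flags=1 encrypted, method 0 stored, time 0, date 1980-01-01, crc, sizes, name/extra len
        fixed = (1, 0, 0, 0x21, crc, len(payload), len(plain), len(nm), 0)
        central += struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, *fixed, 0, 0, 0, 0, len(body)) + nm
        body += struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, *fixed) + nm + payload
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, len(files), len(files), len(central), len(body), 0)
    return bytes(body + central + eocd)

def list_without_password(zipbytes: bytes) -> list:
    """Any zip tool can do this; no password is asked for."""
    return zipfile.ZipFile(io.BytesIO(zipbytes)).namelist()

def read_entry(zipbytes: bytes, name: str, pwd: bytes = None) -> bytes:
    return zipfile.ZipFile(io.BytesIO(zipbytes)).read(name, pwd=pwd)  # RuntimeError without pwd

def wrap_in_outer_zip(inner_zip: bytes, password: bytes) -> bytes:
    """The article's fix: the outer listing shows only 'docs.zip'."""
    return make_encrypted_zip({"docs.zip": inner_zip}, password)
```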
Encrypted email
Email encryption remains a mess. There are standards — plural — and none of them are accessible in a way that makes it easy for the average user to send or receive encrypted email consistently.
When I feel the need to send an encrypted message, I’ll do one of three things.
- Write my message as a separate document, encrypt it using 7-Zip, and send it as an attachment. I’ll share the password with the recipient some other way.
- Use ProtonMail. There are two approaches:
- Email sent to another ProtonMail user/account is transparently encrypted within the app. I need do nothing more.
- Encrypted email sent to a non-ProtonMail user results in a link to a webpage on the ProtonMail website to read the message. They need to provide a password, which, once again, I share with them some other way.
- There’s a third option if my non-ProtonMail recipient can deal with GPG/PGP encryption, but using this is rare.
Encryption tools on deck
In addition to those I use regularly listed above, I keep a couple of additional tools ready and available in case they would solve a problem.
I have a GPG/PGP[2] public/private key pair in case I want to use public-key encryption. Public key encryption is the geekiest and (generally accepted as) most secure encryption currently in use. It’s the backbone of the internet. It’s also not simple to set up and use. I used to encrypt my backups using GPG, but in the interest of disaster planning, I switched to the more conceptually simple Zip encryption.
I also have VeraCrypt on deck for platform-independent whole-disk encryption or portable vaults. This could be a great way to share a lot of data with someone, particularly across platforms, in a single encrypted container without the overhead of having to unzip and re-zip a zip file.
Do this
Use the right tool for the job. Data security and privacy are important, and there are many different solutions designed for many different scenarios. The good news is that all those tools — from the equivalents of light hammers to industrial-strength nail-guns — provide easy and secure access when used properly.
Footnotes & References
[1]: Or, more correctly, passphrase.
[2]: Gnu Privacy Guard, which is the open source equivalent to Pretty Good Privacy.
Leo, you wrote:
“…Sometimes I need a small, light hammer; sometimes I need a full-on industrial-strength nail-gun.”
I know this is nit-picking, but you are comparing hammers here… and a nail gun is not a hammer.
The correct comparison would be between something like an egg-cracker — something you might use to tap a thumbtack into place — and a full-on sledgehammer. (Or maybe even a piledriver.)
Weird as it may sound, nitpicks like this really do irritate, so please humor me. Thanks.
A nail gun drives in a nail in one pull of the trigger. I’d say it’s comparable to a hammer.
Consider yourself humored, but I’m sticking with the comparison. A hammer and a nail gun are both used with nails, differing in approach.
For encryption, I use VSEncryptor. I went out of my way to seek a program that encrypts using Twofish rather than AES.
Twofish came in (I think) second (or was it third?) in the AES competition, so it’s a perfectly good cipher.
Its main claim is its obscurity: Unlike AES, which every hacker and his Uncle are looking to compromise — and God help us all if they do, because the world would be brought to its knees — Twofish is rarely used and equally rarely targeted.
I just feel better that way.
Instead of Bitlocker I use Veracrypt for whole-disk encryption because I’m using Windows 10 Home.
I use Cryptomator to encrypt sensitive data being stored in the cloud.
I use Zip encryption occasionally, and sometimes to encrypt email attachments.
I use Kleopatra to manage GPG encrypted attachments to exchange encrypted email with the few people who understand GPG.
I’ve found an app I prefer to GPG & Kleopatra: PGP TOOL. It’s much easier to use.
I tried to go to their website to verify that I got the link correct and I got an error saying:
“509
Bandwidth Limit Exceeded
The server is temporarily unable to service your request due to bandwidth limit has been reached for this site. Please try again later.”
That’s an error on PGP TOOL’s website, so try again later.
Update: I still get the Bandwidth Exceeded limit error. I hope they get their site up again. In the meantime, I found it on GITHUB PGP Tool.
You can also check alternativeto.net for PGP alternatives if that one doesn’t get back online. That’s where I found PGP Tool the first time.
It appears Google is rolling out a user-friendly email encryption solution. It’s not yet available to the general public.
https://www.zdnet.com/article/google-is-expanding-this-next-level-encryption-to-more-gmail-users/
> The only catch with zip file encryption is that file names are not encrypted.
That’s incorrect. If it’s an image file, the zip program will show a thumbnail without the password. Not something you would want if they were “private” images.
I zip encrypted a file to try this out and no thumbnail was visible when I checked it out. Can you give an example screenshot?
My mistake. I quit using 7-Zip due to this issue years ago. I posted without double-checking that it was still the case. I just checked and it no longer appears to work that way.
Leo… you mentioned Bitlocker. Does that encrypt or does it only lock a drive and make the contents “invisible”?
Bitlocker encrypts the drive.
https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
You mentioned encryption for your laptop as a travelling device. I’ve started to encrypt my desktop to cater for a potential situation where the PC may need to be sent away for repair. To do this I’ve set up a Veracrypt volume which automatically mounts on system load and has a password supplied via Keepass.
Phil, sounds like you use Veracrypt to encrypt a group of data directories but not the system directories required to boot Windows & run programs?
Does Cryptomator have iOS & Android clients?
I keep almost all of my personal files on OneDrive & much as I’d like to have them encrypted, I don’t want this to get in the way of access from a phone or by family members.
Yes:
https://cryptomator.org/tags/ios/
I use BitLocker here on my desktop PC (Windows 11 Pro) and both of my laptops (one, Windows 11 Pro, the other Windows 10 Pro) the older of which will never meet Windows 11’s hardware requirements (the CPU is too old, although it has TPM2 and Secure Boot). Both laptops are configured to shut down when the lid is closed if it is not plugged in. This way, if any of my devices is/are stolen, the thief will be unable to see/access the contents of the drives, and the only way to make any of them usable will be to perform a fresh install of Windows from a USB stick (wiping everything on the computer).
Since I dual-boot Windows with Fedora Linux, I also have a boot-up password configured on all three PCs. This way, I have to sign in to boot the system at all (I wonder if that will keep thieves from re-installing Windows too? I haven’t considered that possibility before, I’ll have to do some research on that . . . maybe add a UEFI access password too?).
For those rare occasions when I want to digitally share the content of a file, if appropriate, I use 7-Zip with a password to secure it, and I give the password to the intended recipient some other way (usually a phone call).
Even though I’m a retiree, and I have no affiliation with any company, I consider security to be of the utmost importance for any computer user, be they a corporate, Government or private user (me). I keep my OSs and all installed apps as up to date as possible. I employ Cognitive Security (essentially, think/check before I click, and ALWAYS remain very skeptical about everything that comes from the internet). I also continually look for ways to make my PCs as secure as possible, both from external sources, and from theft. As I see it, the harder I can make it for the bad guys, the better!
My2Cents,
Ernie
I use Megasync for cloud backup. It offers end-to-end encryption and versioning, plus you can designate as many folders as you like to be synced dynamically.
For secure email, I use Tutanota. Unlike Protonmail, it encrypts the entire message, headers and all. They have apps for Apple, Android, Windows and Linux, with all being virtually identical in operation. In addition they feature end-to-end encrypted address book and calendar, offline storage and now conversation view. Like Protonmail, messages between Tutanota subscribers are automatically encrypted. Those to non-subscribers are encrypted and an email sent to the recipient with a link to decrypt using a password sent to the recipient by another path. The recipient can reply encrypted. Limited version is free or 1 euro/month for paid version with 1 GB storage.