You need the right tool for the job.
I’m not trying to be snarky, but that’s kind of like asking, “What’s your favorite hammer?”
The answer depends on the job. Sometimes I need a small, light hammer; sometimes I need a full-on industrial-strength nail-gun.
The same is true for encryption. It depends on what you’re attempting to accomplish.
I use and recommend:
- BitLocker for whole-disk encryption.
- Cryptomator to encrypt sensitive data being stored in the cloud.
- Zip encryption to encrypt individual files or collections of files.
- ProtonMail for encrypted email.
I also keep VeraCrypt and GPG encryption tools available.
I use whole-disk encryption on my laptop and recommend it for any computer that travels. Whole-disk encryption ensures that if your device is stolen, its contents cannot be seen by the thief.
Granted, most laptop theft targets hardware with the intent of reselling it, but you can’t be too careful. Particularly if you regularly carry high-value, sensitive data — which could be personal, business, or even governmental — then securing your device this way is almost a requirement.
I use BitLocker whole-disk encryption. While forms of it have made their way into Windows Home editions, I prefer to have Windows Pro edition for maximum control. VeraCrypt is another platform-independent alternative.
Encryption for the cloud
I’m a proponent of cloud storage. Services like Dropbox, OneDrive, and others provide convenient and accessible online storage. They can be used as part of a robust backup plan, and are an easy way to maintain data across multiple machines and share data with others.
When you use these services, you’re putting your data in the cloud, online, on “someone else’s computer”, as some like to say. It’s possible others could see your data. This could range from rogue employees of the service to court-ordered access or your account being hacked.
Encryption under your own control is the answer.
I use Cryptomator to encrypt sensitive information I place in Dropbox. This means that the unencrypted data is never actually copied to the cloud. Only securely encrypted data is uploaded. After mounting the Cryptomator vault with my master password, I can access the encrypted files normally.
If I just want to encrypt a file or folder, I use 7-Zip with the password option. Depending on my intent, I may use 7-Zip’s native “.7z” format, which has slightly more effective compression, or the traditional “.zip” format, which is supported natively on almost all platforms without requiring 7-Zip itself.
Password protection in zip files has a sordid history. In the past, to put it bluntly, the encryption just wasn’t all that good. Those days are past, and zip file encryption in current tools is robust.
The only catch with zip file encryption is that file names are not encrypted. That means someone could see the list of files even though they could not see the contents of those files. A quick solution is to zip the zip file again. In this case, it’s really only the outer zip that needs a password.
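An added example (not code from the article) that builds a small password-protected zip in memory with Python's standard library and then applies the "zip the zip" trick; the file names, contents and passwords are constructed for the demonstration. It uses the legacy ZipCrypto scheme only because the standard library's zipfile module can read it; the visible file list is a property of the zip container itself, so AES-encrypted zips from 7-Zip or WinZip expose names in exactly the same way.

```python
import io, os, struct, zipfile, zlib


def _crc_byte(crc, byte):
    # One reflected CRC-32 step; ZipCrypto uses it to stir its key schedule.
    crc ^= byte
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


def zipcrypto_encrypt(pwd, data):
    # PKWARE "traditional" zip encryption: three rolling keys seeded from the password.
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(c):
        keys[0] = _crc_byte(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc_byte(keys[2], keys[1] >> 24)
    for c in pwd:
        update(c)
    out = bytearray()
    for c in data:
        t = keys[2] | 2
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(c)  # the schedule advances on the plaintext byte
    return bytes(out)


def build_encrypted_zip(name, data, pwd):
    # Single "stored" entry with the encryption flag set; the 12-byte check
    # header ends with the CRC's top byte so readers can verify the password.
    crc = zlib.crc32(data) & 0xFFFFFFFF
    enc = zipcrypto_encrypt(pwd, os.urandom(11) + bytes([crc >> 24]) + data)
    hdr = (20, 1, 0, 0, 0x21, crc, len(enc), len(data), len(name), 0)
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", *hdr) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, *hdr, 0, 0, 0, 0, 0) + name
    end = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(enc), 0)
    return local + enc + central + end


def list_names(zip_bytes):
    # The central directory is never encrypted: no password is needed to see names.
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()


def read_entry(zip_bytes, name, pwd=None):
    # Only reading an entry's contents requires the password.
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).read(name, pwd=pwd)


# Constructed sample: a sensitive file in an encrypted zip, then that zip wrapped
# in a second encrypted zip so only the bland outer name is visible.
INNER = build_encrypted_zip(b"salary-review-2024.txt", b"confidential notes", b"inner-pw")
OUTER = build_encrypted_zip(b"inner.zip", INNER, b"outer-pw")
print(list_names(INNER), "->", list_names(OUTER))
```

If you use 7-Zip's native .7z format instead, its "Encrypt file names" option (the -mhe switch) encrypts the archive headers as well, which removes the need for the outer archive.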
Email encryption remains a mess. There are standards — plural — and none of them are accessible in a way that makes it easy for the average user to send or receive encrypted email consistently.
When I feel the need to send an encrypted message, I’ll do one of three things.
- Write my message as a separate document, encrypt it using 7-Zip, and send it as an attachment. I’ll share the password with the recipient some other way.
- Use ProtonMail. There are two approaches:
  - Email sent to another ProtonMail user/account is transparently encrypted within the app. I need do nothing more.
  - Encrypted email sent to a non-ProtonMail user results in a link to a webpage on the ProtonMail website to read the message. They need to provide a password, which, once again, I share with them some other way.
- There’s a third option if my non-ProtonMail recipient can deal with GPG/PGP encryption, but using this is rare.
Encryption tools on deck
In addition to the tools I use regularly, listed above, I keep a couple of additional tools ready and available in case they would solve a problem.
I have a GPG/PGP public/private key pair in case I want to use public-key encryption. Public-key encryption is the geekiest and (generally accepted as) most secure encryption currently in use. It’s the backbone of the internet. It’s also not simple to set up and use. I used to encrypt my backups using GPG, but in the interest of disaster planning, I switched to the more conceptually simple Zip encryption.
I also have VeraCrypt on deck for platform-independent whole-disk encryption or portable vaults. This could be a great way to share a lot of data with someone, particularly across platforms, in a single encrypted container without the overhead of having to unzip and re-zip a zip file.
Use the right tool for the job. Data security and privacy are important, and there are many different solutions designed for many different scenarios. The good news is that all those tools — from the equivalents of light hammers to industrial-strength nail-guns — provide easy and secure access when used properly.