APC Australia

PROTECT YOUR DATA

Encrypt files, folders, and even entire drives to keep your information secure.

Worried about the security and visibility of your data? Do you have sensitive files you want to keep away from potentially prying eyes? Worried that your cloud backup isn’t as secure as it might be? Concerned that the data on your laptop might be vulnerable to theft? Want to dispose of files – or an entire PC – without compromising the data (including previously deleted files) on it? You’ve come to the right place.

In this feature, we explore numerous options for protecting your data, both data stored on your PC and that backed up elsewhere, whether on local storage or in the cloud. We also reveal how to ensure all data you delete is shredded beyond recovery, too, enabling you to pass on a PC or drive to a new home without having to worry about the data previously stored on it.

When it comes to sensitive files, the solution lies in a process called encryption. File encryption works using cryptography to scramble the contents of files so they’re unreadable without the correct authentication – usually a password that is used to unlock an encryption key, which in turn decrypts the file so it’s readable. Some encryption can be further strengthened by the requirement of additional forms of authentication such as so-called key files or physical devices, like smart cards.

Encryption keys are created using special algorithms. Common examples include Advanced Encryption Standard (AES) and Twofish. The longer the key, measured in bits, the more secure it is, so 256-bit is better than 128-bit, and 512-bit is better than 256-bit. Encryption is a resource-heavy process, particularly as key lengths increase, so be prepared to see protected files take longer to open or save. If you have a modern CPU, you’ll find AES is by far the quickest encryption standard, thanks to the implementation of hardware-accelerated AES encryption on supported processors.

Encryption can be performed on individual files or entire drives, and that’s where we begin our feature, with a comprehensive guide to scrambling the files on your PC. Turn the page to get started.

When it comes to encrypting individual files or entire drives, there are numerous options available. If you’re running the Pro, Enterprise, or Education version of Windows 10, you’ll find built-in options exist in the form of BitLocker and EFS – the box opposite reveals how BitLocker works and what you need to run it. EFS – Encrypting File System – enables you to individually encrypt files or folders using your Windows password as the encryption key. If the drive is stolen, the files are unreadable without your Windows account password.

To encrypt one or more files or folders, select them in File Explorer, right-click the selection, and choose Properties. Click Advanced, then tick the box next to Encrypt contents to secure data. Click OK then Apply – you’re prompted to encrypt the parent folder if applicable for greater security. Make your choice, then click OK.

EFS is a simple but relatively weak way to encrypt files. If you’re looking for something stronger, or don’t trust Microsoft with keeping your data secure, read on.

Simple, fast file encryption

If you only need to encrypt individual files on a semi-regular basis – or wish to encrypt files before sharing them with others – the open-source tool AES Crypt (www.aescrypt.com) is all you need. Download and install the program, then going forward, simply right-click the file you wish to protect, and choose AES Encrypt. Enter a strong password – the more characters, the stronger the encryption – and click OK. An encrypted copy of the file with an .aes file extension is created, unreadable to anyone who doesn’t know the password.

If you want to share the file with others, send them the encrypted version, then communicate the password separately and securely. They need to install AES Crypt before double-clicking the file and entering the password required to extract the decrypted original.

It’s also possible to encrypt Office documents – but encryption is only effective in Word 2007 or later, which first employed AES 128-bit and more recently (from Office 2016) AES 256-bit encryption. To do so in Office 2007 or later, select the File tab and choose Info > Protect Document > Encrypt with Password.

If you want stronger encryption for individual files or folders, Gpg4win (www.gpg4win.org) works in a similar fashion to AES Crypt, with the added bonus of allowing you to encrypt files using public keys protected by passphrases for additional security. After installation, launch the Kleopatra tool and choose File > New Key Pair, then select Create a personal OpenPGP key pair to get started. Once done, you can then encrypt files by right-clicking them in File Explorer and choosing Sign and encrypt to use your key (you can also encrypt files with a simple password, too, if you prefer).

A one-stop solution

AES Crypt and Gpg4win are perfect for occasional encryption, but you’ll need to re-encrypt your files each time you make changes to them. If you want a more comprehensive, flexible solution, VeraCrypt (www.veracrypt.fr/en/) pretty much does it all. It can be used in a variety of ways to meet most people’s needs – like BitLocker, you can encrypt entire drives, including your Windows boot drive, but you can also restrict its use to a specific set of sensitive files using a smaller virtual encrypted container, which resides as a file on your hard drive.

The app is available for Windows, Mac, and Linux, so you can use it across all your computers. There’s a portable version available, too, which can do everything except encrypt your boot drive. After downloading and installing (or extracting to your portable apps folder), launch the program – Veracrypt-x64.exe if you’re running the portable version – and you will find yourself at the main VeraCrypt window.

Create a virtual drive

The VeraCrypt Volume Creation Wizard now opens, with Create an encrypted file container selected by default. This is the safest option, because it merely creates a single file on an existing hard drive, inside which all your sensitive data will be stored for you. There’s no risk to any other files or drives. To proceed, click Next.

Two types of volume can be created – to simply protect the data if the drive it’s on is lost or stolen, leave Standard TrueCrypt volume selected, click Next again, and skip to the next section.

You’ll also see an option to create a hidden volume, with an explanation about why you might want one. Hidden volumes are created inside standard TrueCrypt volumes, hiding themselves in their free space.

First-time users should select Hidden TrueCrypt volume then Normal mode to create a standard TrueCrypt volume inside which your hidden volume will be created. If you’ve already created a standard volume, you can choose Direct mode instead when prompted, and follow the prompts to set it up inside your standard TrueCrypt volume. In either event, the wizard follows a similar process to that for standard volumes, as described below.

One tip if you plan to create a hidden volume: Be sure to save selected files to the standard volume. An empty standard volume would arouse suspicion among those you’re trying to hide your data from.

Set up a standard volume

Click the Select File… button, browse to your USB thumb drive, then type a new file name into the File name box. Avoid using a file extension – this can be problematic – and click Save. Click Next to choose your encryption options for the volume. Five encryption algorithms are supported: AES, Serpent, Twofish, Camellia, and Kuznyechik – select one at a time for a description. Beneath these are no fewer than ten combinations of two or more algorithms for those who want multiple layers of encryption. The truly paranoid can click the Test button next to an option to verify VeraCrypt’s implementation of the selected algorithm is compliant with certain standards.

Click the Benchmark button to open the Algorithms Benchmark window, then click Benchmark to compare the performance of each encryption algorithm. The process of encrypting and decrypting data will have an impact on disk write/read speeds, and you can compare the different algorithms (single and combined) from here. Straight AES encryption is recommended for most people, or AES combined with Twofish if you want a second layer.

Beneath the encryption algorithm, you’ll see a section on hash algorithms, complete with a handy link explaining how they work. These are basically used to generate the encryption keys and salt (random data used to protect your password from hackers). Five hash algorithms are currently supported, but for most people, the default SHA-512 is fine – you might choose SHA-256 if performance is more important than security.

Extra authentication

Once you’ve chosen your options, click Next. You’re now prompted to set a size for your file container. Choose a figure based on how much data you need to encrypt and how much free space is available. Click Next to enter a password – you’ll need this to access your files in future, so make sure it’s memorable (or stored somewhere secure, like a self-hosted Bitwarden password manager), but also tough to crack. Try to make it at least 20 characters in length.

Gain additional protection by ticking Use keyfiles and clicking the Keyfiles button. This adds another layer of protection: Not only do you have to enter your password correctly, but you also need to select whichever file (or files) you choose to be linked to your container. These files can be already present on your hard drive – choose a compressed format such as MP3 or Zip – or you can have VeraCrypt generate a new random key file from scratch. Either way, make sure the files are backed up somewhere safe, because if they’re deleted or the first 1,024KB of data is changed, your vault will be impossible to access.
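A way to confirm that a keyfile backup is still usable, shown as an added example that is not part of the original article and not VeraCrypt's own code. It fingerprints only the first 1,024KB the article says matters; the file name and the use of SHA-256 for the fingerprint are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import tempfile

# The span the article says must not change: the first 1,024KB of the keyfile.
KEYFILE_SPAN = 1024 * 1024


def keyfile_fingerprint(path: str) -> str:
    """SHA-256 over the leading span only; bytes past it are not hashed."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read(KEYFILE_SPAN)).hexdigest()


def keyfile_unchanged(path: str, recorded: str) -> bool:
    """True if the leading span still matches the digest recorded at setup."""
    return hmac.compare_digest(keyfile_fingerprint(path), recorded)


def _flip_byte(path: str, offset: int) -> None:
    """Simulate an edit (e.g. a tag editor rewriting an MP3) at one offset."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0xFF]))


def demo() -> tuple:
    """Constructed keyfile: edit the tail, then the head, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keyfile.bin")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(os.urandom(KEYFILE_SPAN + 4096))
        # Keep this digest with the keyfile backup, not beside the container.
        recorded = keyfile_fingerprint(path)
        _flip_byte(path, KEYFILE_SPAN + 100)   # outside the span
        tail_edit_ok = keyfile_unchanged(path, recorded)
        _flip_byte(path, 100)                  # inside the span
        head_edit_ok = keyfile_unchanged(path, recorded)
        return tail_edit_ok, head_edit_ok


if __name__ == "__main__":
    print(demo())
```

Running the check against both the working keyfile and its backup before relying on either catches silent edits made by media players or archive tools.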

Checking the Use PIM box creates an additional step after clicking Next, where you can set a custom Personal Iterations Multiplier. The default setting (485) prioritises security over speed when mounting the volume after each system boot – should you wish to reduce the time taken, you can set a lower value, but make sure you’ve set a lengthy password.
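How the hash algorithm, the salt and the PIM combine when a password is turned into a key, as an added sketch that is not from the article and is not VeraCrypt's own code. The iteration formula for file containers (15000 + PIM × 1000) and the 64-byte salt are taken from VeraCrypt's documentation rather than from this page; the passphrase is a constructed sample.

```python
import hashlib
import os
import time

SALT_BYTES = 64   # assumption from VeraCrypt's docs: 512-bit random salt
KEY_BYTES = 64    # enough key material for one 256-bit cipher in XTS mode


def iterations_from_pim(pim: int) -> int:
    """Iteration count for a file container (documented VeraCrypt formula)."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return 15000 + pim * 1000


def derive_header_key(password: str, salt: bytes, pim: int,
                      hash_name: str = "sha512") -> bytes:
    """PBKDF2-HMAC: every password guess costs the full iteration count."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               iterations_from_pim(pim), dklen=KEY_BYTES)


def seconds_per_guess(pim: int, hash_name: str = "sha512") -> float:
    """Time one derivation: the cost paid at mount and by each attacker guess."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    derive_header_key("constructed sample passphrase", salt, pim, hash_name)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Lowering the PIM speeds up mounting and guessing by the same factor,
    # which is why a low PIM needs a long password to compensate.
    for pim in (1, 98, 485):
        print(f"PIM {pim:>3}: {iterations_from_pim(pim):>7} iterations, "
              f"{seconds_per_guess(pim):.3f}s per guess (SHA-512)")
```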

Format and mount

After clicking Next, you’re asked if you plan to store files larger than 4GB in your new virtual drive – this determines which filesystem is set as the default in the next step (exFAT if yes, FAT if no). Click Next and you’re ready to configure and format your volume. You can change the filesystem here – NTFS and ReFS are also available – plus choose whether to perform a quick format (not recommended). Checking Dynamic means the file containing your encrypted volume isn’t formatted as its actual size, but instead increases in size as you add content to it – this comes with several warnings, not least of which are severely degraded performance and reduced security.

You’ll see a prompt to move your mouse within the VeraCrypt window to improve the cryptographic strength of the volume’s encryption keys. When you’ve configured the drive and the Randomness Collected From Mouse Movements meter is full, click Format, and the encrypted volume is created. Wait until the confirmation dialog box appears, then click OK followed by Exit to return to the main VeraCrypt window, ready to access your encrypted container for the first time.

Select a free drive letter from the list and click the Select File button to choose your encrypted container. Click the Mount button and then enter the volume’s password before – if applicable – clicking the Keyfiles… button to select the required files that will give you access to your container when you click OK.

You’ll see a Mount Options… button; clicking this reveals options such as opening the volume in read-only fashion, or assigning it a specific drive label in Windows. If your volume contains a further hidden volume, be sure to tick Protect hidden volume against damage caused by writing to outer volume to safeguard its contents.

After clicking OK, wait while the volume is mounted – you should see your encrypted container appear in the main VeraCrypt window. It can now be accessed like any other drive – copy or save files directly into here to ensure they’re protected going forward. When you’ve finished with the drive, right-click its entry in the VeraCrypt window, and choose Dismount to lock it away from prying eyes.

Encrypt Windows

VeraCrypt can also be used to encrypt your entire Windows installation. All files remain encrypted on your disk even in use – they’re simply decrypted on demand to allow Windows and your apps to run normally without exposing the data to potential problems, such as sudden power loss.

This form of encryption is particularly suitable for those who carry sensitive information with them – typically on a laptop. Take a drive image backup before you begin, then launch VeraCrypt and choose Create Volume > Encrypt the system partition or entire system drive. Again, standard and hidden options are available (click More information if you like the idea of hiding your OS from view – it’s a long, detailed subject, and involves creating a ‘decoy’ OS).

Assuming you simply want to encrypt the drive, leave Normal selected and click Next. You can opt to simply encrypt the Windows partition, or the entire drive (so all partitions on the primary hard drive). If in doubt, encrypt the system partition only – you may get a warning when attempting to encrypt the entire drive about losing access if it has a so-called ‘inappropriately designed’ BIOS.

The next step informs VeraCrypt whether you have a single-boot or multiboot system, and then it’s a similar process as for creating an encrypted virtual drive.

There’s just one caveat: you can only protect your system drive with a strong password; key files aren’t supported. You also need to create rescue media – don’t skip this step, because it’s required to both permanently decrypt your drive and provide protection against corruption.

Different media is required depending on whether your boot mode is EFI (USB flash drive) or MBR (CD/DVD) – just follow the prompts to create and verify the media. The recovery media is tied to your specific PC and the current password you’ve assigned to your boot drive. If you make any hardware changes, you need to recreate it.

You next see the Wipe Mode screen, which enables you to securely overwrite the unencrypted copies of your files after they’ve been encrypted – the more passes, the slower the process, so unless you have reason to be truly paranoid, none or just ‘1-pass’ should be sufficient.

Test and encrypt

You’re now ready for the drive to be encrypted – first, a pretest is run to verify everything works as it should do. Your PC reboots, and you’re prompted to enter the password you just set up. When prompted for the PIM, just press Enter unless you manually specified this value. Wait for the password to be verified – then Windows boots as normal.

If the test passes, click the Encrypt button and VeraCrypt starts to encrypt your drive’s contents (a Defer button is also present if you wish to back up data first – you’re then prompted again the next time Windows is restarted). Unlike with encrypting non-system volumes, you can carry on using your PC while the drive is encrypted. Once complete, your computer’s contents are protected against theft and other threats, ensuring any data stored on the drive is secure.

Encrypt entire drives

VeraCrypt can also be used to encrypt other drives and partitions, from internal data drives to USB thumb drives. As with all major operations, we strongly

AES Crypt won’t delete your original file after creating an encrypted copy.
VeraCrypt’s wizard makes it easy to create any kind of encrypted drive.
Encrypt individual files with a personal key using Gpg4win.
Windows 10 Home users don’t get access to native encryption tools.
VeraCrypt’s benchmark tool shows you how each algorithm or hash performs.
After setting up, mount your encrypted drives for access.
You need to balance security versus performance when picking an algorithm.
