APC Australia

Shred data securely


When you delete a file, it’s not physically removed from your PC; instead, the first few bytes of the file are overwritten with a tag that tells Windows that the file is deleted and the space it currently resides in is available when writing other files to disk. It speeds things up, but it’s not good for security.

Until the file is physically overwritten by another file, its contents are still retrievable. What’s more, even if the file is overwritten, it might be possible to retrieve part or all of it using sophisticated file recovery techniques. So, how do you protect yourself against that kind of technology?

Thankfully, there are tools that can securely wipe data from your drive. One that’s free and open source is Eraser (grab the latest stable version, 5.8.8, from https://eraser.heidi.ie/download). During installation, enable the Windows Explorer extension to allow you to securely shred any file by right-clicking it and choosing Eraser > Erase. What about files you’ve previously deleted? Eraser can securely wipe all free space to make deleted files unrecoverable – right-click the drive in File Explorer, and click Erase > Erasing Free Space.

Open the main Eraser program and you can set up on-demand and scheduled tasks to periodically shred specific files, folders, or free space. By default, Eraser wipes data using the Gutmann technique – if this is too slow, choose Edit > Preferences > Erasing to choose a different method, including one of two used by the US Department of Defense.

recommend you first take a full image of your hard drive before starting the process – just in case. Once the drive is safely encrypted, you can safely delete this backup. However, if you plan to keep the backup, check out the box on the following page about encrypting your backups.

The creation process is similar to setting up virtual drives. Start by selecting Encrypt a non-system partition/drive on the first page of the wizard. Choose whether the volume will be a standard one or hidden, then click Next. Click Select Device… to choose your target drive or partition.

The next step is crucial – you have a choice between Create encrypted volume and format it (destructive, and best for empty drives or drives with no data worth keeping) and Encrypt partition in place. The latter is much slower but preserves existing data. If creating an encrypted volume from scratch, the process is virtually identical to creating virtual drives.

Once the drive has been encrypted, read any warning messages, then click Finish. To mount the drive, select the drive letter you wish to assign to it, then click Auto-mount Devices. Enter the credentials required, wait, and then the drive is mounted and available.

Ordinarily, you have to do this every time you restart Windows – to have the drive automatically mount when you log into Windows, right-click it in the main VeraCrypt window after mounting, and choose Add to Favorites. Be sure to check Mount selected volume upon logon before clicking OK. In the future, you will be prompted to provide the password and any key files each time you log into Windows, and then the drive will be available.

One problem with this approach occurs if you’ve moved system folders – such as user folders or those linked to cloud services – on to this encrypted storage space. You get errors about missing folders before you unlock the drive. If you’ve encrypted your Windows boot drive, you can get around this by ensuring the password on your data drive is the same as that required to unlock your Windows boot drive, then choose Add to System Favorites – this way, the drive is unlocked with your boot drive, and available when Windows loads.

Encrypt cloud backups

VeraCrypt can protect your files locally, but copy them anywhere else, and they’re left unprotected. The box opposite reveals what to do about protecting local backups using the same types of algorithms with suitable backup software, but what about those files you back up to the cloud? Cloud providers claim to encrypt your files, but sometimes that only applies to the way the files are transferred – when stored ‘at rest’ in the cloud, they may be left unencrypted, and therefore potentially vulnerable.

Even where encryption is provided, is it true end-to-end encryption, where only you possess the all-important encryption keys required to decrypt the files? Some cloud providers – SpiderOak (https://spideroak.com) and Tresorit (https://tresorit.com), for example – adopt this ‘no knowledge’ policy, but others don’t.

You don’t need to switch cloud provider to get this kind of protection; instead, add your own layer of encryption to critical files, with keys not shared with anyone else. An open-source encryption tool designed for cloud-based storage is Cryptomator (https://cryptomator.org), which works with any cloud provider from OneDrive to Dropbox. The principle is identical to VeraCrypt: You create a password-protected virtual drive – or vault – inside which your sensitive files are stored. The key difference is that Cryptomator encrypts files and folders individually, rather than as part of a larger file, so changes are smaller and quicker to upload and download.

Create a container

To start, go to www.cryptomator.org/downloads and click Download 64 Bit. Once saved to your hard drive, double-click the setup file, and follow the install prompts, making sure you install the Dokan File System Driver when asked. Reboot if prompted.

Open Cryptomator via the Search box or Start menu, then enable the integrated update check when prompted to ensure Cryptomator stays up to date. Click the ‘+’ button and choose Create New Vault. Navigate to your cloud folder, give your vault a suitable name (this will be the name of the folder containing your encrypted files on the drive, so don’t make it too obvious), and click Save.

You’re prompted to create a password to protect the vault and access it from other computers or mobile devices. We recommend generating a long random one using your password manager (store the password as a secure note). Once entered and safely recorded, click Create Vault.

Click More Options to save the password and automatically mount the drive at startup (only recommended on a secure PC). You can also change the drive name and choose a drive letter. Then enter your password and click Unlock Vault.

A new Explorer window eventually opens, pointing to your new virtual drive (it’s also accessible via This PC under Network locations) – simply copy or save files in here, and they’re encrypted securely before being uploaded to the cloud.

When done, you can leave the drive unlocked until you shut down your PC or – if security is an issue – open the main window and click Lock Vault to close it down (enter your password and click Unlock Vault to bring it back later if you need to).

You can access your cloud-hosted vault from other computers by installing Cryptomator on there and choosing Open existing vault. There are even paid-for apps for Android or Apple phones if you need to upload sensitive files while on the road.

Shortcomings

Our main gripe with Cryptomator is that its presence can’t be hidden – and, in fact, is blindingly obvious to any hacker combing through your folders. That’s because its master key is visible inside the folder containing your encrypted data (even the name – masterkey.cryptomator – isn’t subtle). This highlights the need to keep an independent backup of any data stored in a Cryptomator vault in case these key files are damaged or lost.

If that’s a deal-breaker, consider switching back to VeraCrypt, but minimise the size of your vault (make multiple smaller vaults, rather than one large one). This helps reduce the amount of bandwidth used when uploading and downloading changes to encrypted files. Another approach is to use cloud storage for encrypted file and image-based backups (see box right).

Image caption: Select “Volume Properties…” to verify the security of your drive.

Image caption: Strengthen your Cryptomator vault by using a randomly generated password.
