PROTECT YOUR DATA
Encrypt files, folders, and even entire drives to keep your information secure.
Worried about the security and visibility of your data? Do you have sensitive files you want to keep away from potentially prying eyes? Worried that your cloud backup isn’t as secure as it might be? Concerned that the data on your laptop might be vulnerable to theft? Want to dispose of files – or an entire PC – without compromising the data (including previously deleted files) on it? You’ve come to the right place.
In this feature, we explore numerous options for protecting your data, both data stored on your PC and that backed up elsewhere, whether on local storage or in the cloud. We also reveal how to ensure all data you delete is shredded beyond recovery, enabling you to pass on a PC or drive to a new home without having to worry about the data previously stored on it.
When it comes to sensitive files, the solution lies in a process called encryption. File encryption uses cryptography to scramble the contents of files so they’re unreadable without the correct authentication – usually a password that is used to unlock an encryption key, which in turn decrypts the file so it’s readable. Some encryption can be further strengthened by requiring additional forms of authentication, such as so-called key files or physical devices like smart cards.
Encryption keys are created using special algorithms. Common examples include Advanced Encryption Standard (AES) and Twofish. The longer the key, the more secure it is, so 256-bit is better than 128-bit, and 512-bit is better than 256-bit. Encryption is a resource-heavy process, particularly as key lengths increase, so be prepared to see protected files take longer to open or save. If you have a modern CPU, you’ll find AES is by far the quickest encryption standard, thanks to the hardware-accelerated AES instructions built into supported processors.
Encryption can be performed on individual files or entire drives, and that’s where we begin our feature, with a comprehensive guide to scrambling the files on your PC. Turn the page to get started.
When it comes to encrypting individual files or entire drives, there are numerous options available. If you’re running the Pro, Enterprise, or Education version of Windows 10, you’ll find built-in options exist in the form of BitLocker and EFS – the box opposite reveals how BitLocker works and what you need to run it. EFS – Encrypting File System – enables you to individually encrypt files or folders using your Windows password as the encryption key. If the drive is stolen, the files are unreadable without your Windows account password.
To encrypt one or more files or folders, select them in File Explorer, right-click the selection, and choose Properties. Click Advanced, then tick the box next to Encrypt contents to secure data. Click OK then Apply – you’re prompted to encrypt the parent folder if applicable for greater security. Make your choice, then click OK.
EFS is a simple but relatively weak way to encrypt files. If you’re looking for something stronger, or don’t trust Microsoft with keeping your data secure, read on.
Simple, fast file encryption
If you only need to encrypt individual files on a semi-regular basis – or wish to encrypt files before sharing them with others – the open-source tool AES Crypt (www.aescrypt.com) is all you need. Download and install the program, then going forward, simply right-click the file you wish to protect, and choose AES Encrypt. Enter a strong password – the more characters, the stronger the encryption – and click OK. An encrypted copy of the file with an .aes file extension is created, unreadable to anyone who doesn’t know the password.
If you want to share the file with others, send them the encrypted version, then communicate the password separately and securely. They need to install AES Crypt before double-clicking the file and entering the password required to extract the decrypted original.
It’s also possible to encrypt Office documents, but the protection is only effective in Word 2007 or later, which introduced AES 128-bit encryption; Office 2016 and later use AES 256-bit. To do so in Office 2007 or later, select the File tab and choose Info > Protect Document > Encrypt with Password.
If you want stronger encryption for individual files or folders, Gpg4win (www.gpg4win.org) works in a similar fashion to AES Crypt, with the added bonus of allowing you to encrypt files using public keys protected by passphrases for additional security. After installation, launch the Kleopatra tool and choose File > New Key Pair, then select Create a personal OpenPGP key pair to get started. Once done, you can encrypt files by right-clicking them in File Explorer and choosing Sign and encrypt to use your key (you can also encrypt files with a simple password, if you prefer).
A one-stop solution
AES Crypt and Gpg4win are perfect for occasional encryption, but you’ll need to re-encrypt your files each time you make changes to them. If you want a more comprehensive, flexible solution, VeraCrypt (www.veracrypt.fr/en/) pretty much does it all. It can be used in a variety of ways to meet most people’s needs – like BitLocker, you can encrypt entire drives, including your Windows boot drive, but you can also restrict its use to a specific set of sensitive files using a smaller virtual encrypted container, which resides as a file on your hard drive.
The app is available for Windows, Mac, and Linux, so you can use it across all your computers. There’s a portable version available, too, which can do everything except encrypt your boot drive. After downloading and installing (or extracting to your portable apps folder), launch the program – Veracrypt-x64.exe if you’re running the portable version – and you will find yourself at the main VeraCrypt window.
Create a virtual drive
Click Create Volume, and the VeraCrypt Volume Creation Wizard opens, with Create an encrypted file container selected by default. This is the safest option, because it merely creates a single file on an existing hard drive, inside which all your sensitive data will be stored. There’s no risk to any other files or drives. To proceed, click Next.
Two types of volume can be created – to simply protect the data if the drive it’s on is lost or stolen, leave Standard TrueCrypt volume selected, and click Next again. Skip to the next section. You’ll also see an option to create a hidden volume, with an explanation about why you might want one. Hidden volumes are created inside standard TrueCrypt volumes, hiding themselves in their free space.
First-time users should select Hidden TrueCrypt volume then Normal mode to create a standard TrueCrypt volume inside which your hidden volume will be created. If you’ve already created a standard volume, you can choose Direct mode instead when prompted, and follow the prompts to set it up inside your standard TrueCrypt volume. In either event, the wizard follows a similar process to that for standard volumes, as described below.
One tip if you plan to create a hidden volume: Be sure to save selected files to the standard volume. An empty standard volume would arouse suspicion among those you’re trying to hide your data from.
Set up a standard volume
Click the Select File… button, browse to your USB thumb drive, then type a new file name into the File name box. Avoid using a file extension – this can be problematic – and click Save. Click Next to choose your encryption options for the volume. Five encryption algorithms are supported: AES, Serpent, Twofish, Camellia, and Kuznyechik – select one at a time for a description. Beneath these are no fewer than ten combinations of two or more algorithms for those who want multiple layers of encryption. The truly paranoid can click the Test button next to an option to verify VeraCrypt’s implementation of the selected algorithm is compliant with certain standards.
Click the Benchmark button to open the Algorithms Benchmark window, then click Benchmark to compare the performance of each encryption algorithm. The process of encrypting and decrypting data will have an impact on disk write/read speeds, and you can compare the different algorithms (single and combined) from here. Straight AES encryption is recommended for most people, or AES combined with Twofish if you want a second layer.
Beneath the encryption algorithm, you’ll see a section on hash algorithms, complete with a handy link explaining how they work. These are basically used to generate the encryption keys and salt (random data used to protect your password from hackers). Five hash algorithms are currently supported, but for most people, the default SHA-512 is fine – you might choose SHA-256 if performance is more important than security.
Extra authentication
Once you’ve chosen your options, click Next. You’re now prompted to set a size for your file container. Choose a figure based on how much data you need to encrypt and how much free space is available. Click Next to enter a password – you’ll need this to access your files in future, so make sure it’s memorable (or stored somewhere secure, like a self-hosted Bitwarden password manager), but also tough to crack. Try to make it at least 20 characters in length.
Gain additional protection by ticking Use keyfiles and clicking the Keyfiles button. This adds another layer of protection: Not only do you have to enter your password correctly, but you also need to select whichever file (or files) you choose to be linked to your container. These files can be already present on your hard drive – choose a compressed format such as MP3 or Zip – or you can have VeraCrypt generate a new random key file from scratch. Either way, make sure the files are backed up somewhere safe, because if they’re deleted or the first 1,024KB of data is changed, your vault will be impossible to access.
Checking the Use PIM box creates an additional step after clicking Next, where you can set a custom Personal Iterations Multiplier. The default setting (485) prioritises security over speed when mounting the volume after each system boot – should you wish to reduce the time taken, you can set a lower value, but make sure you’ve set a lengthy password.
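The hash algorithm, salt and PIM described above all feed one step: stretching your password into the key that unlocks the volume header. The following is an added illustration (not VeraCrypt’s own code) of that step using PBKDF2-HMAC-SHA512 from Python’s standard library; the PIM-to-iteration formulas are the ones VeraCrypt documents for the SHA-512 hash, the sample password and salt are constructed.

```python
import hashlib
import os
import time

# VeraCrypt's documented PIM-to-iteration mapping when SHA-512 is the hash:
#   non-system volumes: 15000 + PIM * 1000   (default PIM 485 -> 500,000)
#   system encryption:  PIM * 2048
# Only these constants come from the VeraCrypt documentation; the rest of
# this file is an added illustration, not VeraCrypt's own implementation.
DEFAULT_PIM_NON_SYSTEM = 485


def veracrypt_iterations(pim: int, system_encryption: bool = False) -> int:
    """Return the PBKDF2 iteration count VeraCrypt derives from a PIM value."""
    if pim <= 0:
        raise ValueError("PIM must be a positive integer")
    return pim * 2048 if system_encryption else 15000 + pim * 1000


def derive_header_key(password: bytes, salt: bytes, pim: int,
                      system_encryption: bool = False,
                      key_len: int = 64) -> bytes:
    """Stretch a password into a header key with PBKDF2-HMAC-SHA512.

    The salt is random data stored unencrypted in the volume header, so two
    volumes with the same password still get unrelated keys and an attacker
    cannot precompute a table of passwords. key_len=64 (512 bits) is enough
    for an AES-256 key plus its 256-bit XTS tweak key.
    """
    iterations = veracrypt_iterations(pim, system_encryption)
    return hashlib.pbkdf2_hmac("sha512", password, salt, iterations,
                               dklen=key_len)


def time_derivation(password: bytes, salt: bytes, pim: int) -> float:
    """Seconds for one derivation: the cost a guesser pays per password tried."""
    start = time.perf_counter()
    derive_header_key(password, salt, pim)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample inputs; a real header carries its own 64-byte salt.
    password = b"a memorable phrase that is comfortably over twenty characters"
    salt = os.urandom(64)
    # Lower PIM -> fewer iterations -> faster mount, but also faster guessing,
    # which is why the article says a low PIM needs a lengthy password.
    for pim in (1, 100, DEFAULT_PIM_NON_SYSTEM):
        n = veracrypt_iterations(pim)
        secs = time_derivation(password, salt, pim)
        print(f"PIM {pim:>4}: {n:>8} iterations, {secs:.3f}s per guess")
```
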
Format and mount
After clicking Next, you’re asked if you plan to store files larger than 4GB in your new virtual drive – this determines which filesystem is set as the default in the next step (exFAT if yes, FAT if no). Click Next and you’re ready to configure and format your volume. You can change the filesystem here – NTFS and ReFS are also available – plus choose whether to perform a quick format (not recommended). Checking Dynamic means the file containing your encrypted volume isn’t formatted as its actual size, but instead increases in size as you add content to it – this comes with several warnings, not least of which are severely degraded performance and reduced security.
You’ll see a prompt to move your mouse within the VeraCrypt window to improve the cryptographic strength of the volume’s encryption keys. When you’ve configured the drive and the Randomness Collected From Mouse Movements meter is full, click Format, and the encrypted volume is created. Wait until the confirmation dialog box appears, then click OK followed by Exit to return to the main VeraCrypt window, ready to access your encrypted container for the first time.
Select a free drive letter from the list and click the Select File button to choose your encrypted container.
Click the Mount button and then enter the volume’s password before – if applicable – clicking the Keyfiles… button to select the required files that will give you access to your container when you click OK.
You’ll see a Mount Options… button; clicking this reveals options such as opening the volume in read-only fashion, or assigning it a specific drive label in Windows. If your volume contains a further hidden volume, be sure to tick Protect hidden volume against damage caused by writing to outer volume to safeguard its contents.
After clicking OK, wait while the volume is mounted – you should see your encrypted container appear in the main VeraCrypt window. It can now be accessed like any other drive – copy or save files directly into here to ensure they’re protected going forward. When you’ve finished with the drive, right-click its entry in the VeraCrypt window, and choose Dismount to lock it away from prying eyes.
Encrypt Windows
VeraCrypt can also be used to encrypt your entire Windows installation. All files remain encrypted on your disk even in use – they’re simply decrypted on demand to allow Windows and your apps to run normally without exposing the data to potential problems, such as sudden power loss.
This form of encryption is particularly suitable for those who carry sensitive information with them – typically on a laptop. Take a drive image backup before you begin, then launch VeraCrypt and choose Create Volume > Encrypt the system partition or entire system drive. Again, standard and hidden options are available (click More information if you like the idea of hiding your OS from view – it’s a long, detailed subject, and involves creating a ‘decoy’ OS).
Assuming you simply want to encrypt the drive, leave Normal selected and click Next. You can opt to simply encrypt the Windows partition, or the entire drive (so all partitions on the primary hard drive). If in doubt, encrypt the system partition only – you may get a warning when attempting to encrypt the entire drive about losing access if it has a so-called ‘inappropriately designed’ BIOS.
The next step informs VeraCrypt whether you have a single-boot or multiboot system, and then it’s a similar process as for creating an encrypted virtual drive.
There’s just one caveat: you can only protect your system drive with a strong password; key files aren’t supported. You also need to create rescue media – don’t skip this step, because it’s required to both permanently decrypt your drive and provide protection against corruption.
Different media is required depending on whether your boot mode is EFI (USB flash drive) or MBR (CD/DVD) – just follow the prompts to create and verify the media. The recovery media is tied to your specific PC and the current password you’ve assigned to your boot drive. If you make any hardware changes, you need to recreate it.
You next see the Wipe Mode screen, which enables you to securely overwrite the unencrypted copies of your files after they’ve been encrypted – the more passes, the slower the process, so unless you have reason to be truly paranoid, none or just ‘1-pass’ should be sufficient.
Test and encrypt
You’re now ready for the drive to be encrypted – first, a pretest is run to verify everything works as it should do. Your PC reboots, and you’re prompted to enter the password you just set up. When prompted for the PIM, just press Enter unless you manually specified this value. Wait for the password to be verified – then Windows boots as normal.
If the test passes, click the Encrypt button and VeraCrypt starts to encrypt your drive’s contents (a Defer button is also present if you wish to back up data first – you’re then prompted again the next time Windows is restarted). Unlike with encrypting non-system volumes, you can carry on using your PC while the drive is encrypted. Once complete, your computer’s contents are protected against theft and other threats, ensuring any data stored on the drive is secure.
Encrypt entire drives
VeraCrypt can also be used to encrypt other drives and partitions, from internal data drives to USB thumb drives. As with all major operations, we strongly recommend you first take a full image of your hard drive before starting the process – just in case. Once the drive is safely encrypted, you can safely delete this backup. However, if you plan to keep the backup, check out the box overleaf about encrypting your backups.
The creation process is similar to setting up virtual drives. Start by selecting Encrypt a non-system partition/drive on the first page of the wizard. Choose whether the volume will be a standard one or hidden, then click Next. Click Select Device… to choose your target drive or partition.
The next step is crucial – you have a choice between Create encrypted volume and format it (destructive, and best for empty drives or drives with no data worth keeping) and Encrypt partition in place. The latter is much slower but preserves existing data. If creating an encrypted volume from scratch, the process is virtually identical to creating virtual drives.
Once the drive has been encrypted, read any warning messages, then click Finish. To mount the drive, select the drive letter you wish to assign to it, then click Auto-mount Devices. Enter the credentials required, wait, and then the drive is mounted and available.
Ordinarily, you have to do this every time you restart Windows – to have the drive automatically mount when you log into Windows, right-click it in the main VeraCrypt window after mounting, and choose Add to Favorites. Be sure to check Mount selected volume upon logon before clicking OK. In the future, you will be prompted to provide the password and any key files each time you log into Windows, and then the drive will be available.
One problem with this approach occurs if you’ve moved system folders – such as user folders or those linked to cloud services – on to this encrypted storage space. You get errors about missing folders before you unlock the drive. If you’ve encrypted your Windows boot drive, you can get around this by ensuring the password on your data drive is the same as that required to unlock your Windows boot drive, then choose Add to System Favorites – this way, the drive is unlocked with your boot drive, and available when Windows loads.
Encrypt cloud backups
VeraCrypt can protect your files locally, but copy them anywhere else, and they’re left unprotected. The box opposite reveals what to do about protecting local backups using the same types of algorithms with suitable backup software, but what about those files you back up to the cloud? Cloud providers claim to encrypt your files, but sometimes that only applies to the way the files are transferred – when stored ‘at rest’ in the cloud, they may be left unencrypted, and therefore potentially vulnerable.
Even where encryption is provided, is it true end-to-end encryption, where only you possess the all-important encryption keys required to decrypt the files? Some cloud providers – SpiderOak (https://spideroak.com) and Tresorit (https://tresorit.com), for example – adopt this ‘no knowledge’ policy, but others don’t.
You don’t need to switch cloud provider to get this kind of protection; instead, add your own layer of encryption to critical files, with keys not shared with anyone else. An open-source encryption tool designed for cloud-based storage is Cryptomator (https://cryptomator.org), which works with any cloud provider from OneDrive to Dropbox. The principle is identical to VeraCrypt: You create a password-protected virtual drive – or vault – inside which your sensitive files are stored. The key difference is that Cryptomator encrypts files and folders individually, rather than as part of a larger file, so changes are smaller and quicker to upload and download.
Create a container
To start, go to www.cryptomator.org/downloads and click Download 64 Bit. Once saved to your hard drive, double-click the setup file, and follow the install prompts, making sure you install the Dokan File System Driver when asked. Reboot if prompted.
Open Cryptomator via the Search box or Start menu, then enable the integrated update check when prompted to ensure Cryptomator stays up to date. Click the ‘+’ button and choose Create New Vault. Navigate to your cloud folder, give your vault a suitable name (this will be the name of the folder containing your encrypted files on the drive, so don’t make it too obvious), and click Save.
You’re prompted to create a password to protect the vault and access it from other computers or mobile devices. We recommend generating a long random one using your password manager (store the password as a secure note). Once entered and safely recorded, click Create Vault.
Click More Options to save the password and automatically mount the drive at startup (only recommended on a secure PC). You can also change the drive name and choose a drive letter. Then enter your password and click Unlock Vault.
A new Explorer window eventually opens, pointing to your new virtual drive (it’s also accessible via This PC under Network locations) – simply copy or save files in here, and they’re encrypted securely before being uploaded to the cloud.
When done, you can leave the drive unlocked until you shut down your PC or – if security is an issue – open the main window and click Lock Vault to close it down (enter your password and click Unlock Vault to bring it back later if you need to).
You can access your cloud-hosted vault from other computers by installing Cryptomator on there and choosing Open existing vault. There are even paid-for apps for Android or Apple phones if you need to upload sensitive files while on the road.
Shortcomings
Our main gripe with Cryptomator is that its presence can’t be hidden – and, in fact, is blindingly obvious to any hacker combing through your folders. That’s because its master key is visible inside the folder containing your encrypted data (even the name – masterkey.cryptomator – isn’t subtle). This highlights the need to keep an independent backup of any data stored in a Cryptomator vault in case these key files are damaged or lost.
If that’s a deal-breaker, consider switching back to VeraCrypt, but minimise the size of your vault (make multiple smaller vaults, rather than one large one). This helps reduce the amount of bandwidth used when uploading and downloading changes to encrypted files. Another approach is to use cloud storage for encrypted file and image-based backups (see box to the right).