Securing Sensitive Files

Sensitive files can be secured using different methods. It is important to understand the pros and cons of each in order to pick the best one for your needs. Some of the considerations you should pay attention to is:

  • Usability
  • Encryption algorithms
  • Integrity protection
  • Password management
  • Password strengthening
  • Allows the use of public keys
  • Second factor authentication support using hardware dongles/smart cards

Encrypted Archives

Most archival software has the capability to add a pass phrase for archive protection. Based on the archive software specific encryption algorithm will be used to protect the files. The best way to ensure protection is not only to ensure confidentiality using encryption but also to guarantee integrity using a digital signature most commonly done with a keyed hash. The tools that support archival encryption are:

  • 7-zip
  • WinZip
  • WinRaR

Summary:

  • Easy to use
  • Difficult to manage pass phrases for many different archives
  • Difficult to update an archive once it is created, especially if it has a large number of files or large files
  • Most archival software doesn’t support authenticated encryption

Basic Encryption Tools

Basic encryption tools don’t provide archival capabilities but purely encrypt a file. Each file is encrypted with its own pass phrase or your public key:

  • PGP
  • AxCrypt
  • AES Crypt

Summary:

  • Easy to install and use
  • Difficult to manage different pass phrases for each file
  • PGP is complex and requires careful understanding of its configuration
  • Some of the tools in this category don’t support authenticated encryption

Application specific encryption

This section include applications that provide file protection as part of their interface. For exasmple:

  • Password protected Word, Excel, PowerPoint files
  • Password protected PDFs

Summary:

  • These applications already support encryption so it is convenient to use it out of the box
  • It is hard to manage all the passwords for the different files
  • Some applications provide very weak security by using old or inefficient algorithms
  • There can be version mismatch where a file is encrypted with different version of the software and can’t be opened

Encrypted Volumes (not optimized for cloud)

Encrypted volumes are much easier to work with. Once a volume is created encrypted files are added or deleted with ease. The user doesn’t need to manually encrypt each file with a separate pass phrase.

  • VeraCrypt
  • TrueCrypt (deprecated)

Summary:

  • Easy to use but not cloud optimized
  • Fixed size of each volume that can’t grow dynamically
  • Not cloud friendly – if a file is changed the whole contents of the volume needs to be synced to the cloud

Encrypted Volumes (optimized for cloud)

Encryption tools that are optimized for the cloud provide many additional benefits over the previously discussed tools. First they are network optimized to make sure only the changed parts of a file are synchronized with the cloud. Second they are using modern security technology that creates a better security model for your data. This includes better encryption and integrity algorithms.

  • BoxCryptor (not free)
  • Cryptomator
  • GoCryptFs
  • KeybaseFS

Summary:

  • State of the art encryption
  • Great cloud native operations
  • Efficient network synchronization
  • Easy to use
  • Can support large files

Leave a Reply

%d bloggers like this: