Securing Sensitive Files

Sensitive files can be secured using different methods. It is important to understand the pros and cons of each in order to pick the best tool for your needs.

Encrypted Archives

Most archival software has the capability to add a pass phrase for archive protection. Different tools use different encryption algorithms. It is important to also look for authenticated encryption or AEAD. It provides extra integrity verification that ensures the archive hasn’t been tampered with. Some of the tools that support archival encryption are:

  • 7-zip
  • WinZip
  • WinRaR

Summary:

  • Easy to use
  • Widely available
  • Difficult to manage pass phrases for many different archives
  • Most archival software doesn’t support authenticated encryption
  • Can be slow to add new files to an existing large archive

Basic Encryption Tools

Basic encryption tools don’t provide archival capabilities. Their main purpose is to encrypt a file. Each file is encrypted with its own pass phrase or your public key. There is support for file compression. Some of them are cross-platform and run on most operating system.

Summary:

  • Easy to install and use
  • Difficult to manage different pass phrases for each file
  • PGP is complex and requires careful understanding of its configuration
  • Some of the tools in this category don’t support authenticated encryption

Application specific encryption

Some applications provide their own file protection as part of their interface. The protection mechanisms vary between different applications. In the past various applications were having issues protecting files. For example the encryption of Word documents before Office 2003 was insecure. Examples of application specific encryption:

  • Password protected Word, Excel, PowerPoint files
  • Password protected PDFs

Summary:

  • These applications already support encryption so it is convenient to use it out of the box
  • It is hard to manage passwords for different files
  • Some applications provide very weak security by using old and vulnerable algorithms
    • NOTE: The encryption of Word documents before Office 2003 is insecure.
  • There can be version mismatch where a file is encrypted with different version of the software and can’t be opened

Encrypted File Volumes (not optimized for cloud)

Encrypted volumes are much easier to work with. The volume is just a flat file on your disk so you can move it anywhere. When mounted the volume appears as a regular drive on your operating system. You can add/delete/edit files with ease. The user needs a single pass phrase to mount the volume and this applies to all added files. Volumes can be mounted and umounted at any time.

  • VeraCrypt
  • TrueCrypt (deprecated)

Summary:

  • Using a single password to open the volume can simplify working with many encrypted files
  • Easy to use
  • Fixed size of each volume that can’t grow dynamically can be frustrating
  • Not optimized for cloud storage – if a single file changes then the whole contents of the volume needs to be synced to the cloud

Full Drive Encryption (FDE)

Full Drive Encryption is great for preventing a stolen drive or laptop from being accessed without the passphrase. It depends what drive is encrypted. If it is the boot drive then as soon as the drive is booted into the operating system it is no longer protected as a logged-in user has complete access to all the files. The only way to protect your encrypted boot drive is to shutdown your computer. If a partition is encrypted then once it is “mounted” it appears as a drive on your OS. Most modern operating systems already have support for FDE and it is fairly simple to turn on. It does add a pace of mind that your data is protected if you lose your laptop. Some tools allow for hidden partitions that can add additional security to your files.

  • Bit Locker (Windows)
  • Veracrypt (Cross-Platform)
  • File Vault (Mac OS X)
  • dm-crypt (Linux)
  • PGP Full Disk Encryption

Summary:

  • Easy to use
  • Doesn’t protect files that are copied out of the encrypted disk
  • Doesn’t protect files on mounted volumes for the logged-in user
  • Not applicable to cloud storage as it only works on the physical disk or partition

Encrypted Mounted Volumes (optimized for cloud)

Encryption tools that are optimized for the cloud provide many additional benefits over the previously discussed tools. First, they are optimized for synchronization to cloud storage. Only the changed parts of the encrypted files are uploaded to the cloud. Second, they are using modern security algorithms such as authenticated encryption and public key cryptography. They allow managing and sharing encrypted files with ease. They work with different cloud storage providers so you’re not locked into one of them. They also provide local file protection.

  • BoxCryptor
  • Cryptomator
  • GoCryptFs
  • KeybaseFS

Summary:

  • State of the art encryption
  • Cloud integration
  • Efficient network synchronization
  • Easy to use
  • Can support large files
  • Allow easy password management and file sharing using public key encryption
  • Protect local and cloud files

Secure Cloud Providers

Secure Cloud Providers can offer various encryption mechanisms. The best ones use client-side encryption that protects your files before they are uploaded to the cloud. But the files are not encrypted on the client computer but rather only when uploaded to the cloud provider. Once the files are on the cloud server they stays encrypted at rest.

  • Sync.com
  • pCloud
  • Tresorit
  • ShareFile
  • NextCloud

Summary:

  • Provide backup capabilities as well as encryption
  • Can be used to share files securely
  • Can be used to synchronize files across multiple devices
  • Requires a separate account
  • Doesn’t work with existing cloud providers such as Dropbox or Google Drive
  • Force you to purchase secure file storage from them
  • Don’t encrypt the files on the client computer

Secure File Sharing

Secure File Sharing can take the form of a secure cloud storage provider or as a specialized tool aimed directly at file sharing. Different tools provide different capabilities.

  • Firefox Send (depricated)
  • Citrix ShareFile
  • Signal
  • Wire

Summary:

  • Can be used to easily and securely send files to other users
  • Some of them have size limitations
  • Additional complexity in managing users
  • Don’t provide encryption at rest

Secure e-mail

Securing email is hard. It is an old protocol that doesn’t natively support encryption. The best way to secure your emails is to use an extra mail plugin that runs in Outlook or Thunderbird or use a secure email provider. Nowadays secure email providers provide much better user experience with many options to secure your messages.

  • ProtonMail
  • PGP plugin for Outlook/Thunderbird
  • Hushmail
  • Mailfence
  • Tutanota
  • S/MIME

Summary:

  • Popular mean for sharing files
  • Can encrypt the body and attachments of emails
  • The password for decrypting the file has to be communicated using another method (out of band)
  • The user needs to have the same tools in order to decrypt the message