Encryption is most probably the best technology we have to protect our data from adversaries, and it has developed to the point that it is virtually impossible to break—when used correctly; it’s all about making a message unintelligible except to the person who has the key to “decrypt” it into readable form.
Most service providers say that they encrypt your data, but the thing is: they hold the keys too, which means there’s literally nothing stopping them from decrypting your data.
Not to mention, most of them are not open-source, which means no one can even verify if encryption is being done properly; you just have to trust your service provider.
I recommend encrypting all sensitive data on your device before sending it; don’t rely on the encryption provided by the apps and services you use.
Password protection vs. Encryption
Encryption is not the same thing as password protection; just because something is password protected, doesn’t mean it’s encrypted.
Password protection is kinda like putting a padlock on a box with the data inside it; if you broke the box open or somehow got access to the data inside the box, that password or padlock is useless.
On the other hand, encryption literally alters the data, rendering it useless without the correct key or password. The only way to get the data back is to know the “key”, which is usually a password or a passphrase that can be used to decrypt the data.
Something that is password protected only hides something from sight, while something encrypted physically alters the data, rendering it unintelligible—you can give that data to anyone you want, and they can read it bit for bit, but without the key to decrypt that data, those bits are useless.
Hate to break it to you, but most of those “app locks” on your phone are kinda dumb; they give you a false sense of protection by either moving the file to a different location or by just changing the file extension.
Encrypting Personal Data
With all of that out of the way, let’s see how you can securely encrypt your hard drive, and other important files.
There are basically two ways of doing encryption: Symmetric Encryption & Asymmetric Encryption
| Symmetric Encryption | Asymmetric Encryption |
| --- | --- |
| A single key is used to both encrypt and decrypt the data | A pair of keys, “public” and “private”, is used by both parties to encrypt and decrypt data: the public key is used for encryption and the private key for decryption |
| The key needs to be shared securely with the other party for encryption/decryption | The “public key” can be shared publicly and used by anyone to encrypt data, which can only be decrypted by the “private key” of that particular public-private key pair |
| There is a shared secret among the concerned parties, aka the shared key | The public key can be shared publicly for anyone to send encrypted messages to that particular person |
| Extremely fast, and requires low computing power | Slower than symmetric encryption, and requires a lot of computing power |
| Can encrypt lots of data | Can only be used to encrypt small amounts of data |
| Examples: AES, DES, RC4 | Examples: RSA, DSA, Diffie-Hellman |
Asymmetric encryption algorithms like RSA are extremely secure, but they can only encrypt a small amount of data; this is why a hybrid approach is used in most scenarios: the actual message or data is encrypted with a symmetric algorithm, and that symmetric key is then encrypted with an asymmetric algorithm.
The Electronic Frontier Foundation has a pretty good explainer on how both of these encryption techniques work. Broadly, there are two ways to go about encrypting data: encrypting data at rest and encrypting data in transit.
Encrypting Data In Transit
Data in transit is data that is moving over a network from one place to another: sending messages, making audio/video calls, and even browsing the web fall into this category, where the data moves from your device to the app company’s servers and on to your recipient’s device.
There are basically two ways to implement encryption on data that is in transit: transport-layer encryption & end-to-end encryption.
Transport-layer encryption, also known as Transport Layer Security or TLS, protects the data as it travels from your device to the server and from the server to your recipient.
In this scenario, your device, the middle server, and the recipient’s device all have access to the unencrypted data.
TLS works great when you are browsing the web, but not so much when you are, say, chatting or video calling, as the middle server has access to all the data; TLS coupled with end-to-end encryption is the way to go for online communications.
Implementations: HTTPS (Hyper Text Transfer Protocol Secure) & VPN (Virtual Private Network)
End-to-end Encryption or E2E encryption protects data in transit all the way from sender to the receiver.
In this scenario, only you and the recipient have access to the unencrypted data; no one, including the app and its servers, can “listen in” and eavesdrop on your activity.
E2E encryption works great for online communications when implemented correctly; our guide on encrypted messaging apps has recommendations, and this EFF explainer goes into a bit more depth on how end-to-end encryption works.
Implementations: Off-the-record protocol, Pretty Good Privacy, Signal, and other encrypted messaging apps.
Transport-Layer Security or End-to-End Encryption
The key question to ask to differentiate end-to-end and transport-layer encryption is: Do you trust the app or service you are using? Do you trust its technical infrastructure? How about its policies to protect against law enforcement requests?
If the answer is “no,” then you need E2E encryption. If your answer is “yes” to the above questions, then a service that supports only TLS may be sufficient for you.
This diagram from ssd.eff.org pretty much sums up both transport layer & end-to-end encryption:
Encrypting Data At Rest
Data at rest is the data that is stored somewhere, be it on your phone, computer, server, or any other storage device.
There are two ways to go about encrypting data at rest: full-disk encryption & file encryption.
Full-disk encryption, also known as device encryption, protects all the data stored on a device by encrypting all of it with a passphrase, password, or other authentication method; on a phone or laptop, this usually looks just like a typical device lock screen, requiring a PIN, password, or thumbprint.
However, just locking your device, aka requiring a password to “unlock” it, does not always mean that full-disk encryption is enabled; it may only mean you have enabled password protection, which isn’t the same as encryption, as discussed above.
File encryption protects only specific individual files on a computer or storage device by encrypting them with a passphrase, password, or other authentication method.
I’ll be discussing ways to encrypt data at rest, including both full-disk encryption, and file encryption.
Secure Encryption Software
With all of that out of the way, here are some secure encryption tools that you can use to do full-disk encryption as well as individual file encryption.
VeraCrypt (Disk Encryption)
VeraCrypt is free and open-source disk-encryption software by IDRIX, based on the now-defunct TrueCrypt, providing automatic, real-time (on-the-fly), and transparent encryption.
- Creates a virtual encrypted disk within a file and mounts it as a real disk.
- Encrypts an entire partition or storage device such as a USB flash drive or hard drive.
- Encrypts a partition or drive where Windows is installed (pre-boot authentication).
- Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
- Provides plausible deniability, in case an adversary forces you to reveal the password: Hidden volume (steganography) and hidden operating system.
Here’s a short video by TechLore explaining how you can use VeraCrypt:
GNU Privacy Guard (Email Encryption)
GnuPG is a complete and free implementation of the OpenPGP standard, allowing you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories.
Hat.sh (File Encryption)
Hat.sh is a free and open-source web app that provides secure file encryption in the browser. It started out using the WebCrypto API but has since phased it out in favor of the libsodium library for all cryptographic algorithms:
- XChaCha20-Poly1305 for symmetric encryption.
- Argon2id for password-based key derivation.
- X25519 for key exchange.
Hat.sh runs locally in your browser: no data is sent to anyone, there are no file size limits, it works offline, and it can be self-hosted.
Linux Unified Key Setup & Cryptsetup (Disk Encryption)
LUKS is a free and open-source full-disk encryption system for Linux based on the dm-crypt kernel module; it is the standard hard disk encryption method on most Linux-based operating systems.
As a standard on-disk format, it not only facilitates compatibility among distributions but also provides secure management of multiple user passwords, and stores all necessary setup information in the partition header, enabling seamless transport or migration of data.
Cryptomator (File Encryption)
Cryptomator is an open-source encryption tool that helps you encrypt files on any cloud provider of your choice, giving only you access to the keys to decrypt the data.
It works by creating a virtual encrypted drive in your Google Drive, OneDrive, Dropbox, etc., to which you can move your data; Cryptomator automatically encrypts both files and filenames with AES.
Tomb (File Encryption)
Tomb is a free and open-source zsh script for making LUKS containers on the command line, facilitating the backup of secret files; it works by generating encrypted storage folders that are opened and closed using their associated keyfiles, which are themselves protected with a password chosen by the user.
Kryptor (File Encryption)
Kryptor is a free and open-source command line tool for Windows, macOS, and Linux that aims to be a better version of age and Minisign and to provide a simple, user-friendly alternative to GnuPG; it also uses the libsodium library for all cryptography.
Note: Encryption is only as good as your password; if an adversary has your device, they have all the time in the world to figure out your password, so use a strong passphrase and store it in a password manager or somewhere safe.
That’s all folks!
I will be updating this page frequently with more encryption tools and information.