Secure, open source encryption software should be used to encrypt personal data, emails and messages, rather than trusting a particular entity to do it for you.
Most companies love to advertise that they encrypt your data, but they hold the keys too, which means they (and anyone who compromises or compels them) can decrypt it.
All sensitive data should be encrypted on the client side before it is sent anywhere; don't rely solely on the encryption provided by the apps and services you use.
This article covers the ways you can encrypt your data, and pretty much everything else you need to know about encryption.
Password protection vs. Encryption
Encryption is not the same thing as password protection. Just because something is password protected doesn't mean it's encrypted.
Password protection is like putting a padlock on a box with the data inside it. If you break the box open, or get at the data inside some other way, the padlock is useless.
Encryption, on the other hand, actually alters the data, rendering it useless without the correct key. The only way to get the data back is to know the key, which is usually derived from a password or passphrase that you type in to decrypt the data.
Something that is password protected only hides the data from sight, while something encrypted changes the bits themselves.
You can hand that data to anyone you want, and they can read it bit for bit, but without the key to decrypt it those bits are useless.
This means most of the "app locks" on phones give a false sense of protection: the app's data is typically still stored in the clear, and the lock only stops someone from opening the app's user interface.
Encrypting Personal Data
With all of that out of the way, let's see how you can securely encrypt your hard drive and other important files.
There are basically two ways of doing encryption: symmetric encryption and asymmetric encryption.

| Symmetric Encryption | Asymmetric Encryption |
|---|---|
| A single key is used to both encrypt and decrypt the data | A pair of keys, a "public" key and a "private" key, is used: the public key encrypts, the private key decrypts |
| The key must be shared securely with the other party before either side can encrypt or decrypt | The public key can be shared openly; anyone can use it to encrypt data that only the holder of the matching private key can decrypt |
| There is a shared secret between the parties, the shared key | No shared secret is needed: publishing the public key is enough for anyone to send that person encrypted messages |
| Extremely fast and needs little computing power | Much slower and needs far more computing power |
| Can encrypt arbitrarily large amounts of data | Can only encrypt a small amount of data per operation (for RSA, less than the key size minus padding) |
| Examples: AES (DES and RC4 are also symmetric ciphers, but both are broken and must not be used for new data) | Examples: RSA (encryption and signatures), DSA (signatures only), Diffie-Hellman (key agreement, not message encryption) |
Asymmetric algorithms like RSA are extremely useful, but they can only encrypt a small amount of data per operation (RSA-2048 with OAEP and SHA-256 padding, for example, holds at most 190 bytes), which is why a hybrid approach is used in practice:
The actual message or data is encrypted with a freshly generated symmetric key, that symmetric key is then encrypted with the recipient's public key, and both the encrypted data and the encrypted symmetric key are sent to the other person, who unwraps the key with their private key and then decrypts the data. This is exactly how OpenPGP (GnuPG) encrypts a file to someone.
The Electronic Frontier Foundation has a good explainer on how both techniques work.
Encryption can be done at different levels:
Encrypting Data In Transit
Data in transit is data moving over a network from one place to another. Sending messages and making video calls are good examples: the data moves from your device to the app company's servers and on to your recipient's device.
Web browsing is another example, where data travels between your device and the website's server. There are basically two ways to encrypt data in transit:
1. Transport-Layer Encryption
Transport-layer encryption, of which Transport Layer Security (TLS) is the usual protocol, protects data as it travels from your device to the server and from the server to your recipient. You, the server in the middle and the recipient all have access to the unencrypted data in this case.
TLS works great when you are browsing the web, but not so well when you are chatting or video calling, because the server in the middle sees everything. For online communications, TLS combined with end-to-end encryption is the way to go.
Examples: HTTPS (HTTP over TLS) and VPNs (which encrypt traffic between you and the VPN provider; the provider sees it in the clear from there on).
2. End-to-End Encryption
End-to-end (E2E) encryption protects data in transit all the way from sender to receiver. Only you and the recipient have access to the unencrypted data; the servers relaying it see ciphertext only.
E2E encryption is great for online communications, but make sure it is implemented correctly and that the app lets you verify your contacts' keys (Signal calls these safety numbers), otherwise a server could silently swap in a key it controls. I have written about encrypted messaging apps that are open source, use end-to-end encryption and respect your privacy.
EFF has an excellent explainer on end-to-end encryption.
Examples: Signal and other end-to-end encrypted messaging apps.
Transport-Layer or End-to-End Encryption
The key question to ask to differentiate end-to-end and transport-layer encryption is:
Do you trust the app or service you are using? Do you trust its technical infrastructure? How about its policies to protect against law enforcement requests?
If the answer is “no,” then you need E2E encryption. If your answer is “yes” to the questions, then a service that supports only TLS may be sufficient for you — but I would still recommend an end-to-end encrypted service.
This diagram from eff.org sums up both transport layer & end-to-end encryption:
Encrypting Data at Rest
Data at rest is data stored somewhere: on your phone, your computer, a server, or any other storage device.
There are two ways to go about encrypting data at rest:
1. Full-Disk Encryption
Also known as device encryption, this protects everything stored on a device by encrypting the whole disk; the key is unlocked with a passphrase, password, PIN or another authentication method.
On a phone or laptop this usually looks just like the normal lock screen, asking for a PIN, password or fingerprint. A short PIN is only acceptable there because the phone ties the key to a hardware component that limits how fast guesses can be made; a laptop disk protected by a short password alone can be brute-forced offline once the disk is pulled.
However, just locking your device (i.e., requiring a password to unlock it) does not always mean that full-disk encryption is enabled; it may just mean you have password protection, which, as discussed above, is not the same thing. Check rather than assume: on Windows, manage-bde -status shows whether BitLocker has encrypted each volume; on macOS, fdesetup status reports whether FileVault is on; on Linux, lsblk -o NAME,TYPE,MOUNTPOINT shows a device of type crypt beneath the physical partition when LUKS is in use.
2. File Encryption
File encryption protects only specific, individual files on a computer or storage device, by encrypting each file with a key derived from a passphrase or password (or released by some other authentication method). Bear in mind that file encryption usually leaves the file's name, size and modification time visible unless the tool encrypts those as well.
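To make concrete what "encrypting a file with a passphrase" involves under the hood (a salted key derivation, a random nonce and an authenticated cipher), here is an added example written for this page; it is not the code of 7-Zip, Hat.sh or any other tool mentioned, and its ENC1 file layout, function names and sample contents are assumptions made for the illustration. It uses PBKDF2-HMAC-SHA-256 for the derivation and AES-256-GCM for the data, written against Go's standard library only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random per file: the same password yields a different key each time
	nonceLen   = 12      // standard AES-GCM nonce size
	keyLen     = 32      // AES-256
	iterations = 100_000 // PBKDF2 work factor: every password guess has to pay this
)

// magic tags this example's own (constructed) layout: magic || salt || nonce || ciphertext+tag.
var magic = []byte("ENC1")

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256, written out with
// crypto/hmac so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	ctr := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil)           // U1 = PRF(P, S || INT(block))
		t := append([]byte{}, u...) // T  = U1
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // Ui = PRF(P, Ui-1)
			for j := range t {
				t[j] ^= u[j] // T ^= Ui
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives the AES-256 key from password and salt and wraps it in GCM.
func newGCM(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile produces magic || salt || nonce || AES-256-GCM(plaintext).
// The header is passed as associated data, so it is authenticated as well.
func EncryptFile(password string, plaintext []byte) ([]byte, error) {
	rnd := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	salt, nonce := rnd[:saltLen], rnd[saltLen:]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	header := append(append([]byte{}, magic...), rnd...) // magic || salt || nonce
	return gcm.Seal(append([]byte{}, header...), nonce, plaintext, header), nil
}

// DecryptFile re-derives the key from the stored salt and refuses anything whose
// tag does not verify. GCM cannot tell a wrong password from a modified file.
func DecryptFile(password string, blob []byte) ([]byte, error) {
	hdrLen := len(magic) + saltLen + nonceLen
	if len(blob) < hdrLen+16 || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a file produced by EncryptFile")
	}
	header := blob[:hdrLen]
	salt := header[len(magic) : len(magic)+saltLen]
	nonce := header[len(magic)+saltLen:]
	gcm, err := newGCM(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, blob[hdrLen:], header)
	if err != nil {
		return nil, errors.New("wrong password or file has been modified")
	}
	return pt, nil
}

func main() {
	plain := []byte("constructed sample: contents of tax-return-2023.pdf")
	blob, err := EncryptFile("correct horse battery staple", plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d plaintext bytes -> %d bytes on disk\n", len(plain), len(blob))
	_, err = DecryptFile("correct horse battery stapler", blob) // one letter off
	fmt.Println("wrong password:", err)
}
```

The salt is what stops an attacker from precomputing keys for common passwords, and the iteration count is the only thing standing between a short password and an offline guessing attack against the file, so a real tool should use a memory-hard function such as Argon2 or scrypt where available. Note also that the output length still reveals the plaintext length, and nothing here hides the file's name: that is the metadata point made above.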
I’ll be discussing ways to encrypt data at rest, including both full-disk encryption, and file encryption.
Secure Encryption Software
Enough intro; let's get into secure encryption software you can use for full-disk encryption as well as individual file encryption.
VeraCrypt is free and open source disk encryption software by IDRIX, based on the now-defunct TrueCrypt, that performs on-the-fly encryption.
You can create a virtual encrypted disk inside a file, or encrypt a partition or an entire storage device with pre-boot authentication. All encryption is automatic, real-time and transparent.
It also gives you plausible deniability, in case an adversary forces you to reveal a password, through hidden volumes and a hidden operating system: the hidden volume lives in the free space of an outer volume (which is filled with random data, so its presence cannot be proven), and each volume opens with its own password.
According to its developers, security improvements have been implemented and the issues raised by the TrueCrypt code audit have been addressed.
Here's a short video by TechLore explaining how to use VeraCrypt:
7-Zip is a free and open source file archiver that can create AES-256 encrypted 7z and zip archives. It is extremely lightweight and supports many formats, including 7z, XZ, BZIP2, GZIP, TAR, ZIP and WIM.
The compression ratio is excellent in 7z format with LZMA and LZMA2 compression. On Linux and macOS the command-line port p7zip integrates with front-ends such as File Roller, Xarchiver and Ark, and 7-Zip now also ships its own Linux and macOS command-line builds (7zz). One caveat: in 7z format the file names inside the archive are only encrypted if you enable "Encrypt file names" (-mhe=on on the command line), and zip archives never encrypt file names, so anyone can list what an encrypted zip contains.
Hat.sh is a free, open source, cross-platform web app that provides secure file encryption using AES-256-GCM from the Web Crypto API built into most modern browsers.
It is incredibly easy to use, and it never uploads your files to a server: all encryption happens in your browser, so there is no file size limit and it works offline. You can also download it and run it locally.
Linux Unified Key Setup (LUKS)
LUKS is a free and open source full-disk encryption format for Linux that uses dm-crypt as its encryption backend. It stores all the setup information it needs in the partition header, so you can move or migrate an encrypted volume seamlessly; the header also holds several key slots, so a passphrase can be added, changed or revoked without re-encrypting the data. Keep a backup of the header (cryptsetup luksHeaderBackup): if it is damaged, the data is unrecoverable even with the right passphrase.
It is the de facto standard encryption method on most Linux-based operating systems.
There is also a handy free and open source tool called Tomb that lets you create a locked folder that can be safely transported and hidden in a filesystem; it simplifies creating and managing LUKS containers from the command line.
Cryptomator is free and open source client-side encryption software that encrypts files before they are uploaded to a cloud storage provider of your choice.
It works by creating an encrypted vault (a folder) inside your Google Drive, OneDrive, Dropbox, etc. Files are encrypted individually, names included, so the cloud client can still sync changed files one at a time instead of re-uploading one big container.
To access the vault you enter its password, and it appears as a virtual drive; it's a bit like a VeraCrypt container that lives in your Dropbox or Google Drive.
GNU Privacy Guard
GnuPG is a GPL-licensed alternative to the PGP suite of cryptographic software and implements the OpenPGP standard, RFC 4880. Current versions of PGP (and Veridis' Filecrypt) interoperate with GnuPG and other OpenPGP-compliant systems. It handles both symmetric encryption of a file with a passphrase (gpg --symmetric) and public-key encryption for a recipient (gpg --encrypt --recipient), the latter being exactly the hybrid scheme described earlier: a random session key encrypts the data, and the recipient's public key encrypts the session key.
Secure Encryption Tools Conclusion
I would recommend VeraCrypt or LUKS for full-disk encryption of your computer; 7-Zip and Hat.sh are great picks for encrypting individual files. I really like Cryptomator for seamlessly encrypting data that lives in the public cloud.
That’s all folks!
I will be updating this page frequently with more encryption tools and information.