You should always use secure, open source encryption software to encrypt the data on your hard drives and in your emails and messages. Don't trust any company with your data: always encrypt it yourself.
Encryption is not the same thing as password protection. Just because something is password protected doesn’t mean it’s encrypted.
Most companies love to advertise that they encrypt your data, but they hold the keys too. Encrypt your data before sending it anywhere, and don't rely on the encryption provided by the apps and services you use.
Password protection vs. Encryption
Encryption is not the same thing as Password protection.
Password protection is kinda like putting a padlock on a box with the data inside it. If you break the box open or otherwise get at the data inside, that password or padlock is useless.
Encryption literally alters the data, rendering it unreadable. The only way to get the data back is to know the "key", which is usually a password that can decrypt the data.
A password is just a key that opens a lock; it hides something from sight. Encryption actually alters the data itself. You can give encrypted data to anyone you want, and they can read it bit for bit, but without decrypting it those bits are useless. You can learn more about encryption here.
I hate to break it to you guys, but all those app locks on your phones are just plain stupid: they give you a false sense of protection.
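To make the padlock-versus-encryption distinction concrete, here is an added example (not code from the original post): a "password-protected" box whose password only gates an API call while the payload is stored as-is, next to real encryption that transforms the bytes. The cipher is a minimal password-derived stream cipher with an authentication tag, written only to illustrate the idea; the sample record is constructed.

```python
import hashlib
import hmac
import os

SECRET = b"account=alice; card=4111-1111-1111-1111"  # constructed sample, not real data

def lock(password: str, data: bytes) -> dict:
    # "Password protection": the password gates unlock(); the payload sits in storage untouched.
    return {"password": password, "payload": data}

def unlock(box: dict, password: str) -> bytes:
    if password != box["password"]:
        raise PermissionError("wrong password")
    return box["payload"]

def _keys(password: str, salt: bytes) -> tuple:
    # Stretch the password into separate encryption and MAC keys (PBKDF2-HMAC-SHA256).
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: illustrative only, not a substitute for vetted tools.
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + i.to_bytes(8, "big"), "sha256").digest()
        i += 1
    return out[:length]

def encrypt(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, "sha256").digest()  # encrypt-then-MAC
    return salt + nonce + body + tag

def decrypt(password: str, blob: bytes) -> bytes:
    salt, nonce, body, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, "sha256").digest()):
        raise ValueError("wrong password or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

def demo() -> dict:
    box, blob = lock("hunter2", SECRET), encrypt("hunter2", SECRET)
    return {
        "lock_leaks_plaintext": SECRET in box["payload"],  # read storage directly: lock bypassed
        "cipher_leaks_plaintext": SECRET in blob,          # the bytes reveal nothing
        "roundtrip_ok": decrypt("hunter2", blob) == SECRET,
    }
```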
Encrypting Personal Data
With all of that out of the way, let's see how you can securely encrypt your hard drive and other important files. There are different types of encryption:
Encrypting Data In Transit
Data in transit is data that is moving over a network from one place to another. Sending messages, making video calls, and so on are good examples of data in transit: the data moves from your device to the app company's servers and on to your recipient's device.
Web browsing is another example where data travels to and from your device and the website’s server. There are basically two ways to implement encryption on data that is in transit:
1. Transport-Layer Encryption.
Transport-layer encryption, also known as Transport Layer Security (TLS), protects data as it travels from your device to the server and from the server to your recipient. You, the middle server, and the recipient all have access to the unencrypted data in this case.
TLS works great when you are browsing the web, but not so much when you are, say, chatting or video calling, because the middle server has access to all the data. TLS coupled with end-to-end encryption is the way to go for communications online.
Examples: HTTPS (Hyper Text Transfer Protocol Secure) & VPN (Virtual Private Network)
2. End-to-End Encryption.
End-to-end encryption (E2E encryption) protects data in transit all the way from the sender to the receiver. Only you and the recipient have access to the unencrypted data in this case.
E2E encryption is great for online communications, but you should also make sure it is implemented correctly. Check out this post on encrypted messaging apps that are open source, use end-to-end encryption, and respect your privacy.
Check out this article by EFF to learn more about End-to-End Encryption.
Examples: Signal and other end-to-end encrypted messaging apps.
Transport-Layer or End-to-End Encryption
A key question to ask when choosing between end-to-end and transport-layer encryption is: do you trust the app or service you are using? Do you trust its technical infrastructure? How about its policies to protect against law enforcement requests?
If the answer is "no," then you need E2E encryption. If your answer is "yes" to these questions, then a service that supports only TLS may be sufficient for you, but I would still recommend an end-to-end encrypted service.
This diagram from eff.org sums up both transport-layer and end-to-end encryption:
Encrypting Data at Rest
Data at rest is data that is stored somewhere: on your phone, computer, server, or any other storage device.
There are two ways to go about encrypting data at rest:
1. Full-Disk Encryption.
Full-disk encryption, also known as device encryption, protects all the data stored on a device by encrypting all of it, unlocked with a passphrase, password, or other authentication method.
On a phone or laptop, this usually looks just like a typical device lock screen, requiring a PIN, password, or thumbprint.
However, just locking your device (i.e., requiring a password to "unlock" it) does not always mean that full-disk encryption is enabled. It may just mean you have enabled password protection, which, as discussed above, is not the same as encryption.
2. File Encryption.
File encryption protects only specific, individual files on a computer or storage device by encrypting them with a passphrase, password, or other authentication method.
I'll be discussing ways to encrypt data at rest, covering both full-disk encryption and file encryption.
Secure Encryption Software
Enough intro; let's get into secure encryption software that you can use for full-disk encryption as well as individual file encryption.
VeraCrypt is free and open source disk encryption software by IDRIX, based on the now defunct TrueCrypt, and used for on-the-fly encryption.
You can create a virtual encrypted disk within a file or encrypt a partition or the entire storage device with pre-boot authentication. All encryption is automatic, real-time and transparent.
By creating a hidden volume or a hidden operating system on your computer, it also provides plausible deniability in case an adversary forces you to reveal a password.
According to its developers, security improvements have been implemented and issues raised by the initial TrueCrypt code audit have been addressed.
Here’s a short video by TechLore explaining how you can use VeraCrypt:
7-Zip is a free and open source file archiver that can be used to create AES-256 encrypted zip and 7z archives. It is extremely lightweight, supports multiple formats like GZIP, TAR, and WIM, and integrates strongly with the Windows shell.
There is a powerful command-line version too, with a high compression ratio in the 7z format using LZMA and LZMA2 compression. On Linux, macOS, etc., the command-line tool p7zip is used and integrates into various interfaces such as File Roller, Xarchiver, and Ark.
Hat.sh is incredibly easy to use, and the app never uploads your files to a server. There is no file size limit, and it works offline right in your browser. You can also download it and run it without opening the website.
Linux Unified Key Setup (LUKS)
LUKS is a free and open source full-disk encryption system for Linux that uses dm-crypt as the disk encryption backend. It stores all the necessary setup information in the partition header, enabling you to transport or migrate your data seamlessly.
Tomb provides you with a simple zsh script to create and manage LUKS containers via the command line.
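Since a lock screen alone does not prove that full-disk encryption is on, here is an added check (not part of the original post or of LUKS/Tomb) for a Linux box: it parses the JSON output of util-linux's `lsblk -J` and reports whether the device mounted at a given path sits on a dm-crypt ("crypt") layer. The sample `lsblk` output is constructed; the `check_live` helper is an assumption that `lsblk` is on the PATH.

```python
import json
import subprocess

# Constructed `lsblk -J` output: the root filesystem sits on a dm-crypt mapping
# (sda2 -> cryptroot), while /data on sdb1 has no encryption layer at all.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/data"}]}
]}
"""

def _mountpoints(dev: dict) -> list:
    # util-linux 2.37+ emits "mountpoints": [...]; older releases emit a single "mountpoint".
    mps = dev.get("mountpoints") or [dev.get("mountpoint")]
    return [m for m in mps if m]

def device_chain(tree: dict, mountpoint: str):
    """Return the disk -> ... -> device chain ending at the device mounted at `mountpoint`."""
    def walk(dev: dict, path: list):
        path = path + [dev]
        if mountpoint in _mountpoints(dev):
            return path
        for child in dev.get("children", []):
            hit = walk(child, path)
            if hit:
                return hit
        return None
    for top in tree["blockdevices"]:
        hit = walk(top, [])
        if hit:
            return hit
    return None

def is_encrypted(lsblk_json: str, mountpoint: str = "/") -> bool:
    """True only if a dm-crypt ('crypt') layer sits somewhere beneath the mountpoint."""
    chain = device_chain(json.loads(lsblk_json), mountpoint)
    if chain is None:
        raise ValueError(f"nothing mounted at {mountpoint}")
    return any(dev.get("type") == "crypt" for dev in chain)

def check_live(mountpoint: str = "/") -> bool:
    # Assumption: run on a real Linux host where util-linux's lsblk is installed.
    out = subprocess.run(["lsblk", "-J"], capture_output=True, text=True, check=True).stdout
    return is_encrypted(out, mountpoint)
```

Call `check_live()` on the machine you want to verify; a False for "/" means the lock screen is only password protection, not full-disk encryption.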
Cryptomator is free and open source client-side encryption software that lets you encrypt files before uploading them to a cloud service provider of your choice. Only you have access to the keys to your data. It lets you access your files from all your devices by sitting transparently between your data and the cloud.
GNU Privacy Guard
GnuPG is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis’ Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems.
It is a part of the Free Software Foundation’s GNU software project, and has received major funding from the German government.
Secure Encryption Tools
I would recommend using VeraCrypt or LUKS for full-disk encryption of your computer instead of something like BitLocker. 7-Zip and Hat.sh are a great pick if you want to encrypt individual files on your computer. I really like the idea of using Cryptomator, as it seamlessly encrypts the data while letting me access it from the cloud.
That’s all folks!
I will be updating this page frequently with more encryption tools, and information.