Every time I hear about a scandal involving leaked documents, I wonder to myself, why weren't they encrypted? Encryption is everywhere, after all. Chrome now puts a little warning marker in the Address Bar next to any non-secure HTTP address. Google is giving HTTPS links precedence in search results over plain, unsecured HTTP links. (The S stands for secure) The Electronic Frontier Foundation aims to protect web traffic by encrypting the entire internet using HTTPS. If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won't be able to parley their possession into identity theft, bank account takeover, or worse. You can also safely share those encrypted documents with others, transmitting the decryption password under separate cover. To help you select an encryption product that's right for your computer, we've rounded up a collection of current products. As we review more products in this area, we'll update the list.
File Encryption, Whole-Disk Encryption, and VPNs
In this roundup, I'm specifically looking at products that encrypt files, not at whole-disk solutions like Microsoft's Bitlocker. Whole-disk encryption is an effective line of defense for a single device, but it doesn't help when you need to share encrypted data.
You can use a Virtual Private Network, or VPN, to encrypt your own internet traffic. From your PC to the VPN company's server, all your data is encrypted, and that's a great thing. However, unless you're connected to a secure HTTPS website, your traffic is not encrypted between the VPN server and the site. And of course the VPN's encryption doesn't just magically rub off on files you share. Using a VPN is a great way to protect your internet traffic when you're traveling, but it's not a solution for encrypting your local files.
No Back Doors
When the FBI needed information from the San Bernardino shooter's iPhone, they asked Apple for a back door to get past the encryption. But no such back door existed, and Apple refused to create one. The FBI had to hire hackers to get into the phone.
Why wouldn't Apple help? Because the moment a back door or similar hack exists, it becomes a target, a prize for the bad guys. It will leak sooner or later. In a talk at Black Hat this past summer, Apple's Ivan Krstic revealed that the company has done something similar in their cryptographic servers. Once the fleet of servers is up and running, they physically destroy the keys that would permit modification. Apple can't update them, but the bad guys can't get in either.
All of the products in this roundup explicitly state that they have no back door, and that's as it should be. It does mean that if you encrypt an essential document and then forget the encryption password, you've lost it for good.
Two Main Approaches
Back in the day, if you wanted to keep a document secret you could use a cipher to encrypt it and then burn the original. Or you could lock it up in a safe. The two main approaches in encryption utilities parallel these options.
One type of product simply processes files and folders, turning them into impenetrable encrypted versions of themselves. The other creates a virtual disk drive that, when open, acts like any other drive on your system. When you lock the virtual drive, all of the files you put into it are completely inaccessible.
Similar to the virtual drive solution, some products store your encrypted data in the cloud. This approach requires extreme care, obviously. Encrypted data in the cloud has a much bigger attack surface than encrypted data on your own PC.
Which is better? It really depends on how you plan to use encryption. If you're not sure, take advantage of the 30-day free trial offered by each of these products to get a feel for the different options.
Secure Those Originals
After you copy a file into secure storage, or create an encrypted version of it, you absolutely need to wipe the unencrypted original. Just deleting it isn't sufficient, even if you bypass the Recycle Bin, because the data still exists on disk, and data recovery utilities can often get it back.
Some encryption products avoid this problem by encrypting the file in place, literally overwriting it on disk with an encrypted version. It's more common, though, to offer secure deletion as an option. If you choose a product that lacks this feature, you should find a free secure deletion tool to use along with it.
Overwriting data before deletion is sufficient to balk software-based recovery tools. Hardware-based forensic recovery works because the magnetic recording of data on a hard drive isn't actually digital. It's more of a waveform. In simple terms, the process involves nulling out the known data and reading around the edges of what's left. If you really think someone (the feds?) might use this technique to recover your incriminating files, you can set your secure deletion tool to make more passes, overwriting the data beyond what even these techniques can recover.
An encryption algorithm is like a black box. Dump a document, image, or other file into it, and you get back what seems like gibberish. Run that gibberish back through the box, with the same password, and you get back the original.
The U.S. government has settled on Advanced Encryption Standard (AES) as a standard, and all of the products gathered here support AES. Even those that support other algorithms tend to recommend using AES.
If you're an encryption expert, you may prefer another algorithm, Blowfish, perhaps, or the Soviet government's GOST. For the average user, however, AES is just fine.
Public Key Cryptography and Sharing
Passwords are important, and you have to keep them secret, right? Well, not when you use Public Key Infrastructure (PKI) cryptography.
With PKI, you get two keys. One is public; you can share it with anyone, register it in a key exchange, tattoo it on your forehead—whatever you like. The other is private, and should be closely guarded. If I want to send you a secret document, I simply encrypt it with your public key. When you receive it, your private key decrypts it. Simple!
Using this system in reverse, you can create a digital signature that proves your document came from you and hasn't been modified. How? Just encrypt it with your private key. The fact that your public key decrypts it is all the proof you need. PKI support is less common than support for traditional symmetric algorithms.
If you want to share a file with someone and your encryption tool doesn't support PKI, there are other options for sharing. Many products allow creation of a self-decrypting executable file. You may also find that the recipient can use a free, decryption-only tool.
What's the Best?
Right now there are three Editors' Choice products in the consumer-accessible encryption field. The first is the easiest to use of the bunch, the next is the most secure, and the third is the most comprehensive.
AxCrypt Premium has a sleek, modern look, and when it's active you'll hardly notice it. Files in its Secured Folders get encrypted automatically when you sign out, and it's one of the few that support public key cryptography.
CertainSafe Digital Safety Deposit Box goes through a multistage security handshake that authenticates you to the site and authenticates the site to you. Your files are encrypted, split into chunks, and tokenized. Then each chunk gets stored on a different server. A hacker who breached one server would get nothing useful.
Folder Lock can either encrypt files or simply lock them so nobody can access them. It also offers encrypted lockers for secure storage. Among its many other features are file shredding, free space shredding, secure online backup, and self-decrypting files.
The other products here also have their merits, too, of course. Read the capsules below and then click through to the full reviews to decide which one you'll use to protect your files. Have an opinion on one of the apps reviewed here, or a favorite tool we didn't mention? Let us know in the comments.
Featured Encryption Software Reviews:
AxCrypt Premium Review
%displayPrice% at %seller% AxCrypt Premium makes encryption simple enough for any user, and even offers public key cryptography for secure sharing of encrypted files. Read the full review
CertainSafe Digital Safety Deposit Box Review
%displayPrice% at %seller% When backing up your sensitive files to the cloud, CertainSafe Digital Safety Deposit Box emphasizes security over all else, but it doesn't sacrifice ease of use. Read the full review
Folder Lock Review
%displayPrice% at %seller% Folder Lock can lock access to files for quick, easy protection, and also keep them in encrypted lockers for serious protection. It combines a wide range of features with a bright, easy-to-use interface. Read the full review
InterCrypto Advanced Encryption Package Review
%displayPrice% at %seller% InterCrypto's Advanced Encryption Package is by far the most feature-rich encryption tool we've tested. But its awkward and dated interface make it one that should be reserved for experts. Read the full review
Ranquel Technologies CryptoForge Review
%displayPrice% at %seller% CryptoForge offers a simple, context-menu-based approach to encryption and secure deletion, and it also handles text-only encryption. It's a fine choice for keeping your files safe. Read the full review
Steganos Safe 18 Review
%displayPrice% at %seller% Steganos Safe 18 creates secure encrypted storage for your sensitive files. It's very easy to use, and it offers some unique options for maintaining privacy and secrecy. Read the full review
Cypherix PE Review
%displayPrice% at %seller% Cypherix PC creates encrypted volumes for storing your sensitive files. Lock the volume and nobody can access the files. It does the job, though it lacks secure deletion. Read the full review
Cypherix SecureIT Review
%displayPrice% at %seller% Cypherix SecureIT handles the basic task of encrypting and decrypting files and folders in a workmanlike fashion, but it lacks advanced features offered by the competition. Read the full review
InterCrypto CryptoExpert 8 Review
%displayPrice% at %seller% Any file you drop into InterCrypto CryptoExpert 8's secure storage vaults gets encrypted when you lock the vault. It's easy to use, but it lacks some features and we found some confusing errors in our testing. Read the full review