This is how you protect your files, drives and cloud data with encryption

You naturally prefer to keep privacy-sensitive data to yourself and you have every right to do so. The best way to protect your data is strong encryption. In this article we will show you how to protect not only individual folders and files on your PC, but also entire (system) drives, USB sticks and your data in the cloud.

When you search the internet for tools to keep data away from snoopers, you often end up with techniques that somehow obscure your data. This ranges from simple interventions such as (temporarily) removing a drive letter in the Disk Management module of Windows, to applying ADS (alternate data streams), to commercial tools with a nice graphical interface such as Secret Disk or Wise Folder Hider.

All these methods have in common that the actual data content remains unchanged; only access is somehow masked. This approach alone offers insufficient guarantees (see also box).

For now, the best way to really make your data inaccessible to unauthorized persons is reliable encryption. In this article we therefore focus on (free) tools that use proven encryption algorithms. Let's first look at some solutions to encrypt individual folders and files. We then examine how to encrypt complete (system) partitions and USB sticks and finally we also provide you with a tool with which you can secure your data with various cloud storage providers.

Security by obscurity

There are various tools that are intended to protect your data against unauthorized persons. Unfortunately, there are also a lot of applications that only offer a false sense of security. These usually rely on proprietary techniques that try to hide your data in one way or another (security by obscurity). Just one example: Secret Disk. This tool stores your data in a virtual folder that in principle only becomes visible with the correct password. With a free tool like Process Monitor you can quickly find out the location of this hidden folder (C:\Users\AppData\Local\Administrator tool.{…}). The folder can then simply be opened when you access it, for example, from a live Linux medium. We notified the creator of this tool about this backdoor, but received no response.
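To check whether a "protected" folder really holds ciphertext or only hidden plaintext, you can measure the byte entropy of the files as they sit on disk. The sketch below is an added example, not part of the original article or of any tool it names; the folder and file names are constructed, and random bytes stand in for real AES output.

```python
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for text."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def looks_encrypted(path: str, threshold: float = 7.5, sample: int = 65536) -> bool:
    """Heuristic only: compressed formats (zip, jpg, mp4) also score high,
    and files of under a few KB score low even when they are encrypted."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample)) >= threshold

def audit(folder: str) -> dict:
    """Map every file under folder (hidden ones included) to looks_encrypted()."""
    result = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            result[os.path.relpath(full, folder)] = looks_encrypted(full)
    return result

def demo() -> dict:
    # Constructed sample data: a "hidden" folder holding plain text, and a
    # file of random bytes standing in for the output of a real AES tool.
    with tempfile.TemporaryDirectory() as tmp:
        hidden = os.path.join(tmp, ".hidden_vault")
        os.mkdir(hidden)
        with open(os.path.join(hidden, "payroll.txt"), "wb") as fh:
            fh.write(b"name,iban,salary\nJ. Doe,NL00BANK0123456789,4200\n" * 200)
        with open(os.path.join(tmp, "payroll.txt.aes"), "wb") as fh:
            fh.write(os.urandom(16384))
        return audit(tmp)

if __name__ == "__main__":
    for path, encrypted in sorted(demo().items()):
        print(f"{path}: {'high entropy' if encrypted else 'READABLE AS-IS'}")
```

Run `audit()` against the real storage location of a hiding tool (found with Process Monitor, as described above) to see whether its contents are stored unchanged.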

01 AES Crypt

One of the better tools to encrypt individual folders and files is the free AES Crypt (available for Windows 32 and 64 bit, macOS and Linux). Of course, this has a lot to do with the encryption algorithm used: 256 bit Advanced Encryption Standard, which has been officially approved by the NIST (National Institute of Standards and Technology). In addition, the source code of AES Crypt has been made public, allowing anyone to check for potential backdoors.

After the installation you will find AES Crypt in the context menu of the Explorer: right click on a file (selection) and choose AES Encrypt. Enter a strong password twice and confirm with OK. Now an encrypted copy of your file(s) will be created with the extension aes. Keep in mind that you still have to delete the original data yourself if you wish. You decrypt your data in a similar way: right-click such an aes file, choose AES Decrypt and enter the appropriate password. AES Crypt can also be controlled from the command line.
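Because AES Crypt leaves the original next to the encrypted copy, it is worth auditing a folder for plaintext files that were never removed. The script below is an added example, not code from the article or from the AES Crypt project; it assumes that the encrypted copy is named by appending .aes to the original file name and that AES Crypt files begin with the bytes "AES". The sample files are constructed.

```python
import os
import tempfile

AES_MAGIC = b"AES"  # assumption: AES Crypt files begin with these three bytes

def is_aescrypt_file(path: str) -> bool:
    """True when the file carries the AES Crypt header magic."""
    with open(path, "rb") as fh:
        return fh.read(3) == AES_MAGIC

def leftover_originals(folder: str) -> list:
    """List plaintext files that still sit beside their encrypted .aes copy."""
    leftovers = []
    for root, _dirs, files in os.walk(folder):
        present = set(files)
        for name in files:
            if not name.lower().endswith(".aes"):
                continue
            original = name[:-4]  # assumption: report.docx -> report.docx.aes
            if original in present and is_aescrypt_file(os.path.join(root, name)):
                leftovers.append(os.path.relpath(os.path.join(root, original), folder))
    return sorted(leftovers)

def demo_leftovers() -> list:
    # Constructed sample folder; the .aes bodies are random bytes, not real output.
    with tempfile.TemporaryDirectory() as tmp:
        def write(name, data):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        fake_cipher = AES_MAGIC + b"\x02\x00" + os.urandom(256)
        write("report.docx", b"quarterly figures")      # original never deleted
        write("report.docx.aes", fake_cipher)
        write("notes.txt.aes", fake_cipher)             # original already removed
        write("photo.jpg", b"not encrypted at all")
        write("photo.jpg.aes", b"renamed, no header")   # not an AES Crypt file
        return leftover_originals(tmp)

if __name__ == "__main__":
    for path in demo_leftovers():
        print("plaintext still on disk:", path)
```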

02 Challenger: standard

The free Challenger tool is slightly more complex but also more flexible. The program is only available for Windows; the free version uses 128-bit encryption. During the setup you can choose between an actual installation or a portable version. The latter offers the advantage that it can also be operated from a USB stick.

On the first startup, enter the default password Berlin as the start password. After you confirm, a new dialog box appears. Press the Manage passphrases button there, select Channel A – Masterphrase and click New, after which you enter a strong password (2x). Confirm with OK and with Close. You are now taken to the main window, where you click Activate passphrase and enter the password you just set.

You can now encrypt the desired data by dragging the files, or even an entire folder, onto the Drag&Drop icon in the main window. Then confirm with Encrypt. Since channel A (with its passphrase) is currently active, Challenger automatically uses that channel's password. The files involved are given the extension cha and, unlike with AES Crypt, the original data is also 'wiped' at the same time. If you want to decrypt cha files, drag them to Drag&Drop, click Decrypt and enter the password if prompted.

03 Challenger: Channels

There are eight channels available in Challenger, and each channel can be seen as a repository that is protected with its own password. Use the Manage passphrases button to link a password to a selected channel. If you also want to use channel B, it is a good idea to replace the default password (Berlin) with one of your own.

You may have noticed that channels A and B are “Masterphrase” channels, while the other channels (C to H) are regular “Passphrase” channels. This means that anyone who knows the password of A and/or B automatically also gains access to the data that has been encrypted with (the password of) one of the other channels. The reverse is not true: the password of channel C, for example, can only be used for that one channel. This makes scenarios possible in which parents or employers know a 'master phrase', while the children or employees only know a regular 'pass phrase'.

Also useful to know: it is perfectly possible to encrypt an entire drive (letter) with Challenger in one go. The files on this drive are then encrypted separately.

04 VeraCrypt: Volumes

If it is indeed your intention to encrypt an entire disk (partition), then you are better off with a tool like the free VeraCrypt (available for Windows, macOS and Linux). We're looking at the Windows variant here. VeraCrypt is the unofficial successor to the defunct and once so popular TrueCrypt.

You can also encrypt your system partition with VeraCrypt, but since you probably mainly want to protect your data partition, we limit ourselves to that.

After installation, launch VeraCrypt and press the Create Volume button. Then select Encrypt a non-system partition/drive, press Next and choose Standard VeraCrypt volume. The other option is Hidden VeraCrypt volume: that is a volume that nestles completely inside another, non-hidden volume. Depending on the password you provide, VeraCrypt will mount the outer, non-hidden volume or the inner, hidden volume. If you are ever forced to reveal the password, you will of course only reveal the password of the outer volume: it contains dummy or non-privacy-sensitive data.

05 VeraCrypt: Formatting

We opt for a standard volume here. The next step is logically to indicate the desired volume, which can also be a USB stick. After your confirmation, select Create encrypted volume and format it. However, keep in mind that any existing files will be overwritten with randomly generated data! If necessary, first save them to another location and restore them after creating the volume, so that your data is still encrypted. Press Next again and leave AES selected as the Encryption Algorithm (a combination of several algorithms is also possible). You can also leave the Hash Algorithm set to SHA-512. Press Next again (2x) and enter a complex password (2x). Choose Yes if you want to put files larger than 4 GB on this volume, so that VeraCrypt can provide a suitable file system. In the next window, move the mouse pointer randomly several times. If necessary, put a check next to Quick Format, then click Format. If you are sure of your case, confirm with Yes and wait for the formatting to finish.

06 VeraCrypt: (Dis)mounting

Confirm with OK and with Close, which will take you back to the main VeraCrypt window. In the Drive column, select a free drive letter and click Select Device. Point to the desired volume and press the Mount button, after which you enter the password and confirm with OK. In the meantime the volume can no longer be accessed from Explorer; if you do try, don't heed the suggestion to format it. Moments later, VeraCrypt has mounted your volume on that drive letter. As long as it is mounted, you can also access the volume from Explorer: all data you place here will be automatically encrypted. If you break the link with Dismount, all data on that volume will instantly be inaccessible again.

07 VeraCrypt: portable

As mentioned in tip 05, you can also encrypt a complete USB stick with VeraCrypt. If you also want to access that encrypted stick on other computers on which VeraCrypt is not installed, you should proceed differently. In the creation wizard, choose Create an encrypted file container, then at Volume Location enter a file name that does not yet exist on the stick. After your confirmation, set a suitable volume size and follow the further instructions of the wizard.

The stick should also contain some other files. Make sure the volume on the stick is mounted (see tip 06), open the Tools menu and choose Traveler Disk Setup. Point to (the root folder of) the USB stick with the Browse button; optionally select Start VeraCrypt under AutoRun Configuration. Depending on the Windows configuration on the device, VeraCrypt will then start automatically after plugging in the stick. Confirm with the Create button and close the window. However, keep in mind that you must have administrator rights on the device where you plug in the stick to be able to work with VeraCrypt in portable mode.

If you have Windows Pro, Enterprise or Education, you do not necessarily have to use an external tool to encrypt a (system) partition or a USB stick. You can use the BitLocker feature supplied as standard. You activate this function as follows. Open the Windows Control Panel, go to the section System and Security, click on BitLocker Drive Encryption and select Turn on BitLocker next to the desired drive. If you opt for a removable storage medium, such as a USB stick, you will notice that the technology is called BitLocker To Go (what's in a name). A dialog box will now appear in which you follow the further instructions. This means that you enter a password that you store somewhere safe and that you indicate whether you encrypt the entire disk or only the used disk space. Finally, press the Start encrypting button.

If you want to encrypt your system partition, your computer must in principle have a TPM module. If BitLocker complains about this, you can also solve it with software. Instructions for this can be found online.

08 USB stick

Do you find the method of VeraCrypt a bit too cumbersome to securely encrypt your USB stick, or does your stick not provide a hardware solution to encrypt your data (protected with a fingerprint or with a number pad, as with the Corsair Padlock)? Then you can also get away with a tool like Rohos Mini Drive or the somewhat older SecurStick. Unlike the portable VeraCrypt, these tools do not require administrator rights.

Rohos Mini Drive creates a virtual partition, encrypted with AES-256, which can be accessed via its own drive letter after entering the password. The free version does limit you to a partition of up to 8 GB.

SecurStick works completely differently (available for 32- and 64-bit Windows, macOS and Linux). You place the exe file on your stick and start it from there. Your browser will now automatically open the local page //, as SecurStick installs itself as a WebDAV server. Once you enter a password, an AES 256-bit encrypted container is created on your stick. After your confirmation, you can access it via your browser (via //localhost/X) or via the Explorer. The size of the container automatically adapts to the data placed in it.

09 Cryptomator: start

Chances are, of course, that you don't keep all your data exclusively locally and that you use one or more cloud storage services. Some providers do allow you to encrypt that data, but in most cases the provider (also) has the decryption key in their hands. If you're not comfortable with that, consider a free tool like Cryptomator (available for Windows, macOS, Linux). This ensures that the data in your local sync folder is encrypted before it is sent to the cloud storage service. Here we briefly review the Windows variant of Cryptomator. The installation is done with a few mouse clicks and when you start the program for the first time, the window is empty. Logical, because you first have to create a 'safe'.

10 Cryptomator: Vault

To do this, click the plus button and select Create New Vault. An Explorer window will appear pointing you to a folder. This can be a standard folder on your drive, but just as well a (sub)folder within the sync folder of your cloud storage service, such as Dropbox, OneDrive or Google Drive.

Provide an appropriate file name for your vault, click Save, enter a strong password and confirm with Create vault. As soon as you enter the password and press Unlock Vault, the vault becomes available as a virtual drive in the Explorer. The drive letter is assigned automatically unless you specify a different letter via More options.

This function is also available via WebDAV: select the vault, click the arrow next to Lock Vault and choose Copy WebDAV URL. You can then paste this URL into the address bar of your Explorer. By default this will be something like //localhost:42427//, but you can still change the port number via the gear icon at the bottom of your vault overview.

As soon as you click Lock Vault, you will only see AES 256-bit encrypted data. Similarly, you can now create other vaults, including for other cloud storage services.