Encryption is the process of securing information by translating it into a sort of computer code that is unreadable to anyone not possessing the right credentials, passwords or other authentication means to access this information. This code can theoretically be cracked or broken but strong encryption methods are nearly impervious to such manipulation.
Encryption of data not only entails securing it on local workstations or remote servers, but it must also protect the data when in transit meaning being accessed or transmitted from one party or entity to another.
SEE: Security incident response: Critical steps for cyberattack recovery (TechRepublic Premium)
Securing data via encryption is useful for businesses and consumers alike, especially as our society becomes more and more digitally oriented. Tax returns, account information, copies of identification, Social Security details, bank statements and more should be carefully kept out of the wrong hands. It’s important to point out that basic device security measures like passwords and biometric authentication, while useful to restrict unauthorized access, aren’t the complete picture when it comes to protecting data.
A Windows laptop that is lost or stolen still by default (if not using BitLocker, which we’ll cover) contains unencrypted data easy to extract if an unauthorized individual simply boots the system from a flash drive containing another operating system or removes the computer’s hard drive and connects it to another system for access.
There are different types of encryptions involving data and network traffic. VPN connections and browsers that access secure websites prefaced with “https://” in the URL use encryption with which the end user or IT department does not have to take any specific action (other than those responsible for administering the web servers or network endpoints and the manner in which they operate). That traffic is protected by default.
The type of encryption I’m discussing in the scope of this article relates to file encryption to secure data accessed either locally or remotely, either on a per-file or per-folder basis or applied to entire disk volumes.
What are file encryption techniques?
Encryption relies on encoding algorithms (also known as ciphers) which scramble data via digital keys (measured in bit sizes) to secure the information. Keys can be symmetric (a single key used by all entities involved) or asymmetric (two keys, known as a public and private key pair) whereby separate entities retain their own private key to decrypt data secured with their public key which is available to all entities. Only the private key can unlock the information.
A common type of cipher is called AES which stands for Advanced Encryption Standard, and a standard digital key used for encryption constitutes 256 bits. This powerful combination of data protection would take billions of years to crack.
On the flip side, data secured with good intentions by passwords, keys or other authentication means which are lost or forgotten can be considered irretrievable, so it’s important to securely track this private information when using encryption and ensure it stays safe.
What is encryption software?
Encryption software handles the task of encrypting data, either on an entire-disk approach or an individual file/set of files fashion.
Many products such as Dropbox use encryption on their own and thus can be used to securely transfer files to other individuals by copying them into your Public folder in Dropbox, right-clicking the file, choosing Copy Dropbox Link, then sending the target person the link.
This does not necessarily obviate the need for additional measures to secure data. Someone else who receives that link may still be able to open the file. If your device credentials are compromised, everything you have that is confidential or private will now be accessible to unauthorized parties. Furthermore, if you share a device with someone who shouldn’t necessarily have access to the information you want to keep private, further steps must be taken, and these software products can help.
The first four products are either bundled with their respective operating systems or free to use (with the exception of the mobile version of the fourth product). Regardless of which encryption software you use, back up your related files first and then test out the functionality to ensure all works as it should.
Best encryption software
BitLocker’s primary strength is whole-disk encryption, though it can be used for individual file encryption with some stipulations I’ll cover below.
BitLocker requires you to use a Microsoft account or join your PC to a domain. If you’re a home user, the first option is obviously the best, and for corporate users the second.
Like just about all things Microsoft, BitLocker can be configured in a corporate environment using Group Policy. These settings allow you to determine which drives to encrypt, how to distribute the related keys (also known as certificates), whether and how to use additional authentication, whether and how to use external media like USB flash drives or smart cards to contain keys or facilitate authentication, denying access to non-BitLocker-protected volumes, password requirements and more.
If you’re an individual consumer user, you can get started by simply right-clicking Start, then searching for BitLocker.
Open Manage BitLocker, and then you will be taken to a screen similar to the following:
In order to use BitLocker to encrypt the system drive (C: in this case) your computer must be equipped with a Trusted Platform Module capable of supporting this feature. If so, when you click Turn on BitLocker, you’ll be given the choice of using a password or a smart card to unlock the drive and then to save your related recovery key to a Microsoft account, save it to a file or print it out. You can then proceed with the encryption process.
If you receive an error trying to encrypt the system drive, research the BIOS details of your particular system for how to turn on this feature as it may be disabled; the option may be termed “Secure Boot” or something related, but every manufacturer may have different settings.
Individual file encryption is not available in Windows 10 Home. For Windows 10 Professional and above, you can right-click files, choose Properties, go to Advanced, check off Encrypt Contents To Secure Data and then choose the option to back up the corresponding key, which again is really an SSL certificate, either locally or to an external location.
I recommend the latter for proper safekeeping. This key is needed to open the file, and if your file is backed up elsewhere and your operating system damaged or erased, that key will be required for access.
Platforms/operating systems: Windows
Price: Free. It is included within the operating system.
Apple FileVault is the iOS counterpart to BitLocker and works in much the same way. It can encrypt your entire system drive but not individual files/folders. However, you can use the Disk Utility function to achieve that end, and it will create an encrypted container in the form of a .dmg file. You can then back up this file similar to how you would work with VeraCrypt or Cryptomator files (see below).
To turn FileVault on, click the Apple menu, go to System Preferences, then Security & Privacy.
Click the FileVault tab, enter the appropriate administrator credentials then click Turn On FileVault.
If there are other user accounts on this system, you’ll be asked to enable access per user.
You can choose whether to allow your iCloud account to unlock the disk (recommended) or to create an individual recovery key you’ll need for access.
Platforms/operating systems: Mac
Price: Free. It is included with the operating system.
VeraCrypt is a product I’ve worked with extensively from a consumer standpoint – in fact, I use it every day. You can use VeraCrypt to encrypt your entire operating system, specific volumes and partitions or—in my case—to create encrypted file containers which you can then access and mount like typical drive letters, as shown in the screenshot.
These containers are set up via the software for whatever size you specify. I have set up 250GB containers, but I generally prefer to stick to containers 50GB or less as I keep these in Dropbox, and that’s the current maximum file size limit.
However, try to stick to smaller containers, as I do for my financial information, since 50GB containers will take much longer to upload and download from Dropbox than, say, a 5GB container, which works well for my tax documents.
VeraCrypt can be run in portable mode, which makes it handy to use on the fly. It relies by default on AES encryption, and access is controlled through passwords or keyfiles.
One important option to note about VeraCrypt is that you can set a timeout option to dismount volumes after a certain period of inactivity under Settings | Preferences | Auto-Dismount controls. I specified a 60-minute auto-dismount option so my financial data will be secured after an hour that didn’t access it.
It is possible to share encrypted containers, depending on your cloud storage options; you likely won’t want (nor be able to) email them to recipients but can use an online storage provider to arrange access for others. There is no direct cloud storage functionality in VeraCrypt.
Platforms/operating systems: Windows, Mac, Linux. There is no direct VeraCrypt mobile client, but the EDS Lite Android app can be used to open container files.
Price: Free for consumers and businesses.
Cryptomator is much like VeraCrypt but relies exclusively on the concept of vaults as opposed to containers, both of which are encrypted objects intended to store files. It also doesn’t allow sharing data with others other than the principle of sending someone your vault and the associated password. Like VeraCrypt, Cryptomator has no direct cloud storage functionality.
The principles remain the same between the two products, however. You unlock your vault, access or update your files and folders therein, and then close your vault. The vault can then be backed up to the destination of your choice.
Platforms/operating systems: Windows, Apple, Linux, Android, iOS
Trend Micro Endpoint Encryption
The first of our standalone business-oriented standalone products, Trend Micro’s Endpoint Encryption can encrypt full volumes as well as files and folders. It features a centralized management functionality (including key management) that can integrate with Active Directory to monitor the protection of data, implement policies and ensure the encryption of data at rest and in transit.
It also has the ability to integrate management features with BitLocker and FileVault as well as other Trend Micro offerings such as endpoint protection.
One noteworthy feature is the option to remotely lock, reset or wipe lost or stolen devices even before they boot up, making it a powerful tool to keep data out of unauthorized hands.
You can get a free 30-day trial of Trend Micro’s Endpoint Encryption.
Platforms/operating systems: Windows, Mac
AxCrypt is a worthy contender with the ability to share files within the app, access files securely from mobile devices, secure files online via cloud storage, utilize secured files and folders and handle password management/generation and support.
The basic viewer can only encrypt and decrypt your own files, whereas the standard client for private users offers the more robust features described above. There is also a business client, which is required for company usage and features business priority support and administrative features.
Platforms/operating systems: Windows, Mac, Android and iOS. Only the Windows client offers the full range of features; the Mac and mobile clients can only use the viewer option.
Price: The basic viewer (single user) is free. The standard client is $3.75 per month, and the business client is $9.92 per month.
Broadcom Symantec Encryption
Symantec’s encryption offering, now owned by Broadcom, is a reliable workhorse I have used for years. It faithfully protected hundreds of laptops I administered, and never once did we have any issue with using the product so long as the passphrases used to enact full-disk encryption were carefully retained and applied. Broadcom also offers the option to encrypt file shares, uses PGP Zip to encrypt individual files and folders, and offers powerful command-line options to enact encryption for file transfers and data-processing applications.
Like Trend Micro, it has the ability to conduct centralized workstation/device management and can integrate management features with BitLocker and FileVault. Single sign-on access helps users rapidly get to their data.
There is also an email encryption feature that can be used to send secure messages to recipients as well as integrate with Symantec Data Loss Prevention features. It’s worth pointing out that with ever-growing file sizes and ever-shrinking maximum file size limits associated with email transmissions that this feature is best suited for individual files, rather than a slew of documents.
I was unable to locate an available free trial of this product.
Platforms/operating systems: Windows, Mac, Android and iOS.
Sophos only offers full-disk encryption via PIN or password, but sharing sensitive files via password is also an available option. It includes a cloud-hosted centralized console management offering and a strong emphasis on compliance enforcement and reporting. Like Trend Micro and Symantec, it can integrate management features with BitLocker and FileVault.
A self-service PIN or password recovery option is a nice feature to lower stress for IT departments not having to deal with forgotten passwords, and Windows clients (not Mac) can be prompted routinely to update their PINs or passwords.
You can get a free trial of Sophos.
Platforms/operating systems: Windows, Mac.
Price: While Sophos recommends interested parties contact the company for pricing, as a baseline EnterpriseAV.com offers a per user license cost of $73.87 for a 200-499 user-license quantity.
How to pick the encryption software that’s right for you
Of the eight products I reviewed, two come bundled with the operating system, two are entirely free, one offers free basic functionality, and two more offer demo versions, so trying them out in turn where applicable to your operating system is an excellent idea.
If you simply want all your files encrypted across the board, BitLocker or FileVault will do the job just fine with a minimum of hassle. If you want to protect individual files without sharing them with others, then VeraCrypt, Cryptomator and AxCrypt will suffice without headaches.
For corporate environments or businesses with file sharing or compliance-related needs, Trend Micro, Symantec and Sophos will serve as powerful tools, and I would assign the first two products in the category of enterprise class organizations, whereas Sophos seems better suited for the smaller- or mid-sized shops.
I am more inclined to choose vendors that offer free product trials as well as clear-cut, no-nonsense pricing quotes immediately available on the internet, but it’s also worth pointing out that the vendors that keep their pricing cards close to the vest may also be open to aggressive negotiation to bring down costs, especially at volume discounts.