Microsoft Folder Encryption

The Encrypting File System (EFS) on Microsoft Windows is a feature introduced in version 3.0 of NTFS[1] that provides filesystem-level encryption. The technology enables files to be transparently encrypted to protect confidential data from attackers with physical access to the computer.

EFS is available in all versions of Windows developed for business environments (see Supported operating systems below) from Windows 2000 onwards.[2] By default, no files are encrypted, but encryption can be enabled by users on a per-file, per-directory, or per-drive basis. Some EFS settings can also be mandated via Group Policy in Windows domain environments.[3]

Cryptographic file system implementations for other operating systems are available, but the Microsoft EFS is not compatible with any of them.[4] See also the list of cryptographic file systems.

Basic ideas

When an operating system is running on a system without file encryption, access to files normally goes through OS-controlled user authentication and access control lists. However, if an attacker gains physical access to the computer, this barrier can be easily circumvented. One way, for example, would be to remove the disk and put it in another computer with an OS installed that can read the filesystem; another would be to simply reboot the computer from a boot CD containing an OS that is suitable for accessing the local filesystem.

The most widely accepted solution to this is to store the files encrypted on the physical media (disks, USB pen drives, tapes, CDs and so on).

In the Microsoft Windows family of operating systems EFS enables this measure, although on NTFS drives only, and does so using a combination of public key cryptography and symmetric key cryptography to make decrypting the files extremely difficult without the correct key.

However, the cryptography keys for EFS are in practice protected by the user account password, and are therefore susceptible to most password attacks. In other words, the encryption of a file is only as strong as the password to unlock the decryption key.

Operation

Operation of Encrypting File System

EFS works by encrypting a file with a bulk symmetric key, also known as the File Encryption Key, or FEK. It uses a symmetric encryption algorithm because it takes less time to encrypt and decrypt large amounts of data than if an asymmetric key cipher is used. The symmetric encryption algorithm used will vary depending on the version and configuration of the operating system; see Algorithms used by Windows version below. The FEK (the symmetric key that is used to encrypt the file) is then encrypted with a public key that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS alternative data stream of the encrypted file.[5] To decrypt the file, the EFS component driver uses the private key that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. The EFS component driver then uses the symmetric key to decrypt the file. Because the encryption and decryption operations are performed at a layer below NTFS, they are transparent to the user and all their applications.

Folders whose contents are to be encrypted by the file system are marked with an encryption attribute. The EFS component driver treats this encryption attribute in a way that is analogous to the inheritance of file permissions in NTFS: if a folder is marked for encryption, then by default all files and subfolders that are created under the folder are also encrypted. When encrypted files are moved within an NTFS volume, the files remain encrypted. However, there are a number of occasions in which the file could be decrypted without the user explicitly asking Windows to do so.

Files and folders are decrypted before being copied to a volume formatted with another file system, like FAT32. Finally, when encrypted files are copied over the network using the SMB/CIFS protocol, the files are decrypted before they are sent over the network.

The most significant way of preventing the decryption-on-copy is using backup applications that are aware of the 'Raw' APIs. Backup applications that have implemented these Raw APIs will simply copy the encrypted file stream and the $EFS alternative data stream as a single file. In other words, the files are 'copied' (e.g. into the backup file) in encrypted form, and are not decrypted during backup.

Starting with Windows Vista, a user's private key can be stored on a smart card; Data Recovery Agent (DRA) keys can also be stored on a smart card.[6]

Security

Vulnerabilities

Two significant security vulnerabilities existed in Windows 2000 EFS, and have been variously targeted since.

Decrypting files using the local Administrator account

In Windows 2000, the local administrator is the default Data Recovery Agent, capable of decrypting all files encrypted with EFS by any local user. EFS in Windows 2000 cannot function without a recovery agent, so there is always someone who can decrypt encrypted files of the users. Any non-domain-joined Windows 2000 computer will be susceptible to unauthorized EFS decryption by anyone who can take over the local Administrator account, which is trivial given many tools available freely on the Internet.[7]

In Windows XP and later, there is no default local Data Recovery Agent and no requirement to have one. Setting SYSKEY to mode 2 or 3 (syskey typed in during bootup or stored on a floppy disk) will mitigate the risk of unauthorized decryption through the local Administrator account. This is because the local user's password hashes, stored in the SAM file, are encrypted with the Syskey, and the Syskey value is not available to an offline attacker who does not possess the Syskey passphrase/floppy.

Accessing private key via password reset

In Windows 2000, the user's RSA private key is not only stored in a truly encrypted form, but there is also a backup of the user's RSA private key that is more weakly protected. If an attacker gains physical access to the Windows 2000 computer and resets a local user account's password,[7] the attacker can log in as that user (or recovery agent) and gain access to the RSA private key which can decrypt all files. This is because the backup of the user's RSA private key is encrypted with an LSA secret, which is accessible to any attacker who can elevate their login to LocalSystem (again, trivial given numerous tools on the Internet).

In Windows XP and beyond, the user's RSA private key is backed up using an offline public key whose matching private key is stored in one of two places: the password reset disk (if Windows XP is not a member of a domain) or in the Active Directory (if Windows XP is a member of a domain). This means that an attacker who can authenticate to Windows XP as LocalSystem still does not have access to a decryption key stored on the PC's hard drive.

In Windows 2000, XP or later, the user's RSA private key is encrypted using a hash of the user's NTLM password hash plus the user name – use of a salted hash makes it extremely difficult to reverse the process and recover the private key without knowing the user's passphrase. Also, again, setting Syskey to mode 2 or 3 (Syskey typed in during bootup or stored on a floppy disk) will mitigate this attack, since the local user's password hash will be stored encrypted in the SAM file.

Other issues

Once a user is logged on successfully, access to his own EFS encrypted data requires no additional authentication; decryption happens transparently. Thus, any compromise of the user's password automatically leads to access to that data. Windows can store versions of user account passphrases with reversible encryption, though this is no longer default behaviour; it can also be configured to store (and will by default on the original version of Windows XP and lower) LAN Manager hashes of the local user account passphrases, which can be attacked and broken easily. It also stores local user account passphrases as NTLM hashes, which can be fairly easily attacked using 'rainbow tables' if the passwords are weak (Windows Vista and later versions don't allow weak passwords by default). To mitigate the threat of trivial brute-force attacks on local passphrases, older versions of Windows need to be configured (using the Security Settings portion of Group Policy) to never store LM hashes, and of course, to not enable Autologon (which stores plaintext passphrases in the registry). Further, using local user account passphrases over 14 characters long prevents Windows from storing an LM hash in the SAM – and has the added benefit of making brute-force attacks against the NTLM hash harder.

When encrypting files with EFS – when converting plaintext files to encrypted files – the plaintext files are not wiped, but simply deleted (i.e. data blocks flagged as 'not in use' in the filesystem). This means that, unless they for example happen to be stored on an SSD with TRIM support, they can be easily recovered unless they are overwritten. To fully mitigate known, non-challenging technical attacks against EFS, you should configure encryption at the folder level (so that all temporary files like Word document backups which are created in these directories are also encrypted). When you wish to encrypt individual files, copy them to an encrypted folder or encrypt the file 'in place', and then securely wipe the disk volume. You can use the Windows Cipher utility (with the /W option) to wipe free space including that which still contains deleted plaintext files; various third-party utilities may work as well.[8]

Anyone who can gain Administrators access can overwrite, override or change the Data Recovery Agent configuration. This is a very serious issue, since an attacker can for example hack the Administrator account (using third-party tools), set whatever DRA certificate they want as the Data Recovery Agent and wait. This is sometimes referred to as a two-stage attack, which is a significantly different scenario than the risk due to a lost or stolen PC, but which highlights the risk due to malicious insiders.

When the user encrypts files after the first stage of such an attack, the FEKs are automatically encrypted with the designated DRA's public key. The attacker only needs to access the computer once more as Administrator to gain full access to all those subsequently EFS-encrypted files. Even using Syskey mode 2 or 3 does not protect against this attack, because the attacker could back up the encrypted files offline, restore them elsewhere and use the DRA's private key to decrypt the files. Of course, if such a malicious insider can gain physical access to the computer, you might consider all security features to be irrelevant, because they could also install rootkits, software or even hardware keyloggers etc. on the computer – which is potentially much more interesting and effective than overwriting DRA policy.

Recovery

Files encrypted with EFS can only be decrypted by using the RSA private key(s) matching the previously used public key(s). The stored copy of the user's private key is ultimately protected by the user's logon password. Accessing encrypted files from outside Windows with other operating systems (Linux, for example) is not possible, not least because there is currently no third party EFS component driver. Further, using special tools to reset the user's login password will render it impossible to decrypt the user's private key and thus useless for gaining access to the user's encrypted files. The significance of this is occasionally lost on users, resulting in data loss if a user forgets his or her password, or fails to back up the encryption key. This led to coining of the term 'delayed recycle bin', to describe the seeming inevitability of data loss if an inexperienced user encrypts his or her files.

If EFS is configured to use keys issued by a Public Key Infrastructure and the PKI is configured to enable Key Archival and Recovery, encrypted files can be recovered by recovering the private key first.

Keys

  • user password (or smart card private key): used to generate a decryption key to decrypt the user's DPAPI Master Key
  • DPAPI Master Key: used to decrypt the user's RSA private key(s)
  • RSA private key: used to decrypt each file's FEK
  • File Encryption Key (FEK): used to decrypt/encrypt each file's data (in the primary NTFS stream)
  • SYSKEY: used to encrypt the cached domain verifier and the password hashes stored in the SAM
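The key hierarchy described in the Operation section and in the list above (a bulk FEK per file, wrapped with the RSA public key of the user and of every Data Recovery Agent) as an added Go model; this is illustrative code written for this page, not Microsoft's EFS implementation. It assumes AES-256-GCM and RSA-OAEP as stand-ins for the actual EFS modes, invents the names Principal, KeyEntry, Encrypt, Decrypt and Decryptors, and leaves out the DPAPI master key and SYSKEY layers that protect the stored private key; the Decryptors helper is the audit view that shows why an unexpected DRA entry (the two-stage attack above) matters.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Principal is a user or Data Recovery Agent (DRA): a constructed label plus the
// RSA public key that EFS would take from the principal's certificate.
type Principal struct {
	Name string
	Pub  *rsa.PublicKey
}

// KeyEntry is one copy of the File Encryption Key (FEK) wrapped with a principal's
// public key, as stored in the $EFS alternate data stream.
type KeyEntry struct {
	Owner      string
	WrappedFEK []byte
}

// EncryptedFile models an EFS file: ciphertext in the primary NTFS stream, plus the
// $EFS stream's Data Decryption Field (users) and Data Recovery Field (agents).
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	DDF, DRF          []KeyEntry
}

// fekCipher builds the bulk cipher from a 32-byte FEK (AES-256-GCM stands in for the mode EFS really uses; a 32-byte key cannot fail).
func fekCipher(fek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func wrapFEK(p Principal, fek []byte) (KeyEntry, error) {
	w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.Pub, fek, nil)
	return KeyEntry{Owner: p.Name, WrappedFEK: w}, err
}

// Encrypt draws a fresh bulk FEK, encrypts the data symmetrically, then wraps the
// FEK once for the owning user and once for every configured recovery agent.
func Encrypt(plain []byte, user Principal, dras []Principal) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: fekCipher(fek).Seal(nil, nonce, plain, nil)}
	e, err := wrapFEK(user, fek)
	if err != nil {
		return nil, err
	}
	ef.DDF = append(ef.DDF, e)
	for _, dra := range dras {
		if e, err = wrapFEK(dra, fek); err != nil {
			return nil, err
		}
		ef.DRF = append(ef.DRF, e)
	}
	return ef, nil
}

// Decrypt mirrors the EFS driver: the private key is tried against every DDF and
// DRF entry, and only a key that unwraps the FEK can decrypt the file data.
func Decrypt(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, e := range append(append([]KeyEntry{}, ef.DDF...), ef.DRF...) {
		fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedFEK, nil)
		if err != nil {
			continue // this copy was wrapped for a different key
		}
		return fekCipher(fek).Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, errors.New("no DDF or DRF entry matches this private key")
}

// Decryptors lists every principal able to recover the file; reviewing it is the audit that exposes an unexpected recovery agent.
func Decryptors(ef *EncryptedFile) []string {
	var names []string
	for _, e := range append(append([]KeyEntry{}, ef.DDF...), ef.DRF...) {
		names = append(names, e.Owner)
	}
	return names
}

func main() {
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	draKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := Encrypt([]byte("constructed sample document"),
		Principal{"alice", &userKey.PublicKey}, []Principal{{"DRA", &draKey.PublicKey}})
	plain, _ := Decrypt(ef, draKey) // the recovery agent can read the file too
	fmt.Printf("decryptors=%v recovered=%q\n", Decryptors(ef), plain)
}
```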

Supported operating systems

Windows

  • Windows 2000 Professional, Server, Advanced Server and Datacenter editions
  • Windows XP Professional, also in Tablet PC Edition, Media Center Edition and x64 Edition
  • Windows Server 2003 and Windows Server 2003 R2, in both x86 and x64 editions
  • Windows Vista Business, Enterprise and Ultimate editions[9]
  • Windows 7 Professional, Enterprise and Ultimate editions
  • Windows Server 2008 and Windows Server 2008 R2
  • Windows 8 and 8.1 Pro and Enterprise editions
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows 10 Pro, Enterprise, and Education editions.

Other operating systems

No other operating systems or file systems have native support for EFS.

New features available by Windows version

Windows XP
  • Encryption of the Client-Side Cache (Offline Files database)
  • Protection of DPAPI Master Key backup using domain-wide public key
  • Autoenrollment of user certificates (including EFS certificates)
  • Multiple-user (shared) access to encrypted files (on a file-by-file basis) and revocation checking on certificates used when sharing encrypted files
  • Encrypted files can be shown in an alternative color (green by default)
  • No requirement for mandatory Recovery Agent
  • Warning when files may be getting silently decrypted when moving to an unsupported file system
  • Password reset disk
  • EFS over WebDAV and remote encryption for servers delegated in Active Directory
Windows XP SP1
  • Support for and default use of AES-256 symmetric encryption algorithm for all EFS-encrypted files
Windows XP SP2 + KB 912761
  • Prevent enrollment of self-signed EFS certificates
Windows Server 2003
  • Digital Identity Management Service
  • Enforcement of RSAKeyLength setting for enforcing a minimum key length when enrolling self-signed EFS certificates
Windows Vista[10] and Windows Server 2008[11][12]
  • Per-user encryption of Client-Side Cache (Offline Files)
  • Support for storing (user or DRA) RSA private keys on a PC/SC smart card
  • EFS Re-Key Wizard
  • EFS Key backup prompts
  • Support for deriving DPAPI Master Key from PC/SC smart card
  • Support for encryption of pagefile.sys
  • Protection of EFS-related secrets using BitLocker (Enterprise or Ultimate edition of Windows Vista)[13][14]
  • Group Policy controls to enforce
    • Encryption of Documents folder
    • Offline files encryption
    • Indexing of encrypted files
    • Requiring smart card for EFS
    • Creating a caching-capable user key from smart card
    • Displaying a key backup notification when a user key is created or changed
    • Specifying the certificate template used for enrolling EFS certificates automatically
Windows Server 2008[12]
  • EFS self-signed certificates enrolled on the Windows Server 2008 server will default to 2048-bit RSA key length
  • All EFS templates (user and data recovery agent certificates) default to 2048-bit RSA key length
Windows 7 and Windows Server 2008 R2[15]
  • Elliptic-curve cryptographic algorithms (ECC). Windows 7 supports a mixed mode operation of ECC and RSA algorithms for backward compatibility
  • EFS self-signed certificates, when using ECC, will use 256-bit key by default.
  • EFS can be configured to use 1K/2k/4k/8k/16k-bit keys when using self-signed RSA certificates, or 256/384/521-bit keys when using ECC certificates.
Windows 10 version 1607 and Windows Server 2016
  • EFS support on FAT and exFAT.[16]

Algorithms used by Windows version

Windows EFS supports a range of symmetric encryption algorithms, depending on the version of Windows in use when the files are encrypted:

Operating system                   | Default algorithm         | Other algorithms
Windows 2000                       | DESX                      | (none)
Windows XP RTM                     | DESX                      | Triple DES
Windows XP SP1                     | AES                       | Triple DES, DESX
Windows Server 2003                | AES                       | Triple DES, DESX[17]
Windows Vista                      | AES                       | Triple DES, DESX
Windows Server 2008                | AES                       | Triple DES, DESX (?)
Windows 7 / Windows Server 2008 R2 | Mixed (AES, SHA, and ECC) | Triple DES, DESX

References

  1. 'File Encryption (Windows)'. Microsoft. Retrieved 2010-01-11.
  2. EFS is available on Windows 2000 Server and Workstation, on Windows XP Professional, on Windows Server 2003 and 2008, and on Windows Vista and Windows 7 Business, Enterprise and Ultimate. EFS is not available on Windows XP Home Edition, nor on the Starter, Basic, and Home Premium editions of Windows Vista and Windows 7. It could not be implemented in the Windows 9x series of operating systems, since they did not natively support NTFS, which is the foundation for EFS.
  3. 'Encrypting File System'. Microsoft. 1 May 2008. Retrieved 24 August 2011.
  4. 'Cryptographic Filesystems, Part One: Design and Implementation'. Security Focus. Retrieved 2010-01-11.
  5. 'Encrypting File System'.
  6. Chris Corio (May 2006). 'First Look: New Security Features in Windows Vista'. TechNet Magazine. Microsoft. Archived from the original on 2006-11-10. Retrieved 2006-11-06.
  7. ntpasswd, available since 1997. Archived February 12, 2016, at the Wayback Machine.
  8. 'The Encrypting File System'. technet.microsoft.com.
  9. 'Windows - Official Site for Microsoft Windows 10 Home & Pro OS, laptops, PCs, tablets & more'. www.microsoft.com. Archived from the original on 2007-02-03. Retrieved 2008-01-20.
  10. Kim Mikkelsen (2006-09-05). 'Windows Vista Session 31: Rights Management Services and Encrypting File System' (PDF). Presentation. Microsoft. Retrieved 2007-10-02. [dead link]
  11. 'Encrypting File System'. Documentation. Microsoft. 2007-04-30. Archived from the original on 2014-01-20. Retrieved 2007-11-06.
  12. 'Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008: Encrypting File System'. Documentation. Microsoft. 2007-09-01. Archived from the original on 2008-03-25. Retrieved 2007-11-06.
  13. Scott Field (June 2006). 'Microsoft Windows Vista Security Enhancements' (DOC). Whitepaper. Microsoft. Retrieved 2007-06-14.
  14. Microsoft Corporation (2006-11-30). 'Data Communication Protocol'. Patent. Microsoft. Retrieved 2007-06-14.
  15. 'Changes in EFS'. Microsoft TechNet. Retrieved 2009-05-02.
  16. '[MS-FSCC]: Appendix B: Product Behavior'. Microsoft. 2017-09-15. Retrieved 2017-10-02. Support for FAT and EXFAT was added in Windows 10 v1607 operating system and Windows Server 2016 and subsequent.
  17. Muller, Randy (May 2006). 'How IT Works: Encrypting File System'. TechNet Magazine. Microsoft. Retrieved 2009-05-22.

Further reading

  • 'Implementing the Encrypting File System in Windows 2000'. Windows 2000 Evaluated Configuration Administrators Guide. Microsoft. Retrieved 20 December 2014.
  • Bragg, Roberta. 'The Encrypting File System'. TechNet. Microsoft.
  • 'Encrypting File System (Windows Server 2008, Windows Vista)'. TechNet. Microsoft. February 25, 2009.
  • 'Encrypting File System in Windows XP and Windows Server 2003'. TechNet. Microsoft. April 11, 2003.
  • Network Associates Laboratories. 'How to Use the Encrypting File System (Windows Server 2003, Windows XP Professional)'. MSDN. Microsoft.
  • 'Using Encrypting File System'. Windows XP Resource Kit. Microsoft. November 3, 2005.
  • 'Encrypting File System'. Windows 2000 Resource Kit. Microsoft.
  • 'How EFS Works'. Windows 2000 Resource Kit. Microsoft.
Retrieved from 'https://en.wikipedia.org/w/index.php?title=Encrypting_File_System&oldid=916634509'

Keeping your personal data safe doesn't have to be difficult—as long as you keep the sensitive stuff encrypted and under your control. That's why this week we're looking at the five best file encryption tools you can use to encrypt your data locally so only you have the key.

Earlier in the week we asked you for your favorite file encryption tools, and you gave us tons of great nominations, but as always, we only have room for the top five.

For the purposes of our roundup, we're focusing on desktop file encryption tools - the ones you use on your own computer to encrypt your own private data, not cloud services that promise to encrypt your data, or business services that say they offer encryption. The goal here is to find the best tools you can use to lock down your sensitive files—whether they're photos, financial documents, personal backups, or anything else—and keep them locked down so only you have the key. For those unfamiliar with the topic, we have a great guide on how encryption works, and how you can use it to keep your own data safe.

With that out of the way, here are your top five, in no particular order:

VeraCrypt (Windows/OS X/Linux)

VeraCrypt is a fork of and a successor to TrueCrypt, which ceased development last year (more on them later.) The development team claims they've addressed some of the issues that were raised during TrueCrypt's initial security audit, and like the original, it's free, with versions available for Windows, OS X, and Linux. If you're looking for a file encryption tool that works like and reminds you of TrueCrypt but isn't exactly TrueCrypt, this is it. VeraCrypt supports AES (the most commonly used), TwoFish, and Serpent encryption ciphers, supports the creation of hidden, encrypted volumes within other volumes. Its code is available to review, although it's not strictly open source (because so much of its codebase came from TrueCrypt.) The tool is also under constant development, with regular security updates and an independent audit in the planning stages (according to the developers.)

Those of you who nominated VeraCrypt praised it for being an on-the-fly encryption tool, as in your files are only decrypted when they're needed and they're encrypted at rest at all other times, and most notably for being the spiritual (if not almost literal) successor to TrueCrypt. Many of you praised it for being a strong tool that's simple to use and to the point, even if it's lacking a good-looking interface or tons of bells and whistles. You also noted that VeraCrypt may not support TrueCrypt files and containers, but can convert them to its own format, which makes moving to it easy. You can read more in its nomination thread here.

AxCrypt (Windows)

AxCrypt is a free, open source, GNU GPL-licensed encryption tool for Windows that prides itself on being simple, efficient, and easy to use. It integrates nicely with the Windows shell, so you can right-click a file to encrypt it, or even configure 'timed,' executable encryptions, so the file is locked down for a specific period of time and will self-decrypt later, or when its intended recipient gets it. Files with AxCrypt can be decrypted on demand or kept decrypted while they're in use, and then automatically re-encrypted when they're modified or closed. It's fast, too, and allows you to select an entire folder or just a large group of files and encrypt them all with a single click. It's entirely a file encryption tool however, meaning creating encrypted volumes or drives is out of its capabilities. It supports 128-bit AES encryption only, offers protection against brute force cracking attempts, and is exceptionally lightweight (less than 1MB.)

Those of you who nominated AxCrypt noted that it's really easy to use and easy to integrate into your workflow, thanks to its shell support. If you're eager for more options, it also has a ton of command line options, so you can fire up the command prompt in Windows and perform more complex actions—or multiple actions at once. It may not support the strongest or most varied encryption methods available, but if you're looking to keep your data safe from most threats, it's a simple tool that adds a little security so that your data—like files stored in the cloud on Dropbox or iCloud, for example—are secure and convenient to access at the same time. You can read more in this nomination thread here and here.

BitLocker (Windows)

BitLocker is a full-disk encryption tool built in to Windows Vista and Windows 7 (Ultimate and Enterprise), and into Windows 8 (Pro and Enterprise), as well as Windows Server (2008 and later). It supports AES (128 and 256-bit) encryption, and while it's primarily used for whole-disk encryption, it also supports encrypting other volumes or a virtual drive that can be opened and accessed like any other drive on your computer. It supports multiple authentication mechanisms, including traditional password and PINs, a USB 'key,' and the more controversial Trusted Platform Module (TPM) technology (that uses hardware to integrate keys into devices) that makes encryption and decryption transparent to the user but also comes with a host of its own issues. Either way, BitLocker's integration with Windows (specifically Windows 8 Pro) makes it accessible to many people, and a viable disk encryption tool for individuals looking to protect their data if their laptop or hard drives are lost or stolen, in case their computers are compromised, or a business looking to secure data in the field.

Of course, it goes without saying that BitLocker was a contentious nomination. More than a few of you touted BitLocker's accessibility and ease of use, and many of you even praised its encryption for being strong and difficult to crack. Many of you noted that you switched to BitLocker after the developers of TrueCrypt suggested it. Others, however, brought up the assertion made from privacy advocates that BitLocker is compromised and has backdoors in place for government security agencies (from multiple countries) to decrypt your data. While Microsoft has officially said this isn't true and maintains there's no backdoor in BitLocker (while simultaneously maintaining the code as closed source—but available to review by its partners, which include those agencies), the assertion is enough to make more than a few of you shy away. You can read more about the criticism and controversy at the Wikipedia link above, or in the nomination thread here.

GNU Privacy Guard (Windows/OS X/Linux)

GNU Privacy Guard (GnuPG) is actually an open-source implementation of Pretty Good Privacy (PGP). While you can install the command line version on some operating systems, most people choose from the dozens of frontends and graphical interfaces for it, including the official releases that can encrypt everything from email to ordinary files to entire volumes. All GnuPG tools support multiple encryption types and ciphers, and generally are capable of encrypting individual files one at a time, disk images and volumes, or external drives and connected media. A few of you nominated specific GnuPG front-ends in various threads, like the Windows Gpg4Win, which uses Kleopatra as a certificate manager.

Those of you who nominated GnuPG praised it for being open-source and accessible through dozens of different clients and tools, all of which can offer file encryption as well as other forms of encryption, like robust email encryption for example. The key, however, is finding a front-end or a client that does what you need it to do and works well with your workflow. The screenshot above was taken using GPGTools, an all-in-one GnuPG solution that offers keychain management as well as file, email, and disk encryption for OS X. You can read more in its nomination thread here.

7-Zip (Windows/OS X/Linux)

7-Zip is actually a lightweight file archiver—and our favorite archive utility for Windows. Even though it's amazing at compressing and organizing files for easy storage or sending over the internet, it's also a strong file encryption tool, and is capable of turning individual files or entire volumes into encrypted volumes that only you have the keys to. It's completely free, even for commercial use, supports 256-bit AES encryption, and while the official download is Windows only, there are unofficial builds for Linux and OS X systems as well. Most of 7-Zip's code is GNU LGPL licensed and open to review. Compressed and encrypted .7z (or .zip, if you prefer) archives are easily portable and secure, and can be encrypted with passwords and turned into executables that will self-decrypt when they get to their intended recipient. 7-Zip also integrates with the shell of the operating system you're using, making it usually a click away from use. It's also a powerful command line utility.

Those of you who nominated it noted that it may not have the most robust user interface, but it gets the job done, and many of you have it installed anyway specifically for its robust file compression and decompression capabilities. You noted it's fast, flexible, free, and easy to use, and while it may not be the fastest file encryption tool (and it's not capable of whole volume or disk encryption), it gets the job done—especially for encrypting files you need to send to someone else and actually have them be able to access without jumping through too many hoops. Some of you noted that 7-Zip's encrypted volumes are flexible—perhaps too flexible, since new files added to an encrypted archive aren't encrypted (you'd have to extract them all and make a new archive for that), but it's otherwise a minor ding. You can read more in its nomination thread here.

Now that you've seen the top five, it's time to put them to an all-out vote to determine the community favorite.

Honorable Mentions

We have two honorable mentions this week. First and foremost is Disk Utility (OS X), which is bundled with OS X as a disk repair and management tool. Disk Utility can also encrypt drives and volumes, and since OS X can create a compressed volume just by right-clicking a file, series of files, or a folder and selecting 'Compress,' Disk Utility makes encrypting anything you want extremely easy. Plus, it's built in to OS X, so you don't need to install anything else. You can read more about it in its nomination thread here.

Second, we should tip our hats to the venerable old TrueCrypt, our old champion, which actually earned a number of nominations in the call for contenders thread. We covered the meltdown of TrueCrypt when it happened, with the developers abruptly abandoning the project claiming that it's no longer secure, in the middle of their independent security audit. The developers suggested switching to BitLocker, and pushed out a new version that's widely considered compromised. However, the older version, 7.1a, is still widely regarded as safe, even though development on it has been abandoned, and the tool has been left without security updates since then. Even so, security analysts are split on whether you should trust TrueCrypt or move on to another encryption utility. Many people stand by it even though it's a dead project, others have built their own projects on top of it (see VeraCrypt, mentioned earlier), and others keep using the last safe version. We can't recommend TrueCrypt anymore ourselves, but you can read more in its nomination thread here, and over at Steve Gibson's page dedicated to TrueCrypt here.

Have something to say about one of the contenders? Want to make the case for your personal favorite, even if it wasn't included in the list? Remember, the top five are based on your most popular nominations from the call for contenders thread from earlier in the week. Don't just complain about the top five, let us know what your preferred alternative is—and make your case for it—in the discussions below.

The Hive Five is based on reader nominations. As with most Hive Five posts, if your favorite was left out, it didn't get the nominations required in the call for contenders post to make the top five. We understand it's a bit of a popularity contest. Have a suggestion for the Hive Five? Send us an email at tips+hivefive@lifehacker.com!

Title photo by andrey_l (Shutterstock).