Keeping your personal data safe doesn’t have to be difficult—as long as you keep the sensitive stuff encrypted and under your control. That’s why this week we’re looking at the five best file encryption tools you can use to encrypt your data locally so only you have the key.
Earlier in the week we asked you for your favorite file encryption tools, and you gave us tons of great nominations, but as always, we only have room for the top five.
For the purposes of our roundup, we’re focusing on desktop file encryption tools – the ones you use on your own computer to encrypt your own private data, not cloud services that promise to encrypt your data, or business services that say they offer encryption. The goal here is to find the best tools you can use to lock down your sensitive files—whether they’re photos, financial documents, personal backups, or anything else—and keep them locked down so only you have the key. For those unfamiliar with the topic, we have a great guide on how encryption works, and how you can use it to keep your own data safe.
With that out of the way, here are your top five, in no particular order:
VeraCrypt (Windows/OS X/Linux)
VeraCrypt is a fork of and a successor to TrueCrypt, which ceased development last year (more on them later.) The development team claims they’ve addressed some of the issues that were raised during TrueCrypt’s initial security audit, and like the original, it’s free, with versions available for Windows, OS X, and Linux. If you’re looking for a file encryption tool that works like and reminds you of TrueCrypt but isn’t exactly TrueCrypt, this is it. VeraCrypt supports AES (the most commonly used), TwoFish, and Serpent encryption ciphers, supports the creation of hidden, encrypted volumes within other volumes. Its code is available to review, although it’s not strictly open source (because so much of its codebase came from TrueCrypt.) The tool is also under constant development, with regular security updates and an independent audit in the planning stages (according to the developers.)
Those of you who nominated VeraCrypt praised it for being an on-the-fly encryption tool, as in your files are only decrypted when they’re needed and they’re encrypted at rest at all other times, and most notably for being the spiritual (if not almost literal) successor to TrueCrypt. Many of you praised them for being a strong tool that’s simple to use and to the point, even if it’s lacking a good-looking interface or tons of bells and whistles. You also noted that VeraCrypt may not support TrueCrypt files and containers, but can convert them to its own format, which makes moving to it easy. You can read more in its nomination thread here.
AxCrypt is a free, open source, GNU GPL-licensed encryption tool for Windows that prides itself on being simple, efficient, and easy to use. It integrates nicely with the Windows shell, so you can right-click a file to encrypt it, or even configure "timed," executable encryptions, so the file is locked down for a specific period of time and will self-decrypt later, or when its intended recipient gets it. Files with AxCrypt can be decrypted on demand or kept decrypted while they’re in use, and then automatically re-encrypted when they’re modified or closed. It’s fast, too, and allows you to select an entire folder or just a large group of files and encrypt them all with a single click. It’s entirely a file encryption tool however, meaning creating encrypted volumes or drives is out of its capabilities. It supports 128-bit AES encryption only, offers protection against brute force cracking attempts, and is exceptionally lightweight (less than 1MB.)
Those of you who nominated AxCrypt noted that it’s really easy to use and easy to integrate into your workflow, thanks to its shell support. If you’re eager for more options, it also has a ton of command line options, so you can fire up the command prompt in Windows and perform more complex actions—or multiple actions at once. It may not support the strongest or most varied encryption methods available, but if you’re looking to keep your data safe from most threats, it’s a simple tool that can lend a little security that your data—like files stored in the cloud on Dropbox or iCloud, for example—are secure and convenient to access at the same time. You can read more in this nomination thread here and here.
BitLocker is a full-disk encryption tool built in to Windows Vista and Windows 7 (Ultimate and Enterprise), and into Windows 8 (Pro and Enterprise), as well as Windows Server (2008 and later). It supports AES (128 and 256-bit) encryption, and while it’s primarily used for whole-disk encryption, it also supports encrypting other volumes or a virtual drive that can be opened and accessed like any other drive on your computer. It supports multiple authentication mechanisms, including traditional password and PINs, a USB "key," and the more controversial Trusted Platform Module (TPM) technology (that uses hardware to integrate keys into devices) that makes encryption and decryption transparent to the user but also comes with a host of its own issues. Either way, BitLocker’s integration with Windows (specifically Windows 8 Pro) makes it accessible to many people, and a viable disk encryption tool for individuals looking to protect their data if their laptop or hard drives are lost or stolen, in case their computers are compromised, or a business looking to secure data in the field.
Of course, it goes without saying that BitLocker was a contentious nomination. More than a few of you touted BitLocker’s accessibility and ease of use, and many of you even praised its encryption for being strong and difficult to crack. Many of you noted that you switched to BitLocker after the developers of TrueCrypt suggested it. Others, however, brought up the assertion made from privacy advocates that BitLocker is compromised and has backdoors in place for government security agencies (from multiple countries) to decrypt your data. While Microsoft has officially said this isn’t true and maintains there’s no backdoor in BitLocker (while simultaneously maintaining the code as closed source—but available to review by its partners, which include those agencies), the assertion is enough to make more than a few of you shy away. You can read more about the criticism and controversy at the Wikipedia link above, or in the nomination thread here.
GNU Privacy Guard (Windows/OS X/Linux)
GNU Privacy Guard (GnuPG) is actually an open-source implementation of Pretty Good Privacy (PGP). While you can install the command line version on some operating systems, most people choose from the dozens of frontends and graphical interfaces for it, including the official releases that can encrypt everything from email to ordinary files to entire volumes. All GnuPG tools support multiple encryption types and ciphers, and generally are capable of encrypting individual files one at a time, disk images and volumes, or external drives and connected media. A few of you nominated specific GnuPG front-ends in various threads, like the Windows Gpg4Win, which uses Kleopatra as a certificate manager.
Those of you who nominated GnuPG praised it for being open-source and accessible through dozens of different clients and tools, all of which can offer file encryption as well as other forms of encryption, like robust email encryption for example. The key, however, is finding a front-end or a client that does what you need it to do and works well with your workflow. The screenshot above was taken using GPGTools, an all-in-one GnuPG solution that offers keychain management as well as file, email, and disk encryption for OS X. You can read more in its nomination thread here.
7-Zip (Windows/OS X/Linux)
7-Zip is actually a lightweight file archiver—and our favorite archive utility for Windows. Even though it’s amazing at compressing and organizing files for easy storage or sending over the internet, it’s also a strong file encryption tool, and is capable of turning individual files or entire volumes into encrypted volumes that only your have the keys to. It’s completely free, even for commercial use, supports 256-bit AES encryption, and while the official download is Windows only, there are unofficial builds for Linux and OS X systems as well. Most of 7-Zip’s code is GNU LGPL licensed and open to review. Compressed and encrypted .7z (or .zip, if you prefer) archives are easily portable and secure, and can be encrypted with passwords and turned into executables that will self-decrypt when they get to their intended recipient. 7-Zip also integrates with the shell of the operating system you’re using, making it usually a click away from use. It’s also a powerful command line utility.
Those of you who nominated it noted that it may not have the most robust user interface, but it gets the job done, and many of you have it installed anyway specifically for its robust file compression and decompression capabilities. You noted it’s fast, flexible, free, and easy to use, and while it may not be the fastest file encryption tool (and it’s not capable of whole volume or disk encryption), it gets the job done—especially for encrypting files you need to send to someone else and actually have them be able to access without jumping through too many hoops. Some of you noted that 7-Zip’s encrypted volumes are flexible—perhaps too flexible, since new files added to an encrypted archive aren’t encrypted (you’d have to extract them all and make a new archive for that), but it’s otherwise a minor ding. You can read more in its nomination thread here.
Now that you’ve seen the top five, it’s time to put them to an all-out vote to determine the community favorite.
We have two honorable mentions this week. First and foremost is Disk Utility (OS X), which is bundled with OS X as a disk repair and management tool. Disk Utility can also encrypt drives and volumes, and since OS X can create a compressed volume just by right-clicking a file, series of files, or a folder and selecting "Compress," Disk Utility makes encrypting anything you want extremely easy. Plus, it’s built in to OS X, so you don’t need to install anything else. You can read more about it in its nomination thread here.
Second, we should tip our hats to the venerable old TrueCrypt, our old champion, which actually earned a number of nominations in the call for contenders thread. We covered the meltdown of TrueCrypt when it happened, with the developers abruptly abandoning the project claiming that it’s no longer secure, in the middle of their independent security audit. The developers suggested switching to BitLocker, and pushed out a new version that’s widely considered compromised. However, the older version, 7.1a, is still widely regarded as safe, even though development on it has been abandoned, and the tool has been left without security updates since then. Even so, security analysts split on whether you should trust TrueCrypt or move on to another encryption utility. Many people stand by it even though it’s a dead project, others have built their own projects on top of it (see VeraCrypt, mentioned earlier), and others keep using the last safe version. We can’t recommend TrueCrypt anymore ourselves, but you can read more in its nomination thread here, and over at Steve Gibson’s page dedicated to TrueCrypt here.
Have something to say about one of the contenders? Want to make the case for your personal favorite, even if it wasn’t included in the list? Remember, the top five are based on your most popular nominations from the call for contenders thread from earlier in the week. Don’t just complain about the top five, let us know what your preferred alternative is—and make your case for it—in the discussions below.
The Hive Five is based on reader nominations. As with most Hive Five posts, if your favorite was left out, it didn’t get the nominations required in the call for contenders post to make the top five. We understand it’s a bit of a popularity contest. Have a suggestion for the Hive Five? Send us an email at firstname.lastname@example.org!
Title photo by andrey_l (Shutterstock).