How to protect the privacy of your data using file encryption in Windows
John McAfee once said:
In this age of communications that span both distance and time, the only tool we have that approximates a 'whisper' is encryption. When I cannot whisper in my wife's ear or the ears of my business partners, and have to communicate electronically, then encryption is our tool to keep our secrets secret.
This article summarizes the various ways of ensuring data privacy with file encryption. These techniques should not be used for hacking or unauthorized access.
Years back, a friend of mine was working on an important but secret project. This project was the last hope for the company before it went bankrupt; it simply had to succeed, and its contents were not to be let out to the public. One fateful night, he was waylaid by armed robbers on his way back from work, and everything on him was stolen, including his work laptop. Yes, you read that right: the computer, which under normal circumstances should have been left at the office, was stolen. He was in a deep mess. He rushed to the police to report the theft, but they paid little attention to him. He came back home in tears, repeatedly saying, “I’m finished!!!”
A week later, the company went bankrupt, and his idea was released by another company. Apparently, his work laptop had somehow found its way to a staff member of that company; this is the only plausible explanation, because the ideas were a complete match. Imagine if he had encrypted the project folder on his laptop, or even his entire hard drive; the company might still be alive.
The word encryption is derived from the Greek word “kryptos”, meaning hidden or secret.
Of the three pillars of the security triad (Confidentiality, Integrity, and Availability), encryption helps ensure confidentiality.
Confidentiality is the property that your data is not seen or accessed by a third party without the express consent of the owner(s) of the data.
I conducted a survey of a group of students who use Windows to find out how they protect their data.
- 63% do nothing
- 29% depend on their Windows lock-screen password.
- And the remaining 8% hide their files.
None of them talked about encrypting files to keep them safe.
Eventually, everyone loses or discards an old PC or laptop. By encrypting the information on it, you render the files inaccessible to unauthorized users.
Microsoft NTFS includes the Encrypting File System (EFS), which is present in almost all versions of the Windows operating system except the Home editions.
EFS operates by encrypting a file or folder with a symmetric key called the File Encryption Key (FEK). The FEK is itself protected with the user's EFS certificate, which is why that certificate and its private key must be backed up: without them, the files cannot be decrypted.
It uses a symmetric algorithm because of the speed with which such algorithms encrypt and decrypt large amounts of data. The symmetric algorithm used depends on the version of the operating system: for example, Windows 2000 uses the Data Encryption Standard (DES), while Windows XP uses the Advanced Encryption Standard (AES). See the list of symmetric algorithms and the operating system versions that use them.
To encrypt a file or folder with EFS:
- Locate the file or folder you wish to encrypt and right-click it.
- Navigate to Properties.
- Navigate to Advanced properties, tick “Encrypt contents to secure data”, and press OK.
- You are prompted to encrypt either the file only or the file together with its parent folder.
- You are then advised to back up your file encryption certificate and key.
- After encryption, the file's icon shows a lock.
Only administrators have access to the encrypted file/folder. When other users attempt to view its contents, they are blocked with a pop-up message.
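The same EFS steps done from PowerShell with the built-in cipher.exe, followed by a verification pass and the certificate backup, as an added example that is not part of the original article; the folder and backup paths are placeholders.

```powershell
# Added example (not part of the original article): encrypt a folder with EFS
# using cipher.exe, verify the Encrypted attribute, and back up the certificate.
# The folder and backup paths below are placeholders.
param(
    [string]$Folder     = "$env:USERPROFILE\Documents\SecretProject",  # placeholder
    [string]$CertBackup = "$env:USERPROFILE\Desktop\efs-backup"        # placeholder; cipher.exe appends .pfx
)

if (-not (Test-Path -LiteralPath $Folder)) { throw "Folder not found: $Folder" }

# EFS only works on NTFS; on FAT/exFAT volumes cipher.exe cannot encrypt anything.
$root = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Folder).Path)
$fs   = (New-Object System.IO.DriveInfo($root)).DriveFormat
if ($fs -ne 'NTFS') { throw "$root is $fs, not NTFS; EFS cannot encrypt it." }

# Equivalent of ticking "Encrypt contents to secure data" on the folder and
# applying it to the folder, its subfolders and its files.
cipher.exe /e /s:"$Folder" | Out-Null

# Verify: every item in the tree should now carry the Encrypted attribute.
$items = @(Get-ChildItem -LiteralPath $Folder -Recurse -Force)
$plain = @($items | Where-Object {
    -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) })
if ($plain.Count -gt 0) {
    Write-Warning "$($plain.Count) item(s) were not encrypted (locked or system files?):"
    $plain | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "All $($items.Count) items under $Folder are EFS-encrypted."
}

# Show which user certificates can decrypt each file: the lock icon only tells
# you that a file is encrypted, not who can open it.
cipher.exe /c "$Folder"

# Back up the EFS certificate and private key as a password-protected .pfx.
# Without this backup the files are unrecoverable if the user profile is lost
# or Windows is reinstalled. cipher.exe prompts for the .pfx password.
cipher.exe /x "$CertBackup"
```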
To password-protect a Word document:
- Open the Word document you want to encrypt.
- Navigate to the File button in the top left corner.
- Click on Info and navigate to Protect Document.
- Click on Protect Document and select an option from the drop-down menu that appears.
- Click on Encrypt with Password, and remember to use a strong password. You are asked to re-enter the password. Then press OK.
- From then on, whenever you open the Word document, you are asked for the password you used to encrypt it.
In full disk encryption (FDE), the entire disk is encrypted. It also uses a symmetric encryption algorithm, with the same key used to encrypt and decrypt.
This is by far the best type of encryption: if at any point the disk or drive is stolen or misplaced, it cannot be used on another device unless the secret key is known.
A Trusted Platform Module (TPM) is a hardware chip embedded in a computer's motherboard. Once enabled, it supports full disk encryption by storing the cryptographic keys used for it. If the system does not include a TPM, it is impossible to add one. There are various tools used to perform full disk encryption.
The most common ones are:
- Microsoft BitLocker
- VeraCrypt
BitLocker is a full disk encryption feature included in the Windows operating system.
It is embedded within the Ultimate and Enterprise editions of Windows Vista and Windows 7, the Pro and Enterprise editions of both Windows 8 versions, Windows Server 2008, and the Education, Pro, and Enterprise editions of Windows 10.
BitLocker is not open-source software. By default, BitLocker uses the Advanced Encryption Standard (AES), a symmetric algorithm, in Cipher Block Chaining (CBC) mode with a 128-bit or 256-bit key.
First of all, you need to check whether the system's motherboard has an embedded Trusted Platform Module (TPM).
Step 1: Right-click the Start button on the taskbar and select Device Manager from the pop-up menu.
Step 2: Expand Security devices and confirm that the Trusted Platform Module is listed and enabled on your system, together with its version number. Note: the TPM must be version 1.2 or later to support BitLocker.
To activate BitLocker on the system drive, follow these steps carefully:
Step 1: Open File Explorer and locate “This PC”.
Step 2: Right-click the drive you intend to encrypt.
Step 3: From the context menu, select Turn on BitLocker. Note: BitLocker can only be turned on from an administrator account.
Step 4: You are prompted to choose how you intend to unlock the encrypted drive:
- Using a password (pick a strong one)
- Or using a smart card.
Step 5: Click Next. You are then prompted to save your recovery key:
- It can be saved to your Microsoft account
- Or to a flash drive
- Or to a file
- Or, lastly, you can print out your recovery key.
Step 6: You are asked how much of the drive to encrypt: either the used space only or the entire drive, each with its own advantages. Then click Next.
Step 7: Choose which encryption mode to use. Note: Windows 10 (version 1511) introduced a new disk encryption mode, XTS-AES. This mode provides extra integrity support but is not available on older versions of Windows. If the drive is a fixed drive, or will only be used on Windows 10 version 1511 or later, the new mode can be used. If the drive will be used on an older version of Windows, choose the Compatible mode instead.
Step 8: Start encrypting. The time taken depends on the size of the drive.
Step 9: The selected drive is now encrypted. To view its contents, you have to unlock the drive with the password you used when encrypting it.
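The TPM check and the BitLocker steps above, run from an elevated PowerShell session on Windows 10 (version 1511 or later), as an added example that is not part of the original article; the drive letter and the recovery-key folder are placeholders, and the folder is assumed to be on a separate, unencrypted drive such as a USB stick.

```powershell
# Added example (not part of the original article): check the TPM, save a
# recovery password to a file, then enable BitLocker with XTS-AES-256.
# $Drive and $RecoveryDir are placeholders; $RecoveryDir must not be on $Drive.
param(
    [string]$Drive       = 'C:',                    # placeholder
    [string]$RecoveryDir = 'E:\BitLockerRecovery'   # placeholder
)

# Device Manager steps 1-2: a TPM must be present, ready, and version 1.2 or later.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No usable TPM (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady))."
}
# Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16"; the first field is the TPM version.
$spec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm).SpecVersion
$tpmVersion = [version](($spec -split ',')[0].Trim())
if ($tpmVersion -lt [version]'1.2') { throw "TPM $tpmVersion is too old for BitLocker." }

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$Drive is already protected ($($vol.EncryptionMethod))."; return
}

# Step 5 first: create the recovery password and save it to a file before any
# encryption starts, so a failed TPM unlock can never lock you out.
$vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
$keyFile = Join-Path $RecoveryDir ("BitLocker-" + $rp.KeyProtectorId.Trim('{}') + ".txt")
@(
    "Drive:             $Drive",
    "Key protector ID:  $($rp.KeyProtectorId)",
    "Recovery password: $($rp.RecoveryPassword)"
) | Set-Content -LiteralPath $keyFile
Write-Host "Recovery password saved to $keyFile. Keep it off the encrypted drive."

# Steps 3-8: unlock with the TPM (no prompt at boot), encrypt used space only,
# and use XTS-AES-256. Choose Aes256 (the CBC "Compatible" mode) only for a drive
# that must also be opened on Windows older than 10 version 1511.
# -SkipHardwareTest starts encrypting now instead of after a test reboot.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
                 -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# Steps 8-9: encryption runs in the background; the drive stays usable meanwhile.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
```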
VeraCrypt is a third-party encryption utility that also performs full disk encryption.
It was forked from the discontinued encryption utility TrueCrypt, which had vulnerabilities embedded within it.
VeraCrypt was released on June 22nd, 2013, and is written in three languages: C, C++, and Assembly. VeraCrypt can be used on all versions of Windows from XP to the present, and on Windows Server 2003 through 2012.
The steps involved in using VeraCrypt on Windows are as follows:
Step 1: Download VeraCrypt, run the installer, and click the “Install” option, keeping all default settings.
Step 2: After VeraCrypt is installed, launch the software.
Step 3: Navigate to the System menu, then click Encrypt System Partition/Drive.
Step 4: You are asked whether you want normal or hidden encryption.
- The Normal option encrypts the system partition or drive in the standard manner. When you boot your computer, you are prompted for your encryption password; without it, no one can access your files.
- The Hidden option installs an operating system inside a hidden VeraCrypt volume.
You then have both the hidden operating system, which is the real one, and a fake/decoy operating system. When you start the computer, you enter the real password to boot the hidden operating system or the decoy password to boot the decoy operating system.
If you are ever under duress and asked to provide access to your encrypted drive, you can give up access to the decoy OS instead. This provides plausible deniability.
Step 5: You are then prompted to encrypt either the Windows partition or the entire drive. VeraCrypt then asks how many operating systems are currently installed on your system.
Step 6: You are then asked to pick the encryption algorithm. You can stick with the default AES encryption and the SHA-256 hash algorithm.
Step 7: You are then asked to enter a password. Note: it is essential to use a strong password or passphrase.
Step 8: VeraCrypt prompts you to move your mouse around the window at random. It uses these random movements to strengthen your encryption keys. When the meter is full, press the “Next” button.
Step 9: You must create a rescue disk image before you can continue.
Step 10: VeraCrypt now checks that everything works correctly before encrypting your drive. When you press the “Test” button, VeraCrypt installs the VeraCrypt bootloader on your computer and restarts it. When it boots, you are prompted to enter your encryption password.
Step 11: Sign in to your PC; you should then see a “Pretest Completed” window. Click the Encrypt button.
Ensuring data privacy should be treated with the utmost importance. This article has presented means and techniques for securing the confidentiality of your data on the Windows operating system through file, folder, or drive encryption.
Please use the information and guidelines in this article to help protect yourself, your family, and your friends.
If you are interested in knowing more about file encryption or have questions to ask, please let me know by leaving a comment below.