Editor’s Note: Guest author Heinrich Long is a writer at Restore Privacy, a blog dedicated to inform about best online privacy practices, secure your electronic devices, unblock restricted content and defeat censorship. As a Windows 10 user, you have numerous options for encrypting information. In this guide we will show you ways to encrypt individual files, file folders, and even entire disk drives. Each approach has its own benefits and drawbacks, so we’ll cover those, too. That way, you’ll have a better sense of which type of encryption you will need for various situations. Before we go further, here are a couple of points to keep in mind:
With Windows 7 now unsupported, and Windows 8 best forgotten as fast as possible, this guide deals only with the Windows 10 operating system. If you are encrypting a file to share with someone else and need to give them the password, you should not send them that password using the same method that you send them the file. For example, if you plan to email them the file, it would be a big security risk to also email them the password. Ideally give them the password over the telephone, a secure messaging app like Signal or Wickr Me. At the very least send it via a different email service than the one you will use for the file.
Now let’s talk about when to use the three types of encryption that you can use:
Individual file encryption Folder encryption Hard drive / Disk encryption
Individual file encryption
As the name implies, individual file encryption refers to encrypting one file at a time. Each file has its own password or key. Individual file encryption is great for files you plan to share or store in the cloud. Windows 10 users can encrypt individual files using a tool like 7-zip. You can also encrypt individual Microsoft Office files from within their apps, although this is better suited to casual person use than protection against serious adversaries.
Folder encryption
Next up is folder level encryption. This approach involves encrypting everything that is stored in a folder. Passwords or keys are assigned to the folder, not individual files. Folder encryption is a great organizational tool. For example, you could create a different encrypted folder for each member of your family. Give Sally only the password for her folder, and Jimmy only the password for his, and each can have their own private space on the same device. Note that storing a file in an encrypted folder doesn’t prevent you from also encrypting files individually.
Hard drive / Disk encryption
Hard drive or disk encryption protects the entire drive at once. To use a device with an encrypted hard drive you would need to enter the password or key when you logged on, or nothing on the disk would be accessible. This kind of encryption is a good first line of defense in case of theft. If someone stole your laptop, or ripped the drives out of one of your servers, they would need to defeat the hard drive encryption to get any data at all. You can still apply folder level encryption and individual file encryption to an encrypted disk.
Password management and file encryption
Before we dive into the details of file encryption, we need to make an important note on passwords. You need to be using a good password manager, along with good password hygiene. Why is that? Well, if you lose or forget the password for accessing your encrypted files, then they’ll probably be gone for good. A good password manager is critical. We’ve reviewed many options, including 1Password, LastPass, and many more. See our guide on the best password managers for the top recommendations and step-by-step information for good password management. Now that we’ve hit the basics, it is time for some specifics. Let’s start with…
How to encrypt files and folders on Windows 10
Your options for encrypting files and folders on Windows 10 devices depend on which version of Windows 10 you have. Windows 10 Pro and Enterprise users have a built-in encryption tool called the Encrypting File System (EFS). Any Windows 10 user, including those with the Home edition, can also use third-party apps such as 7-zip for file and folder encryption. Beyond these options, Microsoft Office apps have a basic file locking / encryption feature built in, as does Adobe Acrobat. We’ll round out our coverage of Windows 10 encryption by taking a look at these.
How to encrypt files and folders with the Encrypting File System (EFS)
The Encrypting File System (EFS) is built into the Professional and Enterprise versions of Windows 10. It is treated as an Advanced feature of the Windows File Explorer. This makes a lot of sense, since used carelessly, EFS can leave you with files you can never access again. EFS does all its encryption work in the background, including automatically creating a File Encryption Key (FEK), and encrypting that key so only the account that encrypted the file can decrypt it. All this happens automatically and transparently. Aside from a lock symbol that appears in the File Explorer next to a file or folder that is encrypted, there is no easy way to tell that a file or folder is encrypted with EFS. Unfortunately, EFS has some quirks that make it a less than ideal choice for many uses. Knowing what these are will help you decide whether EFS is the answer to your Windows 10 file encryption needs:
EFS only works on drives formatted with NTFS. If you move an EFS-encrypted file to a disk formatted with FAT32 or exFAT, it becomes decrypted. If you move an EFS-encrypted file across a network, or send it with an email message, it becomes decrypted.
If these quirks haven’t scared you away, here’s how to encrypt files and folders with EFS:
That is all you need to do, from now on, the encrypted file or folder will appear encrypted to anyone other than the user account that encrypted the item in the first place.
How to encrypt files and folders with 7-zip
7-zip is a freeware file compression program that can also encrypt files and folders using AES-256 encryption, which is the industry standard for most encrypted systems. If you plan to use 7-zip to encrypt files or folders you should know that the process creates an encrypted copy of the file or folder. The original, unencrypted file or folder is unchanged. If you are creating the encrypted item because you plan to send it somewhere, or store it in the cloud or something like that, this is fine. But if your goal is to protect the files and folders on your own device, this isn’t ideal. In the rest of this section, we’ll first look at how to encrypt files and folders with 7-zip. After that we’ll talk about what else you need to do if your goal is to protect the files and folders on your own device. The following instructions assume you already have 7-zip installed on your system. If not, you can download it here.
How to encrypt Windows 10 files and folders using 7-zip
What to do after you encrypt something with 7-zip
The result of encrypting something with 7-zip the way we did here is a zipped archive that is AES-256 encrypted. This archive appears in the same folder as the file or folder that you encrypted, alongside the original file or folder. What this means to you depends on what you plan to do with the encrypted file or folder. If you created the archive to share copies of the file or folder, this is fine. Just send the archive to the recipient. Assuming they have 7-zip or a similar program on their system (and you securely conveyed the password to them somehow), they will be able to unzip the archive, then double-click the file to enter the password in a dialog box like this one:
Once they do that, the operating system should open the file in whatever app is appropriate, and the recipient can view it, or save it, or do whatever is necessary with it. Note that they will still have the encrypted files on their system as well. If you created the archive to protect the files or folders on your system, you should skip down to the section titled, “Eliminate any possible unencrypted copies of the file” once you are done encrypting files and follow the instructions there to make sure no unencrypted copies of things are lying around where some snoop can find them.
How to encrypt Microsoft Office files on Windows 10
Some applications now have options to encrypt the types of files they themselves use. For example, Microsoft Word can encrypt Word files, and Adobe Acrobat can encrypt PDF files. We’ll demonstrate this below.
How to encrypt files using Microsoft Office on Windows
Let’s use Microsoft Word to show how it is done by encrypting a simple Word document.
From now on, the only way to view this document will be by entering the password when prompted from within a Microsoft Office application that supports the unencrypted file type. But please see the next section to eliminate any possible unencrypted copies of the file on your computer.
Eliminate any possible unencrypted copies of the file
If you use 7-zip or Microsoft Office to encrypt files, it is likely that Windows 10 still has one or more temporary copies of the unencrypted files stashed on the disk. To be safe, you will want to delete all temporary files once you are done encrypting things.
How to delete any possible unencrypted copies of the file
How to encrypt hard drives on Windows 10
When it comes to disk encryption on Windows 10, BitLocker Device Encryption is the tool that Microsoft provides. Built into Windows 10 Pro and Enterprise, BitLocker Device Encryption does exactly what it sounds like - it encrypts all the storage devices in your system. This sounds ideal, but there are some drawbacks to using BitLocker.
If BitLocker Device Encryption wasn’t preinstalled and configured on your computer, it can be a real headache to install and configure. Check out this Overview of BitLocker Device Encryption posted on Microsoft.com. BitLocker has different capabilities depending on what hardware your computer has built onto its motherboard. As mentioned earlier, BitLocker only works on Windows 10 Professional and Enterprise systems.
Happily for us, there is a great alternative available. Called VeraCrypt, it addresses all of the drawbacks we just saw:
VeraCrypt is significantly easier to install than BitLocker. VeraCrypt is not dependent on special hardware built into your computer. VeraCrypt works on every version of Windows 10, not just Pro and Enterprise.
VeraCrypt is Free, Open Source Software (FOSS), which we really like. Without getting into the OpenSource vs Proprietary software argument that plagues the computer world, from our perspective, FOSS software is generally considered more secure, and of course is free to use. Once VeraCrypt is installed, all you need to do is enter your VeraCrypt password whenever you start the computer. Given all that, you know where we’re going with this. In the following section we’ll walk you through installing VeraCrypt on one of our lab machines. Ready?
How to install VeraCrypt for Windows 10 hard drive / disk encryption
While installing VeraCrypt is much simpler than the alternative, there is more to it than just launching an installer and pressing Okay a few times. And if you mess up, there is a chance you will lose files or even access to the entire disk drive. We suggest you read through the instructions that follow before starting the process. If you are not confident you can complete the steps shown, or if you have a bad habit of losing important passwords, it is better to skip this type of encryption.
Installing VeraCrypt
Here are the steps to install VeraCrypt on Windows 10:
What We Learned
Encrypting important information is one of the best things you can do to protect yourself from everyone who is trying so hard to get their hands on your personal information. In this guide we covered techniques that Windows 10 users can use to encrypt individual files, folders, and entire drives on their Windows systems. While no one can guarantee that your data will be 100% safe against any and all attacks, the simple act of encrypting your most important data can make a big difference. Masthead credit: eamesBot