Protect the sensitive files on your computer

Updated21/05/2021

Table of Contents

...Loading Table of Contents...

    Intruders may be able to read or modify your data over the Internet, remotely. If they manage to get hold of your device, they may be able to read or modify your data in person. It is always best to have several layers of defense against these possibilities. Encrypting files saved on your machine is one important form of protection.

    Encryption is a way for software to scramble your information using advanced mathematics, leaving you and only you with the key to unscramble it (in the form of a password or encryption key). So encrypting your device is like keeping your information in a locked safe with a combination that only you know.

    Take the following steps to protect data stored on your devices.

    Consider deleting old data instead of storing it

    Why? Storing confidential data can be a risk for you and for the people you work with. _Encryption reduces this risk but does not eliminate it. The first step to protecting sensitive information is to reduce how much of it you keep around. Unless you have a good reason to store a particular file, or a particular category of information within a file, you should simply delete it (see How to destroy sensitive information for more information about how to do this securely)._

    Consider encrypting some of your files

    Why? You might find it useful to leave non-sensitive files on your device un-encrypted, so that if your device is searched, your device does not look suspicious because it contains ordinary, everyday files and communications. In this case, encrypt only some of your files.

    Linux, Mac, and Windows

    Consider whether encryption is illegal or suspicious in your jurisdiction

    Why? Encryption is illegal in some countries. If it is illegal in your country, downloading, installing or using encryption software might be considered a crime. Police, military, or intelligence services might use your use of encryption software as a pretext to investigate your activities or persecute your organization. Regardless of what is actually inside your encrypted_ volumes, or regardless of whether or not is legal in your area, they might cast suspicion on you for using encryption. So investigate how law enforcement has treated encryption in your area, and think carefully about whether tools whose sole purpose is encrypting your data are appropriate for your situation.

    If encryption is illegal in your region, consider these alternatives:

    Store only non-sensitive information

    Use steganography

    • Steganography is any method of disguising sensitive information so that it appears to be something else, in order to avoid drawing unwanted attention. There are tools to help with this, but using them properly requires very careful preparation, and you still risk incriminating yourself in the eyes of anyone who learns what tool you have used.

      Use a system of code words

    • This is a form of steganography. Store your files normally, but use code words to label sensitive names, locations, activities, etc.

      Store to an encrypted removable drive

    • You can keep sensitive information off of your computer by storing it on a USB memory stick or portable hard drive. However, such devices are typically even more vulnerable than computers to loss and confiscation, so carrying around sensitive, unencrypted information on them is usually a bad idea.

      Store to an encrypted cloud account

    • Consider whether making use of an encrypted cloud service account, such as Tresorit, would be wise given the threats you face. While these services protect your data using encryption, and store your data in on servers that might be harder for your adversary to get to, if they do have access to those servers, they will have more time to try to break in to your data, and will be able to do it without you detecting the break in.

    Consider encrypting your whole device

    Why? If your device is lost, stolen, or seized by people who want to look at your files and communications, you will need protection to stop them. Encrypting your whole device protects it.

    Decide whether to use VeraCrypt or something built in to encrypt your whole device

    Why? On desktops and laptops, you have options. Consider whether your device's built-in disk encryption is enough protection, or whether an additional solution, VeraCrypt, would offer better protection.

    All devices

    • Be aware that disk encryption only works if your device is powered all the way off. If it is on, and all you need to do is enter a password to get to your files and communications, someone who takes your device may find it easy to get in.

    Android

    iOS

    Consider whether to make a hidden volume

    Why? When you encrypt your information, nobody else may be able to read it, but someone might still be able to see that the encrypted data is there, and that you have taken steps to protect it. That adversary might then try to intimidate, blackmail, interrogate, or torture you to get you to unlock that encryption.

    VeraCrypt gives you the opportunity to avoid this risk by making a "hidden volume." You open VeraCrypt's hidden volume by providing a different password from the one you normally use. Even if a technically sophisticated intruder gains access to your "unhidden" encrypted files, they will be unable to prove hidden ones exist.

    VeraCrypt disguises your encrypted information as other, less sensitive, hidden data (like music files or ordinary documents), so it does not look unusual. It is generally considered impossible to tell from analysis whether or not an encrypted volume contains a hidden volume. So if an intruder steals your key, takes you to court, or intimidates you into giving up your password, they will find convincing 'decoy' material, but not the information you are protecting.

    This is like having a locked safe with a "false bottom:" only you know that your safe has a hidden compartment. This allows you to deny that you are keeping any secrets beyond what you already gave your adversary, and might help protect you in situations where you must reveal a password. This gives you a chance to escape a potentially dangerous situation. Know, however, that this is less useful if just being caught with a safe in your office might arouse suspicion.

    Be warned your adversary might know VeraCrypt can hide information in this way; there is no guarantee they will give up if you reveal your decoy password. But plenty of people use VeraCrypt without hidden volumes.

    You must also make sure you do not accidentally reveal your hidden volume by leaving it open or allowing other applications to create shortcuts to the files that it contains.

    Protect your encrypted drive

    Why? Following the "locked safe" metaphor, no matter how sturdy your safe is, it won't do you a whole lot of good if you leave the door open. Follow these steps to protect your encrypted drive.

    Unmount

    • When your VeraCrypt volume is 'mounted'--in other words, whenever you can access the contents yourself-- your data may be vulnerable. Keep it unmounted when you are not actively reading or modifying the files inside it.
    • If you keep an encrypted volume on a USB memory stick, remember that just removing the USB stick may not immediately disconnect the volume. You need to "unmount" the drive first, then disconnect the external drive or memory stick, then remove the device. Practice this until you can do it easily, so you will be ready in case of a raid or other emergency.

      Disconnect the drive:

    • .. when you walk away from your device for any length of time. This ensures you do not leave your sensitive files accessible to physical or remote intruders while you are gone.
    • ... when you put your computer to sleep (also known as "suspend" or "hibernate"), either by selecting that option or by closing a laptop.
    • ... before allowing someone else to handle your computer. When taking a laptop through a security checkpoint or border crossing, it is important that you disconnect all encrypted volumes and shut your computer down completely.
    • ... before inserting an untrusted USB memory stick or other external storage device, including those belonging to friends and colleagues.

      Don’t access your encrypted drive on a device you don’t trust

    • An adversary may have installed malware to snoop on a device that is not in your control, like a computer at a net cafe. They might use this to steal your passwords and get access to your encrypted drive or other sensitive material on your device.

    Use trusted dealers and repair shops

    Why? When you get a pre-owned device, or send your device to be repaired, it offers adversaries an opportunity to look at your files. Pre-owned phones may unfortunately carry malware or spyware, so if possible, it might be better to buy a new device. Repair shops have also sometimes been known to spy on devices or sell their data. Be sure to choose a repair shop you trust.

    • If you buy a pre-owned device, have someone you trust wipe it clean and check it for malware.
    • If you think someone might have the access, resources, or motivation to target you by pre-installing malware on your device before you buy it, consider choosing an authorised phone dealer at random.