Protect the sensitive files on your device

Updated 21/05/2021

    Intruders may be able to read or modify your data over the Internet, remotely. If they manage to get hold of your device, they may be able to read or modify your data in person. It is always best to have several layers of defense against these possibilities. Encrypting files saved on your machine is one important form of protection.

    Encryption is a way for software to scramble your information using advanced mathematics, leaving you and only you with the key to unscramble it (in the form of a password or encryption key). So encrypting your device is like keeping your information in a locked safe with a combination that only you know.

    Take the following steps to protect data stored on your devices.

    Consider deleting old data instead of storing it

    Learn why we recommend this

    Storing confidential data can be a risk for you and for the people you work with. Encryption reduces this risk but does not eliminate it. The first step to protecting sensitive information is to reduce how much of it you keep around. Unless you have a good reason to store a particular file, or a particular category of information within a file, you should simply delete it (see How to destroy sensitive information for more information about how to do this securely).

    Consider whether encryption is illegal or suspicious in your jurisdiction

    Learn why we recommend this

    Encryption is illegal in some countries. If it is illegal in your country, downloading, installing or using encryption software might be considered a crime. Police, military, or intelligence services might treat your use of encryption software as a pretext to investigate your activities or persecute your organization. Regardless of what is actually inside your encrypted volumes, and regardless of whether or not encryption is legal in your area, they might cast suspicion on you for using it. So investigate how law enforcement has treated encryption in your area, and think carefully about whether tools whose sole purpose is encrypting your data are appropriate for your situation.

    If encryption is illegal in your region, consider these alternatives:

    Store only non-sensitive information

    Use steganography

    • Steganography is any method of disguising sensitive information so that it appears to be something else, in order to avoid drawing unwanted attention. There are tools to help with this, but using them properly requires very careful preparation, and you still risk incriminating yourself in the eyes of anyone who learns what tool you have used.

    Use a system of code words

    • This is a form of steganography. Store your files normally, but use code words to label sensitive names, locations, activities, etc.

    Store to an encrypted removable drive

    • You can keep sensitive information off of your computer by storing it on a USB memory stick or portable hard drive. However, such devices are typically even more vulnerable than computers to loss and confiscation, so carrying around sensitive, unencrypted information on them is usually a bad idea.

    Store to an encrypted cloud account

    • Consider whether making use of an encrypted cloud service account, such as Tresorit, would be wise given the threats you face. These services protect your data using encryption, and store it on servers that might be harder for your adversary to get to. But if your adversary does have access to those servers, they will have more time to try to break into your data, and will be able to do it without you detecting the break-in.

    Consider encrypting your whole device

    • Be aware that disk encryption only works if your device is powered all the way off. If it is on, and all you need to do is enter a password to get to your files and communications, someone who takes your device may find it easy to get in.

    Android

    iOS

    Linux

    • To encrypt using the OS's built-in system:
      • You can only configure full-disk encryption when you are installing Ubuntu on your laptop for the first time, so you may need to re-install. Before you do so:
      • Back up all of your data. Once Ubuntu is installed, it will replace all data stored on your previous operating system.
      • Plug your computer into a power source so that it does not switch off during the installation process.
      • Stay connected to the internet so that you can get the latest updates while you install Ubuntu. If you are not connected to the internet you will be asked to select a wireless network, if available.
      • Create a bootable USB stick. View Ubuntu's guide for the device where you are creating it:

    Mac

    Windows

    • Encrypt using the OS's built-in system

      • Encrypt older devices

      • If you encounter an error message saying "This device can't use a Trusted Platform Module," your computer does not have a Trusted Platform Module (TPM) chip that is used for encryption. However, with the following configuration adjustments, BitLocker can still be used on computers without a TPM chip:

        Step 1. Press Start. Type gpedit.msc and press Enter. In the new window, double-click "Operating System Drives."

        Step 2. In the right-hand panel of this window, double-click "Require additional authentication at startup," which opens a new window. Note: there is also a "Require additional authentication at startup (Windows Server 2008 and Windows Vista)" option; that is NOT the one you want.

        Step 3. Select Enabled. Ensure that "Allow BitLocker without a compatible TPM (Requires a password or a startup key on a USB flash drive)" is enabled. Click OK.

        Step 4. Close the Local Group Policy Editor window.

        Step 5. Turn on device encryption.
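
To confirm that Steps 1 to 5 took effect, the following read-only check can be run from an elevated PowerShell window. It is an added example, not part of the original guide; the function name is hypothetical, and `UseAdvancedStartup` and `EnableBDEWithNoTPM` are the registry values in which Windows stores the "Require additional authentication at startup" policy.

```powershell
# Added example (read-only, changes nothing). Run in an elevated PowerShell window.
function Test-BitLockerNoTpmSetup {   # hypothetical helper name
    $r = [ordered]@{}

    # Is a TPM present? Without one, BitLocker depends on the policy from Steps 1-3.
    $r.TpmPresent = [bool](Get-Tpm).TpmPresent

    # "Require additional authentication at startup" is saved as these policy values.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                               -ErrorAction SilentlyContinue
    $r.PolicyEnabled   = ($policy.UseAdvancedStartup -eq 1)
    $r.AllowWithoutTpm = ($policy.EnableBDEWithNoTPM -eq 1)

    # State of the drive Windows is installed on.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $r.VolumeStatus     = [string]$vol.VolumeStatus
    $r.ProtectionStatus = [string]$vol.ProtectionStatus
    $r.Protectors       = @($vol.KeyProtector |
                            ForEach-Object { [string]$_.KeyProtectorType })

    # Collect anything that means the drive is not yet protected as intended.
    $problems = @()
    if (-not $r.TpmPresent -and -not ($r.PolicyEnabled -and $r.AllowWithoutTpm)) {
        $problems += 'No TPM, and "Allow BitLocker without a compatible TPM" is not set.'
    }
    if ($r.VolumeStatus -ne 'FullyEncrypted') {
        $problems += "Drive is not fully encrypted yet (status: $($r.VolumeStatus))."
    }
    if ($r.ProtectionStatus -ne 'On') {
        $problems += 'BitLocker protection is off or suspended.'
    }
    if (-not $r.TpmPresent -and
        -not ($r.Protectors -contains 'Password' -or
              $r.Protectors -contains 'ExternalKey')) {
        $problems += 'No password or USB startup-key protector on the system drive.'
    }
    $r.Problems = $problems
    [pscustomobject]$r
}

Test-BitLockerNoTpmSetup | Format-List
```

An empty `Problems` list means the system drive is fully encrypted with protection switched on; encryption of a large drive can take hours, so a status of `EncryptionInProgress` shortly after Step 5 is expected.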

    Learn why we recommend this

    If your device is lost, stolen, or seized by people who want to look at your files and communications, you will need protection to stop them. Encrypting your whole device protects it.

    On desktops and laptops, your device may have built-in encryption options. VeraCrypt can also offer additional protection for specific files or external drives, or can encrypt your whole device if you prefer.

    Consider encrypting only some of your files

    Linux, Mac, and Windows

    Learn why we recommend this

    You might find it useful to leave non-sensitive files on your device un-encrypted, so that if your device is searched, your device does not look suspicious because it contains ordinary, everyday files and communications. In this case, encrypt only some of your files.

    Consider whether to make a hidden volume

    Learn why we recommend this

    When you encrypt your information, nobody else may be able to read it, but someone might still be able to see that the encrypted data is there, and that you have taken steps to protect it. That adversary might then try to intimidate, blackmail, interrogate, or torture you to get you to unlock that encryption.

    VeraCrypt gives you the opportunity to avoid this risk by making a "hidden volume." You open VeraCrypt's hidden volume by providing a different password from the one you normally use. Even if a technically sophisticated intruder gains access to your "unhidden" encrypted files, they will be unable to prove hidden ones exist.

    VeraCrypt disguises your encrypted information as other, less sensitive, hidden data (like music files or ordinary documents), so it does not look unusual. It is generally considered impossible to tell from analysis whether or not an encrypted volume contains a hidden volume. So if an intruder steals your key, takes you to court, or intimidates you into giving up your password, they will find convincing 'decoy' material, but not the information you are protecting.

    This is like having a locked safe with a "false bottom:" only you know that your safe has a hidden compartment. This allows you to deny that you are keeping any secrets beyond what you already gave your adversary, and might help protect you in situations where you must reveal a password. This gives you a chance to escape a potentially dangerous situation. Know, however, that this is less useful if just being caught with a safe in your office might arouse suspicion.

    Be warned that your adversary might know VeraCrypt can hide information in this way; there is no guarantee they will give up if you reveal your decoy password. But plenty of people use VeraCrypt without hidden volumes.

    You must also make sure you do not accidentally reveal your hidden volume by leaving it open or allowing other applications to create shortcuts to the files that it contains.

    Protect your encrypted drive

    Unmount

    • When your VeraCrypt volume is 'mounted' (in other words, whenever you can access the contents yourself), your data may be vulnerable. Keep it unmounted when you are not actively reading or modifying the files inside it.
    • If you keep an encrypted volume on a USB memory stick, remember that just removing the USB stick may not immediately disconnect the volume. You need to "unmount" the drive first, then disconnect the external drive or memory stick, then remove the device. Practice this until you can do it easily, so you will be ready in case of a raid or other emergency.

    Disconnect the drive

    • ... when you walk away from your device for any length of time. This ensures you do not leave your sensitive files accessible to physical or remote intruders while you are gone.
    • ... when you put your computer to sleep (also known as "suspend" or "hibernate"), either by selecting that option or by closing a laptop.
    • ... before allowing someone else to handle your computer. When taking a laptop through a security checkpoint or border crossing, it is important that you disconnect all encrypted volumes and shut your computer down completely.
    • ... before inserting an untrusted USB memory stick or other external storage device, including those belonging to friends and colleagues.

    Don’t access your encrypted drive on a device you don’t trust

    • An adversary may have installed malware to snoop on a device that is not in your control, like a computer at a net cafe. They might use this to steal your passwords and get access to your encrypted drive or other sensitive material on your device.

    Learn why we recommend this

    Following the "locked safe" metaphor, no matter how sturdy your safe is, it won't do you a whole lot of good if you leave the door open. Follow these steps to protect your encrypted drive.

    Use trusted dealers and repair shops

    • If you buy a pre-owned device, have someone you trust wipe it clean and check it for malware.
    • If you think someone might have the access, resources, or motivation to target you by pre-installing malware on your device before you buy it, consider choosing an authorised phone dealer at random.

    Learn why we recommend this

    When you get a pre-owned device, or send your device to be repaired, it offers adversaries an opportunity to look at your files. Pre-owned phones may unfortunately carry malware or spyware, so if possible, it might be better to buy a new device. Repair shops have also sometimes been known to spy on devices or sell their data. Be sure to choose a repair shop you trust.