Protect your sensitive information

Updated 13 March 2024

    Intruders may be able to read or modify your data if they manage to get hold of your device. It is always best to have several layers of defence against this possibility. Encrypting your entire device as well as individual files is one important form of protection.

    Encryption is a way for software to scramble your information using advanced mathematics, leaving you and only you with the key to unscramble it (in the form of a password, passphrase, or encryption key). So encrypting your device is like keeping your information in a locked safe with a combination that only you know.

    Take the following steps to protect data stored on your devices.

    Consider deleting old data instead of storing it

    Learn why we recommend this

    Storing confidential data can be a risk for you and for the people you work with. Encryption reduces this risk but does not eliminate it. The first step to protecting sensitive information is to reduce how much of it you keep around. Unless you have a good reason to store a particular file, or a particular category of information within a file, you should simply delete it (see How to destroy sensitive information to learn how to do this securely).

    Consider whether encryption is illegal or suspicious in your jurisdiction

    Learn why we recommend this

    Encryption is illegal in some countries. If it is illegal in your country, downloading, installing or using encryption software might be considered a crime. Police, military, or intelligence services might take your use of encryption software as a pretext to investigate your activities or persecute your organization. Regardless of what is actually inside your encrypted volumes, and regardless of whether or not this information is legal in your area, the usage of encryption might cast suspicion on you.

    So investigate how law enforcement has treated encryption in your country, and think carefully about whether tools whose sole purpose is encrypting your data are appropriate for your situation.

    You can start researching the legal status of encryption in your country in the Global Partners Digital World map of encryption laws and policies.

    If encryption is not illegal in your country or in the countries you're travelling to, you can skip directly to Consider encrypting your whole device.

    If encryption is illegal in your country, consider the following alternatives

    Store only non-sensitive information

    Store to an encrypted cloud account

    • Consider whether making use of an encrypted cloud service would be wise given the threats you face. While these services protect your data using encryption, and store your data on servers that might be harder for your adversary to get to, if your adversaries do have access to those servers, they will have more time to try to break into your data, and may be able to do it without you detecting the break-in.

    Use a system of code words

    • Store your files normally, but use code words to label sensitive names, locations, activities, etc.

    Store to an encrypted removable drive

    • You can keep sensitive information off of your computer by storing it on an encrypted USB memory stick or portable hard drive. To learn how to encrypt your entire storage device, see Consider encrypting your external storage devices below.

    • Be aware that external devices are typically even more vulnerable than computers to loss and confiscation, so carrying around sensitive information on them can be risky. When encrypting them, make sure to use a strong password that is harder to guess or crack. See Create and maintain strong passwords to learn how to create a strong password.

    Consider encrypting your whole device

    • Be aware that full-disk encryption (FDE) only works fully if your device is powered all the way off, not in the sleep mode (also known as "suspend" or "hibernate"). If your device is not switched off, someone who has physical access to it may be able to read or modify your files and communications.

    Android

    • Most devices with Android 10 and higher are required to use file-based encryption.

      To check, navigate to Settings > Security > Encryption & credentials and look for Encryption or Encrypt phone. Please note that these options may differ on your device.

    iOS

    Linux

    • You can only activate full-disk encryption when you are installing Linux, so you will need to re-install if FDE is not enabled on your computer. Before you do so:

      • Back up all your data. The installation process will replace all data stored on your previous operating system.
      • Plug your computer into a power source so that it does not switch off during the installation process.
      • Stay connected to the internet through a cable so that you can get the latest updates while you install Linux. If you are not connected to the internet through a cable you will be asked to select a wireless network, if available.
    • To install Ubuntu, read the installation tutorial in Ubuntu's official documentation.

    • For the installation you will also need to create a bootable USB stick.

    macOS

    Windows

    You can encrypt your entire Windows computer using BitLocker, the built-in device encryption system available on devices running Windows 10 or 11 Pro, Enterprise, or Education.

    • To encrypt your Windows computer using BitLocker, see the official Windows documentation
    • Encrypt older devices
      • If you encounter an error message saying "This device can't use a Trusted Platform Module," this means that your computer does not have a Trusted Platform Module (TPM) chip that is used for encryption. However, with the following configuration adjustments, BitLocker can still be used on computers without a TPM chip:
        1. Press Start. Type gpedit.msc and press Enter. In the new window, double-click Operating System Drives.
        2. In the right-hand panel of this window, double-click Require additional authentication at startup, which opens a new window. (Note: there is also a "Require additional authentication at startup (Windows Server 2008 and Windows Vista)" option; that is NOT the one you want.)
        3. Select Enabled. Ensure that Allow BitLocker without a compatible TPM (Requires a password or a startup key on a USB flash drive) is enabled. Click OK.
        4. Close the Local Group Policy Editor window.
        5. At the end of this procedure you can turn on device encryption.
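To confirm that the policy change from the steps above took effect, the check below reads the two registry values this Group Policy setting writes and then reports the BitLocker state of the system drive. It is an added example, not part of the original guide; it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets, must be run from an elevated PowerShell window, and assumes the system drive is the one being encrypted.

```powershell
# Added example: confirm the no-TPM BitLocker policy and the drive's state.
# Run from an elevated PowerShell session.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the policy value has never been written.
    $item = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# "Require additional authentication at startup" -> UseAdvancedStartup = 1
# "Allow BitLocker without a compatible TPM"     -> EnableBDEWithNoTPM = 1
$advancedStartup = Get-FvePolicyValue -Name 'UseAdvancedStartup'
$allowWithoutTpm = Get-FvePolicyValue -Name 'EnableBDEWithNoTPM'

$tpm        = Get-Tpm -ErrorAction SilentlyContinue
$tpmPresent = ($null -ne $tpm) -and $tpm.TpmPresent

"TPM present:                        $tpmPresent"
"Require additional authentication:  $($advancedStartup -eq 1)"
"Allow BitLocker without a TPM:      $($allowWithoutTpm -eq 1)"

if (-not $tpmPresent -and $allowWithoutTpm -ne 1) {
    Write-Warning 'No TPM and the policy is not enabled: BitLocker setup will stop with the TPM error.'
}

# State of the system drive once device encryption has been turned on.
$volume     = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })

"Volume status:     $($volume.VolumeStatus) ($($volume.EncryptionPercentage)%)"
"Protection status: $($volume.ProtectionStatus)"
"Key protectors:    $($protectors -join ', ')"

if ($volume.VolumeStatus -ne 'FullyEncrypted' -or $volume.ProtectionStatus -ne 'On') {
    Write-Warning 'The system drive is not fully encrypted and protected yet.'
}

# Without a TPM, unlocking at startup relies on a password or a USB startup key.
if (-not $tpmPresent -and
    $protectors -notcontains 'Password' -and
    $protectors -notcontains 'ExternalKey') {
    Write-Warning 'No password or startup-key protector is configured on this drive.'
}
```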
    Learn why we recommend this

    If your device is lost, stolen, or seized by people who want to access your files and communications, you will need protection to stop them. Encrypting your whole device with a strong password or code offers this kind of protection.

    If your computer does not support full-disk encryption or if you prefer to use a free and open-source tool to enable disk encryption, you can use VeraCrypt to encrypt your whole device.

    Consider encrypting your external storage devices

    • Storing sensitive information in an encrypted storage device like a USB stick or portable hard drive may protect your most important data from adversaries who search your computer.
    • Be aware that external devices are usually even more vulnerable than computers to loss and confiscation, so make sure to encrypt them with a strong password that is harder to guess or crack. See Create and maintain strong passwords to learn how to create a strong password.
    • On desktops and laptops, your device may have built-in encryption options for external storage devices. Alternatively, you can use VeraCrypt to activate this additional layer of protection.

    Linux, macOS and Windows

    Whatever OS you run on your computer, you can use VeraCrypt to protect sensitive files on an external storage device. You can either create an encrypted volume within your external device or encrypt the entire storage device.

    macOS

    On macOS, you can use the built-in Disk Utility to encrypt your external storage devices. Be aware that if you choose this solution you will only be able to access your encrypted devices on macOS systems.

    Windows

    On Windows, you can use the built-in BitLocker, available on Windows 10 and Windows 11 Pro, Enterprise or Education, to encrypt your external storage devices. Be aware that if you choose this solution you will only be able to access your encrypted devices on Windows systems.

    Tails

    Tails is an operating system that runs off a USB drive plugged into your machine. It protects all of your internet connections by using Tor at all times and erases your history when you shut it down, leaving no traces in your computer. Furthermore, you can create an encrypted volume inside the USB stick to store sensitive information that cannot be accessed by intruders who get access to your Tails stick in case you lose it or it is confiscated.

    Consider encrypting just some sensitive files

    On desktops and laptops, your device may have built-in encryption options that offer additional protection for specific files. Alternatively, you can use Cryptomator to activate this additional layer of protection on any operating system, including mobile devices. Another option to encrypt your sensitive data on computers is VeraCrypt, which also makes it possible to hide your encrypted folder.

    Learn why we recommend this

    You might find it useful to leave non-sensitive files on your device un-encrypted, so that if your device is searched it does not look suspicious because it contains ordinary, everyday files and communications. In this case, you can encrypt just some of your files.

    Windows, macOS, Linux, Android, iOS

    Whether you need to encrypt files in a computer or in a mobile device, you can use Cryptomator, a free and open-source application that was created specifically to protect the files you keep on online file storage platforms but can also be used to encrypt files you save in your device.

    To learn how to use Cryptomator, see their documentation, especially the Getting Started guide for computers.

    Windows

    macOS

    Linux, macOS and Windows

    Consider whether to store your files in a hidden volume

    Learn why we recommend this

    When you encrypt your information, nobody else may be able to read it, but someone might still be able to see that the encrypted data is there, and that you have taken steps to protect it. That adversary might then try to intimidate, blackmail, interrogate, or torture you to get you to unlock that encryption.

    VeraCrypt gives you the opportunity to avoid this risk by creating a "hidden volume." To open a hidden volume, you just need to enter a different password from the one you set for the standard volume. So if an intruder becomes suspicious about your encrypted files, they will be unable to prove hidden ones exist.

    VeraCrypt disguises your encrypted information as other, less sensitive, hidden data (like music files or ordinary documents), so it does not look unusual. It is generally considered impossible to tell from analysis whether or not an encrypted volume contains a hidden volume. So if an intruder takes you to court or intimidates you into giving up your password, you can give them the passphrase for your standard volume and they will find convincing "decoy" material, but not the information you are protecting.

    A hidden volume is like a "false bottom" in a locked safe: only you know that your safe has a secret compartment. This allows you to deny that you are keeping any secrets beyond what you already gave your adversary, and might help protect you in situations where you must reveal a password. So a hidden volume gives you a chance to escape a potentially dangerous situation. Remember, however, that this is less useful if using encryption is illegal in your country or if the fact that you are using it can raise suspicion.

    Be warned that your adversary might know that VeraCrypt can hide information in this way; there is no guarantee they will give up if you reveal your decoy password, even if plenty of people use VeraCrypt without hidden volumes.

    You must also make sure you do not accidentally reveal your hidden volume by leaving it open or allowing other applications to create shortcuts to the files it contains.

    Protect your encrypted folder or volume

    Unmount and disconnect the encrypted folder or volume

    • When your encrypted folder or volume is mounted - in other words, whenever you can access the contents yourself - your data may be vulnerable. Keep it unmounted when you are not actively reading or modifying the files inside it.
    • If you keep an encrypted volume or folder on a USB stick or external hard drive, remember that just disconnecting the external storage device may not immediately make the volume disappear from the system. Simply disconnecting may corrupt the file on the external drive. You need to unmount the volume or folder first, then eject the drive from your operating system before you can physically disconnect the device from your computer. Note that to unmount a volume all accessed files need to be closed. So if you are editing a document or looking at a photo, you need to close those files or quit the programs before you can unmount. Practice this workflow until you can do it easily, so you will be ready in case of emergency.

    Make sure to unmount and disconnect the encrypted folder or volume in all the following cases:

    • Before you walk away from your device for any length of time. This ensures you do not leave your sensitive files accessible to physical or remote intruders while you are gone.
    • Before you put your computer to sleep (also known as "suspend" or "hibernate"), either by selecting that option or by closing a laptop.
    • Before allowing someone else to handle your computer. When taking a laptop through a security checkpoint or border crossing, it is important that you disconnect all encrypted volumes and shut your computer down completely.
    • Before inserting an untrusted USB memory stick or other external storage device, including those belonging to friends or colleagues.

    Protect your device against malware

    Encryption can only protect your files if nobody can spy on you, for example, when you enter the password to decrypt them. Malicious software like spyware and other forms of malware can reduce the effectiveness of any steps you take to protect your files and communications, so try to keep your device healthy by following the recommendations in the Security in a Box guide on how to protect against malware.

    Don’t access your encrypted folder or volume on a device you don’t trust

    • An adversary may have installed malware to snoop on a device that is not in your control, like a shared computer at a net cafe. They might use this to steal your passwords and get access to your encrypted drive or other sensitive material on your device.
    Learn why we recommend this

    Following the "locked safe" metaphor, no matter how sturdy your safe is, it won't do you a whole lot of good if you leave the door open or someone can watch you as you enter the combination to open it.

    Use trusted dealers and repair shops

    • If you buy a pre-owned device, have someone you trust wipe it clean and check it for malware.
    • If you think someone might have the access, resources, or motivation to target you by pre-installing malware on your device before you buy it, carefully think about how to find a dealer you can trust.
    • If you need your device to be repaired, be sure you trust the repair shop or the person you hand it over to.
    Learn why we recommend this

    When you get a pre-owned device, or send your device to be repaired, it offers adversaries an opportunity to look at your files. Pre-owned devices may unfortunately carry malware or spyware so, if possible, it might be better to buy a new one. Repair shops have sometimes been known to spy on devices or copy and sell their data. Be sure to choose a repair shop you trust.

    If you are a well-known public figure, it is a good idea not to directly interact with repair providers and, instead, to ask someone you trust to get in touch with the shop so as to raise less curiosity regarding what your device may contain.