How to securely store and share sensitive files

This post has been updated. It was originally posted on May 4, 2018.

Your computer is not as secure as you think. If you use it to store sensitive information—think tax forms, legal documents, and other files—you need to take extra steps to keep that data safe from prying eyes.

Protect files on your computer

Stashing sensitive files on your computer is much more convenient than hoarding stacks of papers in filing cabinets. But just as you lock your filing cabinet with a key, you need to lock those digital files so thieves and hackers can’t access them. Despite what you may think, a regular user account password is not enough. If someone has access to your device, they could easily find and steal your files with free and easy-to-obtain software.

Both Windows and macOS have built-in tools that will encrypt your files and treat your user account’s password as the key. That way, you’ll enter your password the same as you always have, but it does a lot more behind the scenes to lock down your files.

This feature can encrypt your computer, as well as your external drives. The latter ability is useful if you want to move files between PCs or lock the data under another layer of security by putting a portable drive in a physical safe. 

Here’s the catch: BitLocker requires that your computer has a special chip called a Trusted Platform Module (TPM), and not every PC comes with one. If your computer doesn’t have a TPM and you have Windows 10 or newer, you can enable BitLocker and save the encryption key on a flash drive. If your computer is running Windows 7 or newer, you also have the option to encrypt your local drive without a TPM or a USB drive. 

If all of that seems a bit complicated, you can turn to third-party options. VeraCrypt is a free program for Windows, macOS, and Linux that can encrypt your computer’s entire drive. You can also use it to encrypt certain groups of files inside their own secure “container,” though we recommend encrypting everything.

If you encrypt your hard drive (or put any files in an encrypted container), it’s incredibly important that you remember your password. Should you forget it you won’t be able to access those files at all.

“The Dropbox service can access files to do things like generate previews and allow users to interact with and collaborate on those files,” says Rajan Kapoor, head of data security at Dropbox. By making your data accessible to the platform, it can provide convenient features—but when it comes to your sensitive files, you may not feel that this is worth the trade-off. While Dropbox “performs threat modeling on every feature to probe for weaknesses,” it’s still asking you to trust its private security measures.

Some services, like SpiderOak One Backup, eschew those convenient features in favor of added security. “With other services, even when they use some encryption, you still are giving control over your files to the service,” says Jonathan Moore, CTO of SpiderOak. “The service can choose who can read the files, and even change them. With SpiderOak’s ‘trust less’ approach, we have no control over the data we host for you.” Because your data is encrypted before it ever leaves your computer, the SpiderOak service can only access that jumbled mess of encryption—not the actual files you’ve stored.

However, neither service will protect you if some ne’er-do-well actually gains access to your account. If someone else knows your Dropbox password or breaks into your account through a security breach—which has happened to Dropbox a couple of times in the past—your files will all become freely accessible to them. (To be fair, SpiderOak has also had security holes in the past, though none quite as serious as Dropbox’s breaches.) That’s why it’s incredibly important that you choose a strong, randomly-generated password and turn on two-factor authentication for every cloud service you use.

As long as you take advantage of those features, a cloud service like Dropbox or SpiderOak is probably good enough to protect most documents. But remember: When it comes to the cloud, you’re always trusting your data to someone else. If you really want an extra layer of security, you can store your files in a VeraCrypt container and then sync them to cloud storage. Even if someone got full access to your Dropbox or SpiderOak account, the bad actor would also need your VeraCrypt container’s password to access the files. Dropbox’s Help Center even recommends this approach when dealing with extra sensitive files.

Unfortunately, that isn’t very practical. Your recipient probably doesn’t use VeraCrypt, and asking them to install a whole new program just to read your files is probably going to be a non-starter. So you’ll need to try another route.

If you’re sending documents to a professional who regularly deals with sensitive documents, like a lawyer or tax preparer, they may have a “secure file box” on their website where you can drop the data. You’ll probably need to create an account to use it, but provided its developers have done their jobs, this will likely be your most secure option. (Again, there’s a big “if”: You have to trust the person managing the encrypted cloud storage.)

Of course, no matter how secure the handoff is, you’re putting your trust in the recipient: Once the file is in their hands, you can’t control how careful they are. So maybe it’s best not to fret too much. After all, they might leave their computer open without a password, or toss physical documents onto desks for all to see. That’s an unfortunate reality of the modern world. But you can at least do your part to keep sensitive information moderately secure—and hope others do theirs.