How to securely store and share sensitive files
A tin foil hat that actually works.
This post has been updated. It was originally posted on May 4, 2018.
Your computer is not as secure as you think. If you use it to store sensitive information—think tax forms, legal documents, and other files—you need to take extra steps to keep that data safe from prying eyes.
Protect files on your computer
Stashing sensitive files on your computer is much more convenient than hoarding stacks of papers in filing cabinets. But just as you lock your filing cabinet with a key, you need to lock those digital files so thieves and hackers can’t access them. Despite what you may think, a regular user account password is not enough. If someone has access to your device, they could easily find and steal your files with free and easy-to-obtain software.
In order to truly protect sensitive files, you need encryption. This technology uses complex algorithms to jumble up the data so that only people with the key—in this case, a password—can view the unscrambled version. If anyone were to steal your computer, they would see the file, but without that password, its contents would look like a garbled mess.
Both Windows and macOS have built-in tools that will encrypt your files and treat your user account’s password as the key. That way, you’ll enter your password the same as you always have, but it does a lot more behind the scenes to lock down your files.
Mac users have it easy: Turn on the FileVault feature from System Preferences > Security & Privacy > FileVault. This will encrypt your entire hard drive, preventing anyone from accessing your files unless they know your account password. If you want to store information on an external USB drive for portability, your Mac can encrypt that too: open the drive in the Disk Utility app, select it from the sidebar on the left, and follow the instructions.
Windows, unfortunately, is a bit more complicated. Some PCs automatically encrypt their files by default. You can check this by going to Settings > System > About and scrolling down to BitLocker. Click on it and in the pop-up menu, under Operating system drive, you’ll see if this tool is on or off. If it’s not activated, click on Turn on BitLocker and follow the instructions.
This feature can encrypt your computer, as well as your external drives. The latter ability is useful if you want to move files between PCs or lock the data under another layer of security by putting a portable drive in a physical safe.
Here’s the catch: BitLocker requires that your computer has a special chip called a Trusted Platform Module (TPM), and not every PC comes with one. If your computer doesn’t have a TPM and you have Windows 10 or newer, you can enable BitLocker and save the encryption key on a flash drive. If your computer is running Windows 7 or newer, you also have the option to encrypt your local drive without a TPM or a USB drive.
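The BitLocker panel's on/off state can also be checked from a script. The following added example (not part of the original article) parses the text printed by Windows' `manage-bde -status` command and flags drives that are encrypted but whose protection is switched off. The sample output is constructed and abridged, English-language output is assumed, and the function names are illustrative.

```python
import re
# Constructed, abridged sample of `manage-bde -status` output (English locale).
SAMPLE_STATUS = """\
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off
    Key Protectors:       None Found

Volume D: [Data]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off

Volume E: [Backup]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Key Protectors:
        Password
        Numerical Password
"""

def parse_volumes(text):
    """Map each drive letter to its status fields and its list of key protectors."""
    volumes, current, in_protectors = {}, None, False
    for line in text.splitlines():
        if (header := re.match(r"Volume ([A-Z]):", line)):
            current = volumes.setdefault(header.group(1), {"Key Protectors": []})
            in_protectors = False
        elif current is not None and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            in_protectors = key == "Key Protectors"
            if not in_protectors:
                current[key] = value
        elif in_protectors and line.strip():
            current["Key Protectors"].append(line.strip())
    return volumes

def audit(volumes):
    """Classify each drive; 'encrypted' alone is not enough if protection is off."""
    findings = {}
    for drive, info in volumes.items():
        if not info.get("Conversion Status", "").endswith("Encrypted"):
            findings[drive] = "not encrypted"
        elif info.get("Protection Status") != "Protection On":
            # Suspended BitLocker: data is scrambled but the key sits unprotected on disk.
            findings[drive] = "encrypted, but protection is off"
        else:
            findings[drive] = "protected by: " + ", ".join(info["Key Protectors"])
    return findings

print(audit(parse_volumes(SAMPLE_STATUS)))
```

On a real PC, feed `parse_volumes` the output of `manage-bde -status` run from an administrator prompt instead of the sample text.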
If all of that seems a bit complicated, you can turn to third-party options. VeraCrypt is a free program for Windows, macOS, and Linux that can encrypt your computer’s entire drive. You can also use it to encrypt certain groups of files inside their own secure “container,” though we recommend encrypting everything.
If you encrypt your hard drive (or put any files in an encrypted container), it’s incredibly important that you remember your password. Should you forget it, you won’t be able to access those files at all.
Store files in the cloud
So you’ve got your computer under control, but what if you want easy access to those files on your other devices? Or if you need to back them up in case of hard drive failure? You can keep them safe in the cloud, but first, you have to know about the security of your storage service.
Many popular file-sharing services, such as Dropbox, encrypt your data—but this doesn’t make them completely private.
“The Dropbox service can access files to do things like generate previews and allow users to interact with and collaborate on those files,” says Rajan Kapoor, head of data security at Dropbox. By making your data accessible to the platform, it can provide convenient features—but when it comes to your sensitive files, you may not feel that this is worth the trade-off. While Dropbox “performs threat modeling on every feature to probe for weaknesses,” it’s still asking you to trust its private security measures.
Some services, like SpiderOak One Backup, eschew those convenient features in favor of added security. “With other services, even when they use some encryption, you still are giving control over your files to the service,” says Jonathan Moore, CTO of SpiderOak. “The service can choose who can read the files, and even change them. With SpiderOak’s ‘trust less’ approach, we have no control over the data we host for you.” Because your data is encrypted before it ever leaves your computer, the SpiderOak service can only access that jumbled mess of encryption—not the actual files you’ve stored.
However, neither service will protect you if some ne’er-do-well actually gains access to your account. If someone else knows your Dropbox password or breaks into your account through a security breach—which has happened to Dropbox a couple of times in the past—your files will all become freely accessible to them. (To be fair, SpiderOak has also had security holes in the past, though none quite as serious as Dropbox’s breaches.) That’s why it’s incredibly important that you choose a strong, randomly-generated password and turn on two-factor authentication for every cloud service you use.
As long as you take advantage of those features, a cloud service like Dropbox or SpiderOak is probably good enough to protect most documents. But remember: When it comes to the cloud, you’re always trusting your data to someone else. If you really want an extra layer of security, you can store your files in a VeraCrypt container and then sync them to cloud storage. Even if someone got full access to your Dropbox or SpiderOak account, the bad actor would also need your VeraCrypt container’s password to access the files. Dropbox’s Help Center even recommends this approach when dealing with extra sensitive files.
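What "encrypted before it ever leaves your computer" looks like in practice, as an added example (not part of the original article, and not SpiderOak's, Dropbox's or VeraCrypt's code): a password is stretched into a key with scrypt and the file is sealed with AES-256-GCM, so the storage service only ever holds the sealed bytes. It assumes the third-party Python `cryptography` package; the function names, the `DEMO1` header and the sample document are constructed for illustration.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

MAGIC = b"DEMO1"  # hypothetical header for this example; not a real container format

def derive_key(password: str, salt: bytes) -> bytes:
    # scrypt is deliberately slow and memory-hungry, so guessing passwords
    # against a stolen copy of the sealed file is expensive.
    return Scrypt(salt=salt, length=32, n=2**15, r=8, p=1).derive(password.encode())

def seal(plaintext: bytes, password: str) -> bytes:
    """Encrypt locally; the result is the only thing that should be uploaded."""
    salt, nonce = os.urandom(16), os.urandom(12)  # fresh random values for every file
    sealed = AESGCM(derive_key(password, salt)).encrypt(nonce, plaintext, MAGIC)
    return MAGIC + salt + nonce + sealed

def unseal(blob: bytes, password: str) -> bytes:
    """Decrypt after download; fails loudly on a wrong password or an altered file."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a file produced by seal()")
    salt, nonce, sealed = blob[5:21], blob[21:33], blob[33:]
    try:
        return AESGCM(derive_key(password, salt)).decrypt(nonce, sealed, MAGIC)
    except InvalidTag:
        raise ValueError("wrong password, or the file was modified") from None

if __name__ == "__main__":
    document = b"Tax form: constructed sample contents"
    uploaded = seal(document, "correct horse battery staple")
    print("readable text visible in the upload:", document in uploaded)
    print(unseal(uploaded, "correct horse battery staple"))
```

Anyone who obtains the uploaded bytes, including the storage provider, still needs the password to read or silently alter the document.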
Send files to someone else
Keeping your files safe gets a lot more difficult if you need to share them with someone else. The most secure way to send those files (besides handing them over in person) is to encrypt them, share the encrypted version, and have the recipient decrypt them on their own machine.
Unfortunately, that isn’t very practical. Your recipient probably doesn’t use VeraCrypt, and asking them to install a whole new program just to read your files is probably going to be a non-starter. So you’ll need to try another route.
If you’re sending documents to a professional who regularly deals with sensitive documents, like a lawyer or tax preparer, they may have a “secure file box” on their website where you can drop the data. You’ll probably need to create an account to use it, but provided its developers have done their jobs, this will likely be your most secure option. (Again, there’s a big “if”: You have to trust the person managing the encrypted cloud storage.)
Without a secure file box, you should turn to your cloud-storage service of choice. Upload the file and use the built-in file-sharing features to send your recipient a link. This is safer than sending the file as an email attachment, since the recipient’s email service may not have strong security. By sharing the file through something like Dropbox, you at least know it’s traveling over HTTPS, so other people on the network can’t see it, and you’ll be able to remove the file from your cloud storage after the recipient downloads it. This method isn’t perfect (since, again, Dropbox can see your files), but it’s almost certainly better than using an email attachment.
Of course, no matter how secure the handoff is, you’re putting your trust in the recipient: Once the file is in their hands, you can’t control how careful they are. So maybe it’s best not to fret too much. After all, they might leave their computer open without a password, or toss physical documents onto desks for all to see. That’s an unfortunate reality of the modern world. But you can at least do your part to keep sensitive information moderately secure—and hope others do theirs.