Encrypt Everything That You Reasonably Can

As our devices become more portable, they become easier to steal. Your primary computing device may no longer be a large, unwieldy desktop tower that never leaves your house; more likely, it is a laptop, tablet, or phone. If you use your personal computing device (hereafter simply referred to as "computer") to do anything beyond what you would feel comfortable doing on a public library computer, you probably have some sensitive documents on your computer. Losing your computer to theft is bad enough: leaving private invoice, medical, or tax documents sitting in plaintext on your computer for the thief to find merely amplifies possible harm done to you. Wherever it can reasonably be done, you should encrypt your devices.

When To Use Encryption

You should consider encrypting any device that is frequently transported and holds sensitive data. Depending on the hardware and the operating system it runs, the device can usually be encrypted with little effort and with little performance overhead (meaning you will not notice it in normal use). If you are running an up-to-date operating system (OS X / macOS, Windows 10, iOS, Android 6.0 and above, etc.) on a relatively recent device, you can probably use at least some level of encryption.

  • iPhones are encrypted out-of-the-box.
  • Chromebooks are encrypted out-of-the-box.
  • Windows 10 Pro, Enterprise, and Education editions have a built-in encryption option (BitLocker).
  • Android devices have a built-in encryption option.

When to NOT Use Encryption

There may be situations in which encryption is of little to no benefit, or in which the cons outweigh the pros. The two that matter most are losing the key and the performance cost on older hardware.

Once you make the decision to encrypt your device, you take on the risk that you may forget the password. If that happens, your files are locked away forever: there is no "Forgot My Password" option for disk-level decryption, because no one has the key but you. So take care to remember it, or write it down and keep it somewhere safe. If the device already has files on it, make sure that everything important is backed up before you encrypt it.

Danger! If you encrypt your device and lose the password, your data is permanently locked! There is no "Forgot my password" option!
Warning! Older PCs and Android devices may suffer a significant performance loss when full-disk encryption is enabled. Consider using file-level encryption instead, unless the confidentiality of everything on the device is paramount.

Full-Disk Encryption Versus File-Level Encryption

Full-Disk Encryption (FDE) refers to encrypting the entire hard drive (or at least everything that isn't needed to boot the device). When a device is fully encrypted, the drive must be unlocked before the operating system will even load. If the password is entered incorrectly or the drive fails to unlock, the boot process stops there: you won't even make it to the Windows/Apple/Ubuntu logo. If a laptop carried a normal, unencrypted hard drive with Windows installed on it, a thief who had the laptop would not be able to log in to Windows without your password. However, the thief could easily remove the hard drive from the laptop and mount it as an external drive on another computer, which would let him inspect the contents of the drive and read your My Documents folder without needing any password. If the same thing were attempted with an encrypted drive, the thief would need the decryption key/password in order to inspect the files on it. Otherwise, all he would see would be blocks of random-looking data.

File-Level Encryption refers to encrypting only the individual files that are sensitive or important. For instance, if your laptop is just a Netflix/light-browsing/light-gaming machine except for a handful of tax/student loan/medical documents, you may wish to encrypt just those documents instead of the entire drive. Encrypting on an individual file level has some disadvantages, namely that the metadata of the encrypted files (their names, sizes, and timestamps) stays exposed. A malicious individual who peers into your My Documents folder might not be able to open your tax documents, but he would still see that you have them; this could encourage him to copy them anyway, even in encrypted form, to try his hand at password cracking later. For a slightly more embarrassing example, encrypting your Porn folder would stop someone from viewing the videos, but they would still be able to see the files themselves and their salacious filenames.

A block of data that has been properly encrypted with a well-vetted algorithm and a properly random key should be indistinguishable from a block of unallocated or "garbage" data.
Many applications' "password protection" of a document is simply file-level encryption under another name (though the strength varies by application). Whether any metadata is hidden depends on the tool: encrypting files one at a time leaves their names, sizes, and timestamps visible, whereas an encrypted container or archive keeps the file names inside the ciphertext, where an attacker cannot use them to infer what you have.
Note: Encrypting the entire drive means that losing the key would not just cost you access to your documents: you would be unable to boot into the operating system at all! Consider the level of security that is appropriate for your needs.

Encrypting Your Desktop or Laptop Computer

There are multiple methods for encrypting your desktop computer, including tools built into the operating system and third-party tools. In general, the first-party tools (those provided with the operating system) require less work to set up. However, if you are not willing to trust Apple or Microsoft to encrypt your data in a way that they could not be compelled by a three-letter agency to undo without your consent, you may prefer a third-party tool such as VeraCrypt (the maintained successor to TrueCrypt). Bear in mind that you are then trusting that project's code and build process instead, so choose one that is actively maintained and has been independently audited.

Listed below are some of the encryption tools available for each of the major operating systems. Stock tools provided by the OS are listed first, then third party and cross-platform tools.

First Party Full-Disk Encryption Tools:

  • OSX / MacOS : FileVault
  • Windows: BitLocker (Windows Vista and 7 Ultimate/Enterprise; Windows 8 and 10 Pro/Enterprise, plus Windows 10 Education; unfortunately not available if you are using a Home edition)
  • Linux: The installers of most modern distributions (Debian, Ubuntu, Fedora, Arch, etc.) offer LUKS encryption as an option during installation. If not, cryptsetup can be configured manually afterwards.
  • ChromeOS: Your chromebook is encrypted by default. No extra setup needed.
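The Linux entry in the list above, worked through as an added example (this is not the page's own material or any distribution's installer script): a file-backed LUKS2 volume created with cryptsetup, a random keyfile enrolled as a second key slot, and a backup of the LUKS header. The header backup matters because of the failure the page warns about: with a lost passphrase or a damaged header the data is gone. The container path, mapper name, mount point and size are illustrative choices; the privileged steps need root and cryptsetup 2.x and only run when the script is invoked with the argument `run`.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): LUKS2 container with cryptsetup.
# Assumes a recent cryptsetup (2.x), GNU coreutils and root for the "run" path.
set -eu

CONTAINER=${CONTAINER:-/srv/secret.img}   # illustrative; a real partition such as /dev/sda3 works the same way
MAPPER=secretvol                          # will appear as /dev/mapper/secretvol
MOUNTPOINT=/mnt/secret
KEYFILE=/root/secretvol.key               # second key slot: fallback if the passphrase is forgotten
HEADER_BACKUP=/root/secretvol-header.img  # without an intact header the volume is unrecoverable

# A keyfile is just random bytes; cryptsetup uses the whole file as the "passphrase".
# Created with umask 077 so it is never readable by other users, then size-checked.
make_keyfile() {
  path=$1
  ( umask 077; head -c 4096 /dev/urandom > "$path" )
  [ "$(stat -c %s "$path")" -eq 4096 ]
}

luks_create() {
  truncate -s 1G "$CONTAINER"
  # luksFormat prompts for the passphrase; --batch-mode only skips the "Are you sure?" question.
  cryptsetup luksFormat --type luks2 --batch-mode "$CONTAINER"
  cryptsetup open "$CONTAINER" "$MAPPER"        # prompts for the passphrase, sets up the loop device itself
  mkfs.ext4 -q "/dev/mapper/$MAPPER"
  mkdir -p "$MOUNTPOINT"
  mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
}

luks_add_keyfile_and_backup() {
  make_keyfile "$KEYFILE"
  cryptsetup luksAddKey "$CONTAINER" "$KEYFILE"   # prompts for an existing passphrase, then enrols the keyfile
  cryptsetup luksHeaderBackup "$CONTAINER" --header-backup-file "$HEADER_BACKUP"
  chmod 400 "$HEADER_BACKUP"
  # The dump should now list two populated key slots (passphrase and keyfile).
  cryptsetup luksDump "$CONTAINER" | grep -E '^[[:space:]]+[0-9]+: luks2'
}

luks_close() {
  umount "$MOUNTPOINT"
  cryptsetup close "$MAPPER"
}

if [ "${1:-}" = "run" ]; then
  luks_create
  luks_add_keyfile_and_backup
  luks_close
fi
```

To unlock later without typing the passphrase, `cryptsetup open --key-file /root/secretvol.key /srv/secret.img secretvol` followed by the mount. Treat the header backup as carefully as the keyfile: it contains the key slots, so anyone holding the backup plus an old passphrase can still open the volume even after you change the passphrase on the live header.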

Third Party Full-Disk Encryption Tools:

WARNING: TrueCrypt is no longer maintained and is not receiving bug fixes. Use one of its successors, such as VeraCrypt, instead.

Third Party File Encryption Tools:

  • GNU Privacy Guard (Mac / Win / Linux)
    GPG is an implementation of the OpenPGP standard, best known for encrypting e-mail, but it can encrypt any file, either to a key pair or with a passphrase (symmetric mode).

    The gpg tool can be awkward to work with on its own, so graphical front-ends exist for each platform so that you do not have to use the command line.
  • Cryptomator (Mac / Win / Linux)
  • AESCrypt (Mac / Win / Linux)
  • 7-Zip (Win / Linux) (designed for compression, but can encrypt archives with AES-256 and, for .7z archives, encrypt the file names inside them as well)
  • AxCrypt (Windows only) (includes shell integration)
  • miniLock (ChromeOS; Mac / Win / Linux as a Chrome App)
Some of your existing applications may be able to pull double-duty as encryption programs. If you already secure your e-mail via PGP, you can use the same tool to encrypt your files. If you have 7-Zip already installed for extracting files, it can encrypt files for you as well.
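As an added example (not the page's own material, nor anything shipped with GnuPG), here is what the GPG route looks like from the command line for a single document, using symmetric (passphrase) mode so that no key pair is needed. It also demonstrates the two points made earlier in this page: a wrong passphrase gets an attacker nothing, while the encrypted file still reveals its name and size. The sample document, passphrase and paths are constructed for the example; it assumes GnuPG 2.2 or later.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): file-level encryption with gpg --symmetric.
# Assumes GnuPG 2.2+. Document, passphrase and paths are constructed sample data.
set -eu

export GNUPGHOME="$(mktemp -d)"       # isolated keyring/agent; never touches ~/.gnupg
WORK="$(mktemp -d)"
DOC="$WORK/tax-return-2019.txt"
printf 'Taxpayer: Jane Doe\nAGI: 48,210\n' > "$DOC"       # constructed sample document
printf 'correct horse battery staple\n' > "$WORK/pass"    # constructed passphrase
printf 'wrong guess\n' > "$WORK/wrongpass"

GPG="gpg --batch --yes --quiet --pinentry-mode loopback"

# Encrypt $1 to $1.gpg with the passphrase in file $2: AES-256, salted and iterated
# passphrase stretching (S2K mode 3) at the maximum count, so that anyone who copies
# the .gpg file to crack it later pays the highest possible price per guess.
encrypt_file() {
  $GPG --passphrase-file "$2" --symmetric --cipher-algo AES256 \
       --s2k-mode 3 --s2k-digest-algo SHA256 --s2k-count 65011712 \
       --output "$1.gpg" "$1"
}

# Decrypt $1 into $3 with the passphrase in file $2. Each call gets a throwaway
# GNUPGHOME so gpg-agent's passphrase cache cannot make a wrong passphrase "work".
decrypt_file() {
  GNUPGHOME="$(mktemp -d)" $GPG --passphrase-file "$2" --output "$3" --decrypt "$1"
}

# What a thief browsing the folder sees: the file name and size, but no plaintext.
ciphertext_leaks_name_but_not_content() {
  ls -l "$DOC.gpg"
  ! grep -q 'Jane Doe' "$DOC.gpg"
}

# Succeeds only if gpg refuses to decrypt with the wrong passphrase.
wrong_passphrase_is_rejected() {
  if decrypt_file "$DOC.gpg" "$WORK/wrongpass" "$WORK/bad.txt" 2>/dev/null; then
    return 1
  fi
  return 0
}

encrypt_file "$DOC" "$WORK/pass"
decrypt_file "$DOC.gpg" "$WORK/pass" "$WORK/recovered.txt"
cmp -s "$DOC" "$WORK/recovered.txt"    # round trip must reproduce the original exactly
```

Once you are satisfied the .gpg file decrypts, delete the plaintext original; leaving it next to the encrypted copy defeats the purpose.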

Encrypting Your Phone or Tablet

If you have an iPhone, encryption is supported out-of-the-box. In fact, if you have a passcode set up on your iPhone, the device is already encrypted: the passcode is what unlocks the key protecting your data.

For Android devices, encryption is supported, but it is not on by default unless you have one of a handful of devices (usually of the Nexus or Pixel line). Depending on your hardware and the version of Android you are running, encryption may or may not be feasible. Although encryption was available in earlier versions, it was not until Android 6.0 that the operating system made use of the hardware-accelerated encryption provided by the processor; before that, it was done entirely in software. The resulting overhead made the device noticeably slower.

  • Low- or mid-range devices running Android 5.0 (Lollipop) or older: encryption is still possible, but it may slow down your device.
  • Mid-range or high-end devices running Android 6.0 (Marshmallow) or newer: encryption can safely be enabled with little to no performance overhead.

Note that after you encrypt your Android device, you will not be able to disable the lock screen on the phone/tablet. The passcode you set is mixed into the derivation of the encryption key, so it cannot be removed without disabling the encryption. Note as well that once a device is encrypted, you cannot permanently decrypt it without wiping the device.

If you encrypt your Android device, you cannot disable the lockscreen.
An encrypted Android device with Smart Lock enabled can still bypass the lock screen when Smart Lock is triggered. The encryption protects your data while the device is powered off; once it has been booted and unlocked, the lock screen is the only barrier left, and Smart Lock lowers it.

Frequently Asked Questions

Why Can't I Just Lock My Computer Behind a Password?

Setting a password on the computer prevents someone from logging in to the computer and accessing your files through the installed operating system (Windows, Mac, Linux, etc.). However, it does not stop someone from removing the hard drive and using another computer to view its contents. If the drive's partition is not encrypted, someone could simply plug the drive into another computer and mount it; it would show up as browsable storage like any other DVD, flash drive, or external hard drive, and at that point your files would be freely accessible (the operating system's file permissions do not help, because the administrator of the other computer can read everything). If the drive were encrypted, however, and the thief did not know the password to decrypt it, the drive's contents would look like scrambled or random data.

What If I Forget My Encryption Password?

Encryption is reversible only with the key. Once something has been encrypted, you need the key that was used to encrypt it in order to decrypt it. In most cases, this key is derived from a string or password (it can also be a file). If you do not have the key, the data cannot be decrypted. Period. For this reason, you should keep a backup of your keyfile or passphrase somewhere safe, and, where the tool provides one, of its recovery key as well.

If you use OS X / macOS's built-in FileVault feature, you can choose to store a copy of the recovery key in your iCloud account, so that it can be retrieved in case you ever forget your password.

If you use BitLocker, you have the option of using the Trusted Platform Module (TPM) to hold the key instead of requiring a PIN or passphrase at boot. In this setup, the TPM releases the volume key only if the firmware and boot components it measured match those recorded when BitLocker was enabled. This makes the encryption transparent to the end user, and you will not need to unlock the volume manually every time the computer is turned on, but Windows will still give you a Recovery Key that you should hold onto. Note that TPM-only mode protects against the removed-drive attack described above but not against an attacker who can boot the machine to the login screen and attack the running system; adding a PIN closes that gap. Additionally, you can tie BitLocker to your Microsoft account and upload a backup of the Recovery Key to Microsoft, so that it can be retrieved in case you ever need it.

Additional Considerations

Bitlocker: Be Careful When Updating the BIOS

Most people don't update the BIOS for kicks, but if your computer manufacturer tells you that there's a BIOS/UEFI firmware update available for your desktop or laptop, you should probably install it. Be aware, however, that if you update the firmware, you will more than likely be prompted for your BitLocker Recovery Key after the computer restarts. This is because the TPM releases the key only if the measurements of the firmware and boot components (including the boot loader, or the Master Boot Record on legacy systems) match those taken when BitLocker was enabled, to ensure the device hasn't been tampered with. A firmware update changes those measurements, so the Recovery Key is requested before booting continues. You can avoid the prompt by suspending BitLocker protection before the update (for example with the Suspend-BitLocker PowerShell cmdlet, or manage-bde -protectors -disable); Windows then re-seals the key to the new measurements on the next boot. While it is unlikely you will update the firmware more than once or twice, have the Recovery Key handy whenever you do it on a BitLocker-protected machine.

Warning! Updating your BIOS may trigger a prompt for the recovery key! Always have the recovery key accessible when you update the BIOS.

Bitlocker: Do You Trust Microsoft With Your Bitlocker Key?

Your concern here about whether Microsoft should be trusted with your backup Recovery Key depends largely on your level of paranoia and your threat model. If your primary reason for encrypting your laptop is to mitigate damage in case of loss or theft, Microsoft is probably a safe place to backup your key.

If you are encrypting your laptop because you believe a state actor or a three-letter agency is after you, however, giving Microsoft a copy of your key may not be the best idea. While the risk is largely theoretical at this point, it is known that Microsoft was part of PRISM, including SkyDrive (now OneDrive), where the backup key is stored. They have cooperated with law enforcement in the past to turn over data about their users when compelled by court order. It is thus not unreasonable to assume that if a law enforcement agency seized your BitLocker-encrypted computer and wished to decrypt it, they might compel Microsoft to provide the backup Recovery Key that you uploaded.

Danger! If you fear that you may now or ever be targeted by your government, do not upload a backup of your key to Microsoft.

FileVault: Do You Trust Apple With Your FileVault Key?

Trusting Apple with your FileVault key presents the same concern as trusting Microsoft: do you believe that Apple would refuse to provide law enforcement with the backup of your FileVault key if compelled to do so by a court order? While Apple has historically resisted attempts to help the FBI and other agencies defeat encryption, they have done so by engineering the device such that they cannot decrypt it, so that the answer is "We can't." instead of "We won't." If they are storing a backup of your FileVault key, however, they very much can, and probably must, turn it over to law enforcement if compelled.

If your threat model does not include the government, however, giving Apple a backup of your key could be useful if your copy is lost or forgotten.

Encrypt Your Backups

If it is paramount that your sensitive data be encrypted, you should take special care to make sure that all of your backups are encrypted, too. Otherwise, someone who is unable to break into your main computer need only find the unencrypted external hard-drive you have lying around nearby in order to access all of the backed up files in plain view.

In some situations, you may reasonably leave external storage unencrypted if it contains nothing sensitive (e.g. an external hard drive holding nothing but photos, videos, or music). In that case, separate the sensitive from the non-sensitive files onto different drives and encrypt the sensitive one, or fall back on file-level encryption to protect only the sensitive files on the backup device.

If you are backing up to an offsite or cloud-based system, you may wish to check with the storage provider to see what their policy is regarding whether the data is stored encrypted and, if so, how. For services like Google Drive, Microsoft OneDrive, Dropbox, etc., you may wish to consider encrypting the file yourself before uploading it to the backup service so that you don't have to trust their word on it being encrypted.

A system is only as secure as its weakest point. If the regular data is encrypted, its backup should be encrypted as well.
Some services that support encrypted backups out-of-the-box include the option for a user-supplied key so that only you can decrypt the files.
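For the external-drive and cloud cases above, an added example (not from the original page or any backup service) of an encrypted backup of a whole directory: tar streams the files straight into gpg, so a plaintext archive never lands on disk; the file names end up inside the ciphertext rather than beside it, unlike per-file encryption; and the archive is restored and compared before the backup is trusted. The directory contents and passphrase are constructed; it assumes GnuPG 2.2+, GNU tar and GNU coreutils.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): encrypted directory backup via tar | gpg.
# Assumes GnuPG 2.2+, GNU tar and coreutils. Files and passphrase are constructed sample data.
set -eu

export GNUPGHOME="$(mktemp -d)"   # isolated gpg state; never touches ~/.gnupg
WORK="$(mktemp -d)"
SRC="$WORK/Documents"
mkdir -p "$SRC/medical"
printf 'policy 12345\n' > "$SRC/medical/insurance.txt"   # constructed sample files
printf 'loan balance 9000\n' > "$SRC/student-loan.txt"
printf 'correct horse battery staple\n' > "$WORK/pass"   # constructed passphrase

GPG="gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file $WORK/pass"

# Back up directory $1 into the encrypted archive $2. The archive's hash is recorded
# so a restore can first check that the backup medium delivered it intact.
backup_dir() {
  tar -C "$(dirname "$1")" -cf - "$(basename "$1")" \
    | $GPG --symmetric --cipher-algo AES256 --s2k-mode 3 --s2k-count 65011712 --output "$2"
  sha256sum "$2" > "$2.sha256"
}

# Restore archive $1 into directory $2: verify the hash, then decrypt straight into tar.
restore_backup() {
  mkdir -p "$2"
  sha256sum -c --quiet "$1.sha256"
  $GPG --decrypt "$1" | tar -C "$2" -xf -
}

# The names of the backed-up files live inside the tar, so the ciphertext does not reveal them.
archive_hides_filenames() {
  ! grep -q 'insurance' "$1"
}

# A backup is only good if a restore reproduces the source exactly.
restored_matches_source() {
  diff -r "$1" "$2" > /dev/null
}

ARCHIVE="$WORK/documents-backup.tar.gpg"
backup_dir "$SRC" "$ARCHIVE"
restore_backup "$ARCHIVE" "$WORK/restore"
```

The same pipeline works for an upload: send the .tar.gpg to the cloud service and you no longer depend on the provider's word about encryption at rest, only on your passphrase and the .sha256 file you keep alongside it.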